The SSH client must be configured to only use Message Authentication Codes (MACs) employing FIPS 140-2 approved cryptographic hash algorithms.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-22463	GEN005512	SV-35210r1_rule	DCNR-1	Medium

Description
DoD information systems are required to use FIPS 140-2 approved cryptographic hash functions.

STIG	Date
HP-UX 11.31 Security Technical Implementation Guide	2013-03-28

Details

Check Text ( C-36638r1_chk )
Check the SSH client configuration for allowed MACs. Note that keywords are case-insensitive and arguments (args) are case-sensitive. keyword=MACs arg(s)=hmac-sha1 Default values include: "hmac-md5,hmac-md5-96,hmac-sha1,hmac-sha1-96,hmac-ripemd168" Note: When the default "arg" value exactly matches the required "arg" value (see above), the entry is not required to exist (commented or uncommented) in the ssh (client) or sshd (server) configuration file. While not required, it is recommended that the configuration file(s) be populated with all keywords and assigned arg values as a means to explicitly document the ssh(d) binary's expected behavior. Examine the file. # cat /opt/ssh/etc/ssh_config \| tr '\011' ' ' \| tr -s ' ' \| sed -e 's/^[ \t]*//' \| grep -v '^#' \| egrep -i "macs" If the MACs list contains any MAC other than hmac-sha1, this is a finding.

Check Text ( C-36638r1_chk )

Check the SSH client configuration for allowed MACs. Note that keywords are case-insensitive and arguments (args) are case-sensitive.

keyword=MACs
arg(s)=hmac-sha1

Default values include: "hmac-md5,hmac-md5-96,hmac-sha1,hmac-sha1-96,hmac-ripemd168"

Note: When the default "arg" value exactly matches the required "arg" value (see above), the entry is not required to exist (commented or uncommented) in the ssh (client) or sshd (server) configuration file. While not required, it is recommended that the configuration file(s) be populated with all keywords and assigned arg values as a means to explicitly document the ssh(d) binary's expected behavior.

Examine the file.
# cat /opt/ssh/etc/ssh_config | tr '\011' ' ' | tr -s ' ' | sed -e 's/^[ \t]*//' | grep -v '^#' | egrep -i "macs"

If the MACs list contains any MAC other than hmac-sha1, this is a finding.

Fix Text (F-32009r1_fix)
Edit the SSH client configuration and remove any MACs other than hmac-sha1. If necessary, add a MACs line.