UCF STIG Viewer Logo
Changes are coming to https://stigviewer.com. Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey

The SSH daemon must be configured to only use Message Authentication Codes (MACs) employing FIPS 140-2 approved cryptographic hash algorithms.


Overview

Finding ID Version Rule ID IA Controls Severity
V-22460 GEN005507 SV-35220r1_rule DCNR-1 Medium
Description
DoD information systems are required to use FIPS 140-2 approved cryptographic hash functions.
STIG Date
HP-UX 11.31 Security Technical Implementation Guide 2013-06-27

Details

Check Text ( C-36635r1_chk )
Check the SSH daemon configuration for allowed MACs. Note that keywords are case-insensitive and arguments (args) are case-sensitive.

keyword=MACs
arg(s)=hmac-sha1

Default values include: "hmac-md5,hmac-md5-96,hmac-sha1,hmac-sha1-96,hmac-ripemd168"

Note: When the default "arg" value exactly matches the required "arg" value (see above), the entry is not required to exist (commented or uncommented) in the ssh (client) or sshd (server) configuration file. While not required, it is recommended that the configuration file(s) be populated with all keywords and assigned arg values as a means to explicitly document the ssh(d) binary's expected behavior.

Examine the file.
# cat /opt/ssh/etc/sshd_config | tr '\011' ' ' | tr -s ' ' | sed -e 's/^[ \t]*//' | grep -v '^#' | egrep -i "macs"

If the returned configuration MACs list contains any MAC other than hmac-sha1, this is a finding.
Fix Text (F-32005r1_fix)
Edit the SSH daemon configuration and remove any MACs other than hmac-sha1. If necessary, add a MACs line.