
The SSH client must be configured to only use Message Authentication Codes (MACs) employing FIPS 140-2 approved cryptographic hash algorithms.


Overview

Finding ID: V-39403
Version: SRG-OS-000158-ESXI5
Rule ID: SV-51261r3_rule
IA Controls: (not listed)
Severity: Medium
Description
DoD information systems are required to use FIPS 140-2 approved cryptographic hash functions.
STIG: VMware ESXi Server 5.0 Security Technical Implementation Guide
Date: 2017-01-06

Details

Check Text (C-46677r3_chk)
Disable lock down mode. Enable the ESXi Shell. Execute the following command(s):
# grep -i macs /etc/ssh/ssh_config

Re-enable lock down mode.

If the returned list contains MACs other than a variant of the hmac-sha1 or hmac-sha2 form, this is a finding. If the /etc/ssh/ssh_config file does not exist or the MACs option is not set, this is not a finding.
Fix Text (F-44416r2_fix)
Disable lock down mode. Enable the ESXi Shell. Execute the following command(s):
# vi /etc/ssh/ssh_config

Add/modify the attribute line entry to the following (quotes for emphasis only):
"MACs "
The above list "may" include any number of the following (current) comma-separated variants: hmac-sha1, hmac-sha1-96, hmac-sha2-256, hmac-sha2-256-96, hmac-sha2-512, hmac-sha2-512-96.

Re-enable lock down mode.
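The check logic above (missing file or unset option is not a finding; any MAC outside the hmac-sha1/hmac-sha2 family is a finding) and the allowed list from the fix text, carried through as an added POSIX sh example. This is not part of the STIG and not VMware tooling; the function name check_ssh_client_macs and the three sample configuration files are constructed for illustration, and it is written in plain sh so it could be run in a BusyBox-style ESXi Shell as well as on a workstation against a copied-out file.

```shell
#!/bin/sh
# Added example (not from the STIG): evaluate the V-39403 check against an ssh_config.
# check_ssh_client_macs is an assumed helper name; the sample files below are constructed.

# Return 0 for "not a finding", 1 for "finding".
check_ssh_client_macs() {
    cfg="$1"
    # Check text: if /etc/ssh/ssh_config does not exist, this is not a finding.
    [ -f "$cfg" ] || return 0
    # Take the value of every uncommented MACs line (option names are case-insensitive
    # in ssh_config; accept "MACs foo" and "MACs=foo"), drop trailing comments,
    # then turn the comma-separated list into words.
    values=$(sed -n 's/^[[:space:]]*[Mm][Aa][Cc][Ss][[:space:]=][[:space:]=]*//p' "$cfg" \
             | sed 's/#.*//' | tr ',' ' ')
    # Check text: if the MACs option is not set, this is not a finding.
    [ -n "$values" ] || return 0
    for mac in $values; do
        case "$mac" in
            # Variants of the hmac-sha1 / hmac-sha2 form named in the fix text.
            hmac-sha1|hmac-sha1-*|hmac-sha2-*) ;;
            *) echo "FINDING: $cfg lists non-approved MAC '$mac'" >&2; return 1 ;;
        esac
    done
    return 0
}

# Constructed sample configurations (not real ESXi files).
GOOD_CFG=$(mktemp)
BAD_CFG=$(mktemp)
UNSET_CFG=$(mktemp)
trap 'rm -f "$GOOD_CFG" "$BAD_CFG" "$UNSET_CFG"' EXIT
printf '%s\n' 'Host *' '    MACs hmac-sha2-256,hmac-sha2-512,hmac-sha1' > "$GOOD_CFG"
printf '%s\n' 'Host *' '    MACs hmac-sha2-256,hmac-md5,umac-64@openssh.com' > "$BAD_CFG"
printf '%s\n' 'Host *' '# MACs hmac-md5' '    Ciphers aes256-ctr' > "$UNSET_CFG"

# Walk the samples plus a placeholder path that does not exist.
for f in "$GOOD_CFG" "$BAD_CFG" "$UNSET_CFG" /nonexistent/ssh_config_placeholder; do
    if check_ssh_client_macs "$f" 2>/dev/null; then
        echo "$f: not a finding"
    else
        echo "$f: finding"
    fi
done
```

The family match (hmac-sha1-* and hmac-sha2-*) follows the check text's wording "a variant of the hmac-sha1 or hmac-sha2 form"; an assessor who wants the stricter reading of the fix text can replace the case pattern with the six exact names it lists. Run it as check_ssh_client_macs /etc/ssh/ssh_config after copying the file out, or in the ESXi Shell with lock down mode disabled as the check text describes.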