
The SSH daemon must be configured to only use Message Authentication Codes (MACs) employing FIPS 140-2 approved cryptographic hash algorithms.


Overview

Finding ID: V-39415
Version: SRG-OS-000250-ESXI5
Rule ID: SV-51273r2_rule
IA Controls:
Severity: High
Description
DoD information systems are required to use FIPS 140-2 approved cryptographic hash functions.
STIG: VMware ESXi Server 5.0 Security Technical Implementation Guide
Date: 2017-01-06

Details

Check Text (C-46689r2_chk)
Disable lock down mode. Enable the ESXi Shell. Execute the following command(s):
# grep -i macs /etc/ssh/sshd_config

Re-enable lock down mode.

If the command returns nothing, or the returned list contains MACs other than a variant of the hmac-sha1 or hmac-sha2 format, this is a finding.
Fix Text (F-44428r2_fix)
Disable lock down mode. Enable the ESXi Shell. Execute the following command(s):
# vi /etc/ssh/sshd_config

Add/modify the attribute line entry to the following (quotes for emphasis only):
"MACs "
The above list "may" include any number of the following (current) comma-separated variants: hmac-sha1, hmac-sha1-96, hmac-sha2-256, hmac-sha2-256-96, hmac-sha2-512, hmac-sha2-512-96.

Re-enable lock down mode.
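An added example, not part of the STIG or of VMware's tooling: a POSIX shell function that applies the pass/fail logic of the check text above to an sshd_config file, using the hmac-sha1/hmac-sha2 variant list from the fix text as the allowed set. It is run here against constructed sample configs in temporary files rather than a live host's /etc/ssh/sshd_config; the file names and function names are this example's own.

```shell
# Allowed MAC names, taken from the fix text (hmac-sha1 and hmac-sha2 variants).
ALLOWED_MACS="hmac-sha1 hmac-sha1-96 hmac-sha2-256 hmac-sha2-256-96 hmac-sha2-512 hmac-sha2-512-96"

# is_allowed_mac NAME -> 0 if NAME is in ALLOWED_MACS, 1 otherwise
is_allowed_mac() {
    for m in $ALLOWED_MACS; do
        [ "$1" = "$m" ] && return 0
    done
    return 1
}

# check_sshd_macs FILE -> 0 when compliant, 1 when this is a finding.
# Mirrors the check text: no MACs directive, or any listed MAC outside the
# allowed set, is a finding. Commented-out lines are ignored, since sshd
# ignores them too (a bare "grep -i macs" would still print them).
check_sshd_macs() {
    line=$(grep -i '^[[:space:]]*MACs[[:space:]]' "$1" | tail -n 1)
    [ -z "$line" ] && return 1
    macs=$(printf '%s\n' "$line" | awk '{print $2}' | tr ',' ' ')
    [ -z "$macs" ] && return 1
    for mac in $macs; do
        is_allowed_mac "$mac" || return 1
    done
    return 0
}

# Constructed sample configs (not from a real host), one per outcome.
GOOD_CFG=$(mktemp); printf 'Protocol 2\nMACs hmac-sha2-256,hmac-sha2-512\n' > "$GOOD_CFG"
BAD_CFG=$(mktemp);  printf 'MACs hmac-md5,hmac-sha2-256\n' > "$BAD_CFG"
NONE_CFG=$(mktemp); printf 'Protocol 2\n# MACs hmac-sha2-256\n' > "$NONE_CFG"

for f in "$GOOD_CFG" "$BAD_CFG" "$NONE_CFG"; do
    if check_sshd_macs "$f"; then
        echo "$f: compliant"
    else
        echo "$f: FINDING"
    fi
done
```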