Information
The operating system must be configured so that the SSH daemon is configured to only use Message Authentication Codes (MACs) employing FIPS 140-2 approved cryptographic hash algorithms.
Rationale:
DoD information systems are required to use FIPS 140-2 approved cryptographic hash functions. The only SSHv2 hash algorithm meeting this requirement is SHA.
Solution
Edit the /etc/ssh/sshd_config file to uncomment or add the line for the MACs keyword and set its value to hmac-sha2-256 and/or hmac-sha2-512 (this file may be named differently or be in a different location if using a version of SSH that is provided by a third-party vendor):
Example: vim /etc/ssh/sshd_config
Add, uncomment or update the following line.
MACs hmac-sha2-256,hmac-sha2-512
The SSH service must be restarted for changes to take effect.
# systemctl restart sshd.service
Notes:
This Benchmark recommendation maps to:
Red Hat Enterprise Linux 7 Security Technical Implementation Guide:
Version 2, Release: 3 Benchmark Date: 26 Apr 2019
Vul ID: V-72253
Rule ID: SV-86877r3_rule
STIG ID: RHEL-07-040400
Severity: CAT II