5.2.11 Ensure only approved MAC algorithms are used

Information

This variable limits the types of MAC algorithms that SSH can use during communication. MD5 and 96-bit MAC algorithms are considered weak and have been shown to increase exploitability in SSH downgrade attacks. Weak algorithms continue to have a great deal of attention as a weak spot that can be exploited with expanded computing power. An attacker that breaks the algorithm could take advantage of a MiTM position to decrypt the SSH tunnel and capture credentials and information

Solution

Edit the /etc/ssh/sshd_config file to set the parameter as follows: MACs [email protected],[email protected],[email protected],hmac-sha2-512,hmac-sha2-256,[email protected]

See Also

https://workbench.cisecurity.org/files/1866

Item Details

Category: SYSTEM AND COMMUNICATIONS PROTECTION

References: 800-53|SC-13, CSCv6|3.4

Plugin: Unix

Control ID: 373d908cd0058696da5ff98610ca53aec9471053539bfbf4fffbf597ac10aede