Catalina - Limit SSH to FIPS 140 Validated Message Authentication Code Algorithms

Information

SSH _MUST_ be configured to limit the Message Authentication Codes (MACs) to algorithms that are FIPS 140 validated.

FIPS 140-2 is the current standard for validating that mechanisms used to access cryptographic modules utilize authentication that meets federal requirements.

Operating systems utilizing encryption _MUST_ use FIPS validated mechanisms for authenticating to cryptographic modules.

NOTE: /etc/ssh/ssh_config will be automatically modified to its original state following any update or major upgrade to the operating system.

Solution

[source,bash]
----
/usr/bin/grep -q '^MACs' /etc/ssh/ssh_config && /usr/bin/sed -i.bak 's/.*MACs.*/MACs hmac-sha2-256,hmac-sha2-512/' /etc/ssh/ssh_config || /bin/echo 'MACs hmac-sha2-256,hmac-sha2-512' >> /etc/ssh/ssh_config
----

See Also

https://github.com/usnistgov/macos_security

Item Details

Category: ACCESS CONTROL, IDENTIFICATION AND AUTHENTICATION, SYSTEM AND COMMUNICATIONS PROTECTION

References: 800-53|AC-17(2), 800-53|IA-7, 800-53|SC-8(1), 800-53|SC-13, CCE|CCE-84917-4

Plugin: Unix

Control ID: 7854c0e87ef768d99221386796821d1a508bc0ca908d8e4011f66a16787fa9c6