Profile Applicability:
• Level 1
Description:
The MACs option in the SSH daemon (sshd) configuration specifies the Message Authentication Codes used to verify the integrity of SSH communications. Configuring strong MAC algorithms protects against tampering and ensures data authenticity.
Rationale:
Using robust MAC algorithms strengthens session security by preventing unauthorized modifications and replay attacks during SSH sessions.
Impact:
Pros:
Enhances data integrity and session security.
Supports compliance with security best practices.
Cons:
May reduce compatibility with older SSH clients.
Default Value:
Defaults vary by OpenSSH version; the default list of older releases includes weaker algorithms.
Pre-requisites:
Root or sudo privileges to modify SSH daemon configuration.
Remediation:
Test Plan:
Using Linux command line:
Check current MACs configuration in /etc/ssh/sshd_config:
grep ^MACs /etc/ssh/sshd_config
Review the list of enabled MAC algorithms.
Implementation Plan:
Using Linux command line:
Edit /etc/ssh/sshd_config:
vi /etc/ssh/sshd_config
Add or update the MACs directive with strong algorithms, for example:
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com
Save the file and restart sshd:
systemctl restart sshd
Verify the configuration:
grep ^MACs /etc/ssh/sshd_config
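The check and verification steps above can be scripted so that every configured MAC is compared against an allowlist rather than eyeballed. The following audit script is an added example, not part of the original benchmark text; its allowlist is an assumption built from the two algorithms named in the Implementation Plan plus their non-ETM SHA-2 counterparts, and the sample configuration files it is run against are constructed.

```bash
#!/bin/sh
# Audit the MACs directive of an sshd_config file against an allowlist.
# Assumed allowlist: the ETM algorithms from the Implementation Plan and
# their non-ETM SHA-2 variants.
ALLOWED_MACS="hmac-sha2-512-etm@openssh.com hmac-sha2-256-etm@openssh.com hmac-sha2-512 hmac-sha2-256"

# check_macs FILE
# Prints PASS/FAIL per configured MAC. Return codes:
#   0  every configured MAC is on the allowlist
#   1  at least one configured MAC is not on the allowlist
#   2  no MACs directive present (sshd uses its compiled-in default list)
#   3  directive uses +/-/^ and modifies the default list; review manually
check_macs() {
    file="$1"
    # sshd keywords are case-insensitive, may be indented, and the first
    # occurrence of a keyword wins, so take only the first match.
    line=$(grep -i '^[[:space:]]*MACs[[:space:]]' "$file" | head -n 1)
    if [ -z "$line" ]; then
        echo "NO MACs directive in $file: sshd defaults apply"
        return 2
    fi
    value=$(echo "$line" | awk '{print $2}')
    case "$value" in
        [+^-]*)
            echo "MACs '$value' modifies the default list rather than replacing it"
            return 3 ;;
    esac
    rc=0
    # The directive is a comma-separated list; check each entry.
    for mac in $(echo "$value" | tr ',' ' '); do
        case " $ALLOWED_MACS " in
            *" $mac "*) echo "PASS $mac" ;;
            *)          echo "FAIL $mac"; rc=1 ;;
        esac
    done
    return $rc
}
```

On a live host, run `sshd -T | grep -i '^macs'` alongside this check, since it prints the list sshd actually uses after applying defaults and Match blocks, and `sshd -t` validates the edited file before the restart.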
Backout Plan:
Using Linux command line:
Revert to previous MAC settings if necessary.
Restart sshd and verify client compatibility.
References: