5.2.11 Ensure only approved MAC algorithms are used (Scored)

Level 1 - Server
Level 1 - Workstation 

This variable limits the types of MAC algorithms that SSH can use during communication.

MD5 and 96-bit MAC algorithms are considered weak and have been shown to increase exploitability in SSH downgrade attacks. Weak algorithms continue to have a great deal of attention as a weak spot that can be exploited with expanded computing power. An attacker that breaks the algorithm could take advantage of a MiTM position to decrypt the SSH tunnel and capture credentials and information

Run the following command and verify that output does not contain any unlisted MAC algorithms:

# grep "MACs" /etc/ssh/sshd_config 
MACs [email protected],[email protected],[email protected],hmac-sha2-512,hmac-sha2-256,[email protected],[email protected],diffie-hellman-group-exchange-sha256

Edit the /etc/ssh/sshd_config file to set the parameter as follows:

MACs [email protected],[email protected],[email protected],hmac-sha2-512,hmac-sha2-256,[email protected]

More information on SSH downgrade attacks can be found here: http://www.mitls.org/pages/attacks/SLOTH

Some organizations may have stricter requirements for approved ciphers. Ensure that MACs used are in compliance with site policy.

  • ubuntu1604/5/2/11.txt
  • Last modified: 2017/05/04 11:35
  • by