mediumaccess-controlverified ✓rollback-safe
Configure the SSH client to use FIPS-approved MACs (Ubuntu)
ssh-client-macs-fips-ubuntu · UBUNTU ≥ 22 · 1 impl
Description
The SSH client (/etc/ssh/ssh_config) must be configured to use only FIPS 140-3 approved MACs.
Rationale
Restricting the SSH client to FIPS-approved MACs prevents negotiation of a weaker algorithm when this host initiates an SSH connection.
Check → Remediate
Checkcommand
val=$(grep -iE '^[[:space:]]*MACs ' /etc/ssh/ssh_config 2>/dev/null | awk '{print $2}' | tail -1)
if [ -z "$val" ]; then
echo "FAIL: MACs not set in /etc/ssh/ssh_config"
exit 1
fi
if echo "$val" | tr ',' '\n' | grep -qvE '^(hmac-sha2-256|hmac-sha2-512|hmac-sha2-256-etm@openssh\.com|hmac-sha2-512-etm@openssh\.com)$'; then
echo "FAIL: non-FIPS MACs in ssh_config: $val"
exit 1
fi
echo "OK: $val"
- expected_exit:
- 0
Remediateconfig_set
- path:
- /etc/ssh/ssh_config
- key:
- MACs
- value:
- hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512,hmac-sha2-256
- separator:
Framework references
STIG
V-270671 / UBTU-24-100860
NIST 800-53
SC-8SC-13
Live verification
ubuntu24:check
#ssh#client#fips#macs