← Rules Catalog
mediumaccess-controlverified rollback-safe

Configure SSH to use FIPS-approved MACs (Ubuntu)

ssh-macs-fips-ubuntu · UBUNTU ≥ 22 · 1 impl

Description

The SSH daemon must be configured to use only Message Authentication Codes (MACs) employing FIPS 140-3 approved cryptographic hashes. This rule carries the Ubuntu STIG references and remediation value.

Rationale

FIPS-approved MAC algorithms have been validated for integrity protection. Restricting the SSH daemon to the approved set ensures the integrity of transmitted information cannot be undermined by a weaker hash.

Check → Remediate

Checkcommand
command -v sshd >/dev/null 2>&1 || exit 0
macs=$(sshd -T 2>/dev/null | awk '/^macs /{print $2}')
if [ -z "$macs" ]; then
  echo "FAIL: could not read effective MACs (sshd -T needs root)"
  exit 1
fi
if echo "$macs" | tr ',' '\n' | grep -qvE '^(hmac-sha2-256|hmac-sha2-512|hmac-sha2-256-etm@openssh\.com|hmac-sha2-512-etm@openssh\.com)$'; then
  echo "FAIL: non-FIPS MAC in effective config: $macs"
  exit 1
fi
echo "OK: $macs"
expected_exit:
0
Remediateconfig_set_dropin
dir:
/etc/ssh/sshd_config.d
file:
00-kensa-fips-macs.conf
key:
MACs
value:
hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512,hmac-sha2-256
restart:
sshd

Framework references

STIG

V-270668 / UBTU-24-100830V-260532 / UBTU-22-255055

NIST 800-53

SC-8SC-13

Live verification

ubuntu22:checkubuntu24:checkubuntu26:check
#ssh#fips#macs#cryptography#stig