← Rules Catalog
highaccess-controlverified rollback-safe

Configure SSH to use FIPS-approved MACs

ssh-macs-fips · RHEL ≥ 8 · 1 impl

Description

The SSH daemon must be configured to use only FIPS 140-2 validated Message Authentication Codes (MACs).

Rationale

FIPS-approved MACs ensure data integrity for SSH sessions. Using only validated MACs prevents manipulation of encrypted traffic.

Check → Remediate

Checkcommand
if ! command -v sshd >/dev/null 2>&1; then exit 0; fi
macs=$(sshd -T 2>/dev/null | awk '/^macs /{print $2}')
echo "$macs" | tr ',' '\n' | grep -qvE '^(hmac-sha2-256|hmac-sha2-512|hmac-sha2-256-etm@openssh\.com|hmac-sha2-512-etm@openssh\.com)$' && {
  echo "FAIL: non-FIPS MAC in effective config: $macs"
  exit 1
}
echo "OK: $macs"
expected_exit:
0
Remediateconfig_set_dropin
dir:
/etc/ssh/sshd_config.d
file:
00-kensa-fips-macs.conf
key:
MACs
value:
hmac-sha2-512,hmac-sha2-256,hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com
restart:
sshd

Framework references

STIG

V-281013 / RHEL-10-300060V-257991 / RHEL-09-255075V-230251

NIST 800-53

SC-12SC-13

Live verification

rhel8:checkrhel9:check
#ssh#fips#macs#cryptography#stig