SSH Weak Message Authentication Code Algorithms

Sonic84
Contributor III

Our risk/vulnerability software kept flagging my Mac servers with a low-risk "SSH Weak Message Authentication Code Algorithms" finding. I didn't see any Mac-specific articles out there, so I'm posting the "fix" that worked for my environment here.


By default macOS sshd includes the following "insecure" Message Authentication Code (MAC) algorithms for SSH:

umac-64-etm@openssh.com
hmac-sha1-etm@openssh.com
umac-64@openssh.com
hmac-sha1


The fix is to set /etc/ssh/sshd_config to use only the secure MAC algorithms.

Appending to the end of the file worked in macOS 12 and 13. 

# Run as root: the redirection into /etc/ssh/sshd_config needs root privileges.
echo "MACs umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512" >> /etc/ssh/sshd_config

My Mac servers reboot nightly, so I did not need to worry about restarting SSH/Remote Login.


Related Query/Commands:

List all MAC address algorithms available in the local system

ssh -Q mac


The sshd config file has its own man page with details/defaults: 

man sshd_config


Test/scan for weak SSH MAC algorithms from another host using the Nmap ssh2-enum-algos script: https://nmap.org/nsedoc/scripts/ssh2-enum-algos.html


Hope this helps someone out there!

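Editor's note, added example (this is not code from the original post): after appending a MACs line as described above, it is worth confirming what sshd will actually negotiate rather than trusting the edit. sshd_config uses the first value it finds for each keyword, so an appended line only takes effect if nothing earlier in the file (or in a file pulled in by an Include directive near the top, which newer macOS releases ship) already sets MACs. `sshd -T` prints the effective configuration after all of that is resolved. The POSIX sh script below parses that output and flags weak MACs. The weak-MAC classification is this example's own policy (the two families the post's scanner flagged, umac-64 and hmac-sha1, plus hmac-md5, the truncated -96 variants and ripemd160); the `--live` flag and the sample `sshd -T` lines are the example's own constructions.

```shell
#!/bin/sh
# Added example, not from the original post. Audits the MAC list sshd will
# actually negotiate and flags weak ones.
#   sudo sh ssh-mac-audit.sh --live     # on the server, as root
#   sh ssh-mac-audit.sh                 # offline run over the constructed sample
# The weak-MAC policy in is_weak_mac is this example's own choice (assumption);
# adjust it to match whatever your vulnerability scanner flags.

# is_weak_mac NAME -> exit status 0 if NAME is a MAC we want disabled
is_weak_mac() {
    case "$1" in
        umac-64*|hmac-sha1*|hmac-md5*|*-96*|hmac-ripemd160*) return 0 ;;
        *) return 1 ;;
    esac
}

# weak_macs LIST -> print the weak members of a comma-separated MAC list,
# comma-separated and in their original order (prints nothing if none)
weak_macs() {
    _out=""
    _old_ifs=$IFS
    IFS=,
    for _m in $1; do
        if is_weak_mac "$_m"; then
            _out="${_out:+$_out,}$_m"
        fi
    done
    IFS=$_old_ifs
    printf '%s' "$_out"
}

# weak_macs_from_sshd_t -> read `sshd -T` output on stdin, pick out the
# effective "macs ..." line and print its weak members
weak_macs_from_sshd_t() {
    _list=$(awk '$1 == "macs" { print $2; exit }')
    weak_macs "$_list"
}

# Constructed sample (assumption): the relevant lines of `sshd -T` on a
# host running stock OpenSSH defaults. Real output has many more keys.
SAMPLE_SSHD_T='port 22
macs umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1
ciphers chacha20-poly1305@openssh.com'

if [ "${1:-}" = "--live" ]; then
    # sshd -T resolves Include and Match blocks and prints the effective
    # config, so it reflects what an appended MACs line really achieved.
    found=$(sshd -T | weak_macs_from_sshd_t)
    if [ -n "$found" ]; then
        echo "WEAK MACs still enabled: $found"
        exit 1
    fi
    echo "OK: no weak MACs enabled"
else
    echo "Sample audit (constructed data), weak MACs: $(printf '%s\n' "$SAMPLE_SSHD_T" | weak_macs_from_sshd_t)"
fi
```

Run with `--live` on the server as root after editing sshd_config and reloading or restarting Remote Login; an empty result means the hardened MACs line is the one in effect. The Nmap ssh2-enum-algos script linked above gives the same answer from the outside, which is what the vulnerability scanner sees.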

2 REPLIES

Manke888
New Contributor II

Network penetration tests frequently raise the issue of SSH weak MAC algorithms. These algorithms exist in the majority of SSH configurations and are generally considered Low Risk.