SSH Weak Message Authentication Code Algorithms



Our risk/vulnerability software kept flagging my Mac server with a low-risk "SSH Weak Message Authentication Code Algorithms". I didn't see any Mac-specific articles out there. Posting the "fix" that worked for my environment here.

 

By default macOS sshd includes the following "insecure" Message Authentication Code (MAC) algorithms for SSH:

umac-64-etm@openssh.com
hmac-sha1-etm@openssh.com
umac-64@openssh.com
hmac-sha1

 

The fix is to set /etc/ssh/sshd_config to use the secure MAC algorithms.

Appending to the end of the file worked in macOS 12 and 13. 

echo "MACS umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512" >> /etc/ssh/sshd_config

My Mac servers reboot nightly, so I did not need to worry about restarting SSH/Remote Login.

 

 

Related Query/Commands:

List all MAC address algorithms available in the local system

ssh -Q mac

 

The sshd config file has its own man page with details/defaults: 

man sshd_config

 

Test/scan for weak SSH MAC algorithms using an Nmap script: https://nmap.org/nsedoc/scripts/ssh2-enum-algos.html

 

Hope this helps someone out there!
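An added example, not code from the post above: a small POSIX sh audit that takes either an sshd_config or the dump from "sudo sshd -T", pulls out the MACs value sshd will actually use, and reports which of the flagged algorithms are still present. It also shows why an appended line can be ignored: sshd_config keywords are case-insensitive and the first value obtained wins, so an existing MACs line (or one in a file pulled in by an earlier Include) beats anything appended at the end. The weak list starts from the four algorithms the post names; the hmac-md5 and 96-bit truncated variants are this example's own addition, as are the sample sshd -T output and config texts, which are constructed rather than copied from any macOS release.

```shell
#!/bin/sh
# Added example (not code from the original post): check an sshd MAC list
# against the algorithms the post's scanner flagged, and show the
# "first value wins" rule that decides whether an appended MACs line is
# the one sshd actually uses.

# The four MACs the post lists as flagged, plus the MD5 and 96-bit
# truncated variants that the same class of scanner reports. The extra
# entries are this example's assumption, not something the post states.
WEAK_MACS="hmac-md5 hmac-md5-96 hmac-sha1 hmac-sha1-96 umac-64@openssh.com \
hmac-md5-etm@openssh.com hmac-md5-96-etm@openssh.com hmac-sha1-etm@openssh.com \
hmac-sha1-96-etm@openssh.com umac-64-etm@openssh.com"

# The hardened list from the post, exactly as appended there.
HARDENED_MACS="umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512"

# weak_macs_in LIST: print the weak entries of a comma-separated MAC list
# as one comma-separated line, in input order; prints an empty line if none.
weak_macs_in() {
    _found=""
    for _m in $(printf '%s' "$1" | tr ',' ' '); do
        for _w in $WEAK_MACS; do
            if [ "$_m" = "$_w" ]; then
                _found="${_found:+$_found,}$_m"
            fi
        done
    done
    printf '%s\n' "$_found"
}

# effective_macs CONFIG_TEXT: print the MACs value sshd would take from
# this text, i.e. the first MACs line outside a Match block (keywords are
# case-insensitive and the first value obtained wins). Works on both an
# sshd_config and the lower-case "sshd -T" dump. Not modelled: files pulled
# in by Include, which are read at the point of the Include line and so can
# win over a MACs line further down, and the "key=value" spelling.
effective_macs() {
    printf '%s\n' "$1" | awk '
        tolower($1) == "match" { in_match = 1 }
        !in_match && !done && tolower($1) == "macs" { print $2; done = 1 }
    '
}

# audit_config CONFIG_TEXT: prints OK, WEAK: <list>, or UNKNOWN when no
# MACs line is present (then the compiled-in defaults apply and only
# "sshd -T" shows what they are).
audit_config() {
    _eff=$(effective_macs "$1")
    if [ -z "$_eff" ]; then
        printf 'UNKNOWN: no MACs line in input (compiled-in defaults apply; check sshd -T)\n'
        return 0
    fi
    _weak=$(weak_macs_in "$_eff")
    if [ -z "$_weak" ]; then
        printf 'OK\n'
    else
        printf 'WEAK: %s\n' "$_weak"
    fi
}

# Constructed sample of "sudo sshd -T" output containing the four MACs the
# post lists; not a verbatim copy of any macOS release's defaults.
SAMPLE_SSHD_T='port 22
macs umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1
ciphers chacha20-poly1305@openssh.com,aes128-ctr'

# Constructed sshd_config where an earlier MACs line already exists, so the
# line appended with >> is never consulted and the scanner keeps flagging.
STALE_CONFIG='Include /etc/ssh/sshd_config.d/*
MACs hmac-sha2-256,hmac-sha1
MACs umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com'

# Constructed sshd_config carrying only the hardened line from the post.
FIXED_CONFIG="Include /etc/ssh/sshd_config.d/*
MACs $HARDENED_MACS"

audit_config "$SAMPLE_SSHD_T"   # WEAK: umac-64-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,hmac-sha1
audit_config "$STALE_CONFIG"    # WEAK: hmac-sha1
audit_config "$FIXED_CONFIG"    # OK

# Live use on the server itself (sshd -T needs root):
#   audit_config "$(sudo sshd -T)"
```

A few practical notes when applying the post's fix: the redirect in "echo ... >> /etc/ssh/sshd_config" runs in your own shell, so as a non-root user it fails even with sudo in front of echo; use "sudo sh -c '... >> /etc/ssh/sshd_config'" or pipe through "sudo tee -a". Run "sudo sshd -t" afterwards to validate the file, and keep an existing session open while you test a new login. MACs is not one of the keywords permitted inside a Match block, so if the file ends with a Match block the appended line lands inside it and sshd -t rejects the config. On macOS, launchd starts a fresh sshd for each incoming connection, so a valid change applies to the next login without a restart. If your sshd_config starts with "Include /etc/ssh/sshd_config.d/*" (it does on recent macOS), a file in that directory is the cleaner place for the MACs line, and, because the Include is read first, it takes precedence over anything later in the main file.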

 

2 replies

boberito
  • Jamf Heroes
  • 449 replies
  • July 18, 2022

  • New Contributor
  • 3 replies
  • July 19, 2022

Network penetration tests frequently raise the issue of SSH weak MAC algorithms. These algorithms exist in the majority of SSH configurations and are generally considered Low Risk.

 

