SSH Weak Message Authentication Code Algorithms

Contributor III

Our risk/vulnerability software kept flagging my Mac server with a low risk "SSH Weak Message Authentication Code Algorithms". I didn't see any Mac specific articles out there. Posting the "fix" that worked for my environment here.


By default macOS sshd includes the following "insecure" Message Authentication Code (MAC) algorithms for SSH:


The fix is to set /etc/ssh/sshd_config to use the secure MAC Algorithms. 

Appending to the end of the file worked in macOS 12 and 13. 

# run as root (the file is root-owned); the keyword is "MACs" followed by a space, then the comma-separated list
echo "MACs hmac-sha2-256,hmac-sha2-512" >> /etc/ssh/sshd_config

My Mac servers reboot nightly, so I did not need to worry about restarting SSH/Remote Login.



Related Query/Commands:

List all MAC address algorithms available in the local system

ssh -Q mac


The sshd config file has its own man page with details/defaults: 

man sshd_config


Test/Scan for weak SSH MAC algorithms using a nMap script: 


Hope this helps someone out there!
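As an added example (not code from the original post), the script below does the checking side of the procedure above: it takes a MAC list of the kind `ssh -Q mac` or a scanner finding reports, separates out the entries scanners commonly flag as weak, builds a hardened `MACs` line, and appends it to a config file only if no active `MACs` line is already present. It assumes POSIX sh with grep, tr and paste; the weak-MAC pattern (MD5-based, 96-bit truncated, 64-bit UMAC) is an assumption about typical scanner policy, and the MAC list and config file are constructed so it runs offline.

```shell
#!/bin/sh
# Added example, not from the original post: audit an SSH MAC list for entries
# vulnerability scanners commonly flag, build a hardened "MACs" directive, and
# append it to an sshd_config only when no active MACs line already exists.
# Assumes POSIX sh with grep, tr and paste. On a real host the list would come
# from `ssh -Q mac` (everything the build supports) or
# `sudo sshd -T | grep -i '^macs'` (what sshd actually offers); a constructed
# list is used here so the script runs offline.

# Constructed sample, shaped like `ssh -Q mac` output joined with commas.
SAMPLE_MACS="hmac-sha1,hmac-sha1-96,hmac-sha2-256,hmac-sha2-512,hmac-md5,hmac-md5-96,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,umac-128-etm@openssh.com"

# MACs typically reported as weak: MD5-based, 96-bit truncated tags and 64-bit
# UMAC. Assumption: scanner policies differ, so adjust this to match the finding.
WEAK_PATTERN='md5|-96(@|$)|umac-64'

# Print the weak entries of a comma-separated MAC list, one per line.
weak_macs() {
  printf '%s\n' "$1" | tr ',' '\n' | grep -E "$WEAK_PATTERN" || true
}

# Print the remaining entries comma-joined, ready for a MACs directive.
strong_macs() {
  printf '%s\n' "$1" | tr ',' '\n' | grep -Ev "$WEAK_PATTERN" | paste -s -d, -
}

# Build the directive line. The keyword is case-insensitive; "MACs" is the
# spelling used in sshd_config(5), and a space (not a comma) separates it
# from the list.
macs_directive() {
  printf 'MACs %s\n' "$(strong_macs "$1")"
}

# True if the config already has an uncommented MACs line. sshd uses the
# FIRST value it reads for a keyword, so a second, appended line would be
# silently ignored.
has_macs_directive() {
  grep -Eiq '^[[:space:]]*macs[[:space:]]' "$1"
}

# Append a hardened directive to config $1 built from MAC list $2, refusing
# to add a duplicate. Run as root against /etc/ssh/sshd_config, then
# validate with `sshd -t` before restarting Remote Login.
append_macs_directive() {
  if has_macs_directive "$1"; then
    echo "active MACs line already present in $1; edit that line instead" >&2
    return 1
  fi
  macs_directive "$2" >> "$1"
}

# Stand-alone demo on the constructed list.
echo "weak MACs offered:"
weak_macs "$SAMPLE_MACS"
echo "hardened directive:"
macs_directive "$SAMPLE_MACS"
```

Two caveats worth checking before trusting the append: sshd takes the first value it reads for a keyword, so an earlier `MACs` line (including one pulled in through an `Include` directive at the top of the file) overrides anything appended at the end, and if the file ends with a `Match` block the appended line lands inside that block and applies only to its matches. After editing, `sudo sshd -t` confirms the file parses and `sudo sshd -T | grep -i '^macs'` shows the list sshd will actually offer, which is what the scanner sees.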



New Contributor II

Network penetration tests frequently raise the issue of SSH weak MAC algorithms. These algorithms exist in the majority of SSH configurations and are generally considered Low Risk.