The macOS system must implement approved Message Authentication Codes (MACs) within the SSH client configuration.

STIG ID: APPL-13-000058 | SRG: SRG-OS-000033-GPOS-00014 | Severity: high | CCI: CCI-000068, CCI-000803, CCI-000877, CCI-001453, CCI-002890, CCI-003123 | Vulnerability Id: V-257294

Vulnerability Discussion

Operating systems using encryption are required to use FIPS-compliant mechanisms for authenticating to macOS.

For OpenSSH to utilize the Apple Corecrypto FIPS-validated algorithms, a specific configuration is required to leverage the shim implemented by macOS to bypass the non-FIPS validated LibreSSL crypto module packaged with OpenSSH. Information regarding this configuration can be found in the manual page "apple_ssh_and_fips".

Satisfies: SRG-OS-000033-GPOS-00014, SRG-OS-000120-GPOS-00061, SRG-OS-000125-GPOS-00065, SRG-OS-000250-GPOS-00093, SRG-OS-000393-GPOS-00173, SRG-OS-000394-GPOS-00175

Check

Verify the macOS system is configured to use approved SSH MACs within the SSH client configuration with the following command:

/usr/bin/sudo /usr/bin/grep -ir "macs" /etc/ssh/ssh_config*

/etc/ssh/ssh_config.d/fips_ssh_config:Macs hmac-sha2-256

If any MAC algorithms other than "hmac-sha2-256" are listed, or the "macs" keyword is missing, this is a finding.
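
An added example, not part of the STIG text: a shell function that applies the check above to the files passed to it. It goes one step beyond the grep by also flagging a MACs value that starts with "+", "-" or "^", which per ssh_config(5) edits the default set rather than replacing it. The function name audit_ssh_macs and the sample files are constructed for this example.

```shell
# Added example, not part of the STIG: audit SSH client config files for MACs.
APPROVED_MAC="hmac-sha2-256"

# Usage: audit_ssh_macs FILE...
# Prints one "FINDING:" line per problem; returns 0 if compliant, 1 if not.
audit_ssh_macs() {
    [ "$#" -gt 0 ] || { echo "usage: audit_ssh_macs FILE..." >&2; return 2; }
    awk -v ok="$APPROVED_MAC" '
        {
            line = $0
            sub(/^[ \t]+/, "", line)
            if (line == "" || line ~ /^#/) next       # blank line or comment
            n = match(line, /[ \t=]/)                 # keyword ends at space or "="
            if (n == 0 || tolower(substr(line, 1, n - 1)) != "macs") next
            seen = 1
            val = substr(line, n)
            sub(/^[ \t]*=?[ \t]*/, "", val)           # drop the separator
            sub(/[ \t]+$/, "", val)
            gsub(/"/, "", val)                        # value may be quoted
            # A leading +, - or ^ edits the default set instead of replacing it,
            # so the defaults stay enabled alongside the approved MAC.
            if (val ~ /^[-+^]/) {
                printf "FINDING: %s:%d: modifies default set: %s\n", FILENAME, FNR, val
                bad = 1
                next
            }
            m = split(val, algs, ",")
            for (i = 1; i <= m; i++)
                if (algs[i] != ok) {
                    printf "FINDING: %s:%d: unapproved MAC: %s\n", FILENAME, FNR, algs[i]
                    bad = 1
                }
        }
        END {
            if (!seen) { print "FINDING: no MACs keyword in any file"; bad = 1 }
            exit bad + 0
        }
    ' "$@"
}

# Constructed sample files so the example runs offline.
demo_dir=$(mktemp -d)
printf 'MACs hmac-sha2-256\n' > "$demo_dir/fips_ssh_config"
printf 'Host *\n  macs=hmac-sha2-256,hmac-sha1\n' > "$demo_dir/weak_config"
printf '# MACs hmac-sha2-256\nCiphers aes128-gcm@openssh.com\n' > "$demo_dir/missing_config"
audit_ssh_macs "$demo_dir/fips_ssh_config" && echo "compliant"
audit_ssh_macs "$demo_dir/weak_config" || echo "finding (weak)"
audit_ssh_macs "$demo_dir/missing_config" || echo "finding (missing)"
rm -rf "$demo_dir"
```

On a live system, pass it /etc/ssh/ssh_config and the files under /etc/ssh/ssh_config.d/.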

Fix

Configure the macOS system to use approved SSH MACs by creating a plain text file in the /private/etc/ssh/ssh_config.d/ directory containing the following:

MACs hmac-sha2-256

The SSH service must be restarted for changes to take effect.