Setting MACs setting in /etc/ssh/sshd_config on Amazon Linux

Lightbeard asked:

We are going through the process of hardening Amazon Linux 1 based on CIS.

Control 5.2.12 states under “Expected Values” :

The following List String value(s) X indicate the current
status of the MACs setting defined within the
/etc/ssh/sshd_config file.

======Expected Value(s)======
contains regular expression list
[email protected]
[email protected]
[email protected]
hmac-sha2-512 hmac-sha2-256
[email protected]
[email protected]

Based on this RHEL documentation of the setting, we appended the following to /etc/ssh/sshd_config:

MACs [email protected],[email protected],[email protected],hmac-sha2-512,hmac-sha2-256,[email protected],[email protected],diffie-hellman-group-exchange-sha256

Restarting SSHD results in the following error:

Starting sshd: /etc/ssh/sshd_config line 142: Bad SSH2 Mac spec
[email protected],[email protected],[email protected],hmac-sha2-512,hmac-sha2-256,[email protected],[email protected],diffie-hellman-group-exchange-sha256’. [FAILED]

How do we configure SSHD MACs on Amazon Linux?

My answer:

That log entry indicates that your version of OpenSSH didn’t recognize one or more of the MAC algorithms you specified.

Given that it’s Amazon Linux, I would guess it’s going to be anything related to curve25519. Otherwise, you can try adding them one at a time until it fails to start again, then you will know which is the cause.

View the full question and any other answers on Server Fault.

Creative Commons License
This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 Unported License.