should ssh MACs be updated?

[shawndwells]

Common criteria list only allows:

#echo -e "MACs hmac-sha2-256,hmac-sha2-512" >> $CONFIG

But rule has:

Only the following message authentication codes are FIPS 140-2 certified on {{{ full_name }}}:
    <br />- hmac-sha1
    <br />- hmac-sha2-256
    <br />- hmac-sha2-512
    <br />- hmac-sha1-etm@openssh.com
    <br />- hmac-sha2-256-etm@openssh.com
    <br />- hmac-sha2-512-etm@openssh.com
    <br /><br />

ref: guide/services/ssh/ssh_server/sshd_use_approved_macs/rule.yml

[yuumasato]

This is configured by rule harden_sshd_crypto_policy, implemented in #4663

[shawndwells]

That PR does not specifically evaluate the SSH config file. This still seems relevant.

[yuumasato]

That PR does not specifically evaluate the SSH config file.

There is no need to, it is done by system-wide crypto policy.

The MAC algorithms (-oMACs=hmac-sha2-256,hmac-sha2-512) are set in line and put into file /etc/crypto-policies/local.d/opensshserver-ospp.config.
Then update-crypto-policies command will put them into effect, more details in rule description.

[yuumasato]

#4676, sets the baseline crypto-policy to FIPS. Which, for SSHD, is not technically necessary as #4663 overrides the policy to use stricter set of algorithms.

End result is crypto-policy FIPS for all backends, plus stricter settings for SSHD.