Description of problem:
The rule xccdf_org.ssgproject.content_rule_sshd_use_strong_macs - Use Only Strong MACs limits the MACs sshd will negotiate to strong hash algorithms.
When the remediation is applied, it writes the following line to /etc/ssh/sshd_config.d/00-complianceascode-hardening.conf:
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,hmac-ripemd160
However, when the SSH service is restarted it fails to start, because hmac-ripemd160 is rejected: support for that MAC was removed in OpenSSH 7.6.
SCAP Security Guide Version:
v0.1.79
Operating System Version:
Ubuntu 24.04
Steps to Reproduce:
- Apply the remediation for rule xccdf_org.ssgproject.content_rule_sshd_use_strong_macs
- Start/restart the SSH service
- Check the SSH service status
- Remove hmac-ripemd160 from /etc/ssh/sshd_config.d/00-complianceascode-hardening.conf and restart the SSH service again
Actual Results:
The SSH service fails to start because of hmac-ripemd160, which is not supported by OpenSSH 7.6 and later. Once hmac-ripemd160 is removed from the drop-in file, the service starts normally.
Expected Results:
The SSH service should start and run correctly after the remediation is applied.
Additional Information/Debugging Steps:
I think we need to adapt the Ansible and Shell remediation scripts to check the OpenSSH version beforehand and decide whether or not to apply 'hmac-ripemd160' in /etc/ssh/sshd_config.d/00-complianceascode-hardening.conf.
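As an illustration of the version-aware remediation proposed above, here is an added example script; it is not the project's Shell or Ansible remediation. It applies the version gate the report suggests (drop hmac-ripemd160 when the installed OpenSSH is 7.6 or newer), then additionally keeps only the MACs that the local ssh binary advertises via `ssh -Q mac`, writes the drop-in, and runs `sshd -t` so a bad MACs line is rolled back before the service is ever restarted. The helper names (`openssh_version`, `version_ge`, `filter_macs`, `apply_macs`), the sample `ssh -V` banner and the sample `ssh -Q mac` listing are constructed for the example; the service name `ssh` matches Ubuntu 24.04.

```shell
#!/usr/bin/env bash
# Added example for this issue; not ComplianceAsCode's own remediation code.
# Build the sshd 'MACs' line from the rule's wanted list, drop what the
# installed OpenSSH does not support (hmac-ripemd160 was removed in 7.6),
# and validate with 'sshd -t' before the change is left in place.
set -euo pipefail

CONF=/etc/ssh/sshd_config.d/00-complianceascode-hardening.conf
# The list the remediation currently writes, as quoted in the issue.
WANTED='hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,hmac-ripemd160'

# Constructed sample inputs so the helpers can be exercised without sshd:
# an `ssh -V` banner and a `ssh -Q mac` listing in the shape OpenSSH prints.
SAMPLE_BANNER='OpenSSH_9.6p1 Ubuntu-3ubuntu13.5, OpenSSL 3.0.13 30 Jan 2024'
SAMPLE_SUPPORTED='hmac-sha1
hmac-sha2-256
hmac-sha2-512
umac-64@openssh.com
umac-128@openssh.com
hmac-sha2-256-etm@openssh.com
hmac-sha2-512-etm@openssh.com
umac-128-etm@openssh.com'

# openssh_version BANNER: "OpenSSH_9.6p1 ..." -> "9.6" (empty if no match).
openssh_version() {
    printf '%s\n' "$1" | sed -n 's/^OpenSSH_\([0-9][0-9]*\)\.\([0-9][0-9]*\).*/\1.\2/p'
}

# version_ge A B: succeed if major.minor A >= major.minor B (numeric compare,
# so 7.10 is correctly treated as older than 8.0).
version_ge() {
    local a_maj=${1%%.*} a_min=${1#*.} b_maj=${2%%.*} b_min=${2#*.}
    [ "$a_maj" -gt "$b_maj" ] || { [ "$a_maj" -eq "$b_maj" ] && [ "$a_min" -ge "$b_min" ]; }
}

# filter_macs WANTED SUPPORTED: print the comma-separated WANTED list, in its
# original order, keeping only names that appear (one per line) in SUPPORTED.
filter_macs() {
    local wanted="$1" supported="$2" out="" mac old_ifs="$IFS"
    IFS=','
    for mac in $wanted; do
        IFS="$old_ifs"
        if printf '%s\n' "$supported" | grep -qxF -- "$mac"; then
            out="${out:+$out,}$mac"
        fi
    done
    IFS="$old_ifs"
    printf '%s\n' "$out"
}

# apply_macs CONF WANTED: write a validated 'MACs' line to the drop-in file.
apply_macs() {
    local conf="$1" wanted="$2" ver macs
    ver=$(openssh_version "$(ssh -V 2>&1)")
    # The version gate the issue proposes: hmac-ripemd160 exists only before 7.6.
    if [ -n "$ver" ] && version_ge "$ver" 7.6; then
        wanted=$(printf '%s\n' "$wanted" | sed 's/hmac-ripemd160//; s/,,/,/g; s/^,//; s/,$//')
    fi
    # Stronger check: keep only what this build's ssh actually advertises.
    macs=$(filter_macs "$wanted" "$(ssh -Q mac)")
    if [ -z "$macs" ]; then
        echo "none of the wanted MACs are supported here; not writing $conf" >&2
        return 1
    fi
    # Write, then validate the whole effective sshd config before any restart,
    # rolling back so a bad drop-in never takes the service down.
    if [ -f "$conf" ]; then cp -p "$conf" "$conf.bak"; fi
    printf 'MACs %s\n' "$macs" > "$conf"
    if ! sshd -t; then
        echo "sshd -t rejected the new MACs line; restoring previous file" >&2
        if [ -f "$conf.bak" ]; then mv "$conf.bak" "$conf"; else rm -f "$conf"; fi
        return 1
    fi
    rm -f "$conf.bak"
    echo "wrote: MACs $macs"
}

# Only touch the system when run explicitly (as root) with --apply.
if [ "${1:-}" = "--apply" ]; then
    apply_macs "$CONF" "$WANTED"
    systemctl restart ssh
fi
```

Querying `ssh -Q mac` is the more robust of the two checks, since it reflects what the installed binary was actually built with rather than what a version number implies; the version gate is kept because it is what the report asks for and it works on hosts where the remediation cannot rely on the query output. Running `sshd -t` before the restart is what turns a broken drop-in from an outage into a logged failure.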