We are going through the process of hardening Amazon Linux 1 based on CIS.
Control 5.2.12 states under "Expected Values":
The following List String value(s) X indicate the current status of the MACs setting defined within the /etc/ssh/sshd_config file.
======Expected Value(s)======
contains regular expression list
[email protected]
[email protected]
[email protected]
hmac-sha2-512 hmac-sha2-256
[email protected]
[email protected]
diffie-hellman-group-exchange-sha256
Based on this RHEL documentation of the setting, we appended the following to /etc/ssh/sshd_config:
MACs [email protected],[email protected],[email protected],hmac-sha2-512,hmac-sha2-256,[email protected],[email protected],diffie-hellman-group-exchange-sha256
/etc/init.d/sshd restart results in the following error:
Starting sshd: /etc/ssh/sshd_config line 142: Bad SSH2 Mac spec '[email protected],[email protected],[email protected],hmac-sha2-512,hmac-sha2-256,[email protected],[email protected],diffie-hellman-group-exchange-sha256'. [FAILED]
How do we configure SSHD MACs on Amazon Linux?
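A pre-restart check for the situation above, added here as an example and not part of the original post: sshd rejects the whole MACs value if any one entry is not a MAC name, and diffie-hellman-group-exchange-sha256 is a key exchange algorithm name rather than a MAC. The function name `unsupported_macs` and the sample lists are constructed for illustration; the default lookup assumes the installed OpenSSH supports `ssh -Q mac`.

```shell
#!/bin/sh
# Added example (not from the original post): list the entries of a MACs value
# that are not MAC algorithm names known to the local OpenSSH build.

# unsupported_macs SPEC [SUPPORTED]
#   SPEC       comma-separated value intended for the MACs directive
#   SUPPORTED  newline-separated MAC names; defaults to `ssh -Q mac` output
# Prints every unrecognised entry on its own line.
# Returns 0 if all entries are recognised, 1 otherwise.
unsupported_macs() {
    spec=$1
    supported=${2-$(ssh -Q mac 2>/dev/null)}
    bad=0
    old_ifs=$IFS
    IFS=,
    set -f                      # no glob expansion while splitting on commas
    for name in $spec; do
        [ -n "$name" ] || continue
        # -x: whole-line match, -F: fixed string, so '@' and '.' stay literal
        if ! printf '%s\n' "$supported" | grep -qxF -- "$name"; then
            printf '%s\n' "$name"
            bad=1
        fi
    done
    set +f
    IFS=$old_ifs
    return "$bad"
}

# Constructed sample data: a supported list shaped like `ssh -Q mac` output and
# a MACs value that mixes MAC names with a key exchange name.
SAMPLE_SUPPORTED='hmac-sha2-256
hmac-sha2-512
hmac-sha2-256-etm@openssh.com
hmac-sha2-512-etm@openssh.com
umac-128@openssh.com
umac-128-etm@openssh.com'
SAMPLE_SPEC='hmac-sha2-512-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,diffie-hellman-group-exchange-sha256'

unsupported_macs "$SAMPLE_SPEC" "$SAMPLE_SUPPORTED" ||
    echo 'Remove the entries listed above from MACs before restarting sshd.' >&2
```

On the host, call the function with only the MACs value so the supported list comes from `ssh -Q mac`. After editing /etc/ssh/sshd_config, `sshd -t` parses the file and reports errors without restarting the daemon.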