Setting MACs setting in /etc/ssh/sshd_config on Amazon Linux

Question

We are going through the process of hardening Amazon Linux 1 based on CIS.

Control 5.2.12 states under "Expected Values" :

The following List String value(s) X indicate the current status of the MACs setting defined within the /etc/ssh/sshd_config file.

======Expected Value(s)======
contains regular expression list
hmac-sha2-512-etm@openssh.com
hmac-sha2-256-etm@openssh.com
umac-128-etm@openssh.com
hmac-sha2-512 hmac-sha2-256
umac-128@openssh.com
curve25519-sha256@libssh.org
diffie-hellman-group-exchange-sha256

Based on this RHEL documentation of the setting, we appended the following to /etc/ssh/sshd_config:

MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com,curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256

/etc/init.d/sshd restart results in the following error:

Starting sshd: /etc/ssh/sshd_config line 142: Bad SSH2 Mac spec 'hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com,curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256'. [FAILED]

How do we configure SSHD MACs on Amazon Linux?

Answer 1

That log entry indicates that your version of OpenSSH didn't recognize one or more of the MAC algorithms you specified.

Given that it's Amazon Linux, I would guess it's going to be anything related to curve25519. Otherwise, you can try adding them one at a time until it fails to start again, then you will know which is the cause.