Enforcing strong SSH message authentication code (MAC) algorithms protects management traffic against tampering and forgeries, ensuring configuration changes, file transfers, and administrative commands are not silently modified in transit. Tight MAC selection reduces exposure to older constructions with weaker integrity properties and aligns remote access with modern cryptographic policy baselines.

In OpenSSH, MAC algorithms are negotiated during the initial key exchange together with the key-exchange method and the ciphers: each side sends its list in preference order, and the first algorithm in the client's list that the server also offers is chosen, separately for each direction of the connection. The MACs directive in /etc/ssh/sshd_config controls which algorithms the server is willing to offer, so explicitly defining a hardened set prevents any client from selecting weaker options such as hmac-sha1 or the legacy MD5-based hmac-md5. Two points matter when choosing the list: the -etm@openssh.com variants compute the MAC over the ciphertext (encrypt-then-MAC), so the receiver never decrypts unauthenticated data, and the MACs setting only takes effect with a non-AEAD cipher such as aes256-ctr; with chacha20-poly1305@openssh.com or the AES-GCM ciphers, integrity comes from the cipher itself and the MAC list is ignored for that direction.

Restricting MAC algorithms can affect compatibility with older clients, embedded systems, and network appliances that do not support modern hmac-sha2-256 or hmac-sha2-512 variants or the newer encrypt-then-MAC constructions. Before enforcing a strict MAC policy, ensure console or out-of-band access exists, take backups of SSH configuration, and plan a maintenance window so misconfiguration or client incompatibility does not cause an extended lockout.

Steps to enforce strong SSH MAC algorithms:

  1. Open a terminal with privileges that allow editing SSH daemon configuration.
    $ whoami
    admin
  2. Inspect the MAC algorithms currently enabled in the SSH daemon effective configuration.
    $ sudo sshd -T | grep macs
    macs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,hmac-sha1

    The sshd -T output shows the effective configuration after all includes and defaults are applied.

  3. Create a timestamped backup of the current SSH daemon configuration file.
    $ sudo cp /etc/ssh/sshd_config /etc/ssh/sshd_config.bak-$(date +%F)

    A MACs line that leaves no algorithm a client supports, or one with a typo in an algorithm name, can block new SSH logins until the backup is restored from the console or out-of-band access; a reload leaves already established sessions running, so keep one open until the change is verified.

  4. Open the SSH daemon configuration file /etc/ssh/sshd_config in a text editor with root privileges.
    $ sudo nano /etc/ssh/sshd_config
  5. Add or update the MACs directive so only strong algorithms are permitted.
    MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512,hmac-sha2-256

    Removing hmac-sha1 and older algorithms will block legacy clients and appliances that have not been updated to support the hmac-sha2* MACs. Before cutting over, check what a representative client supports (ssh -Q mac on an OpenSSH client prints the list it can negotiate) and inventory automation, backup agents and monitoring systems that connect to the host.

  6. Save the changes in the editor and close the configuration file.

    sshd uses the first value it reads for a directive, so a MACs line that appears earlier in the file, or in a file pulled in by an Include directive (Debian and Ubuntu include /etc/ssh/sshd_config.d/*.conf near the top of sshd_config), takes precedence over the one just written. Grep for MACs in the main file and in every file under /etc/ssh/sshd_config.d/ and keep a single directive so there is no doubt about which setting is effective.

  7. Validate the sshd configuration syntax before applying the new MAC policy.
    $ sudo sshd -t

    No output from sshd -t indicates the configuration passes syntax checks. sshd -t also rejects an unrecognized algorithm name with a "Bad SSH2 mac spec" error, which is the most common mistake when typing the MACs line by hand; never reload a configuration that fails this check.

  8. Reload the SSH daemon to apply the hardened MAC configuration without dropping existing sessions.
    $ sudo systemctl reload ssh

    On systems where the service is named sshd instead of ssh, run sudo systemctl reload sshd.

  9. Confirm from a separate system that connections negotiate one of the configured strong MAC algorithms. Pin a non-AEAD cipher for the test, because with chacha20-poly1305@openssh.com or AES-GCM the MAC list is not consulted and the debug output shows MAC: <implicit> instead of an algorithm name.
    $ ssh -vv -o Ciphers=aes256-ctr admin@server.example.com exit
    ##### snipped #####
    debug1: kex: algorithm: curve25519-sha256
    debug1: kex: host key algorithm: ecdsa-sha2-nistp256
    debug1: kex: server->client cipher: aes256-ctr MAC: hmac-sha2-256-etm@openssh.com compression: none
    debug1: kex: client->server cipher: aes256-ctr MAC: hmac-sha2-256-etm@openssh.com compression: none
    ##### snipped #####
    Connection to server.example.com closed.

    Verification from an independent client confirms that the hardened MACs configuration is being enforced and that a strong algorithm is negotiated; the MAC is chosen per direction, so check both the server->client and client->server lines. Complete the check with the negative case: a client that offers only hmac-sha1 (the -o MACs= option, again combined with -o Ciphers=aes256-ctr) must be refused with a "no matching MAC found" error that lists the server's remaining offer, which should be exactly the algorithms from step 5.
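The whole procedure above (audit the effective MACs, enforce the allow-list from step 5, validate with sshd -t, reload, re-audit) as one script. This is an added example, not code from the original article or from OpenSSH. The drop-in path /etc/ssh/sshd_config.d/50-macs.conf and the ssh service name are assumptions chosen for illustration, and SAMPLE_CONFIG is constructed sshd -T output, so the policy check can be exercised offline without an sshd on the machine.

```shell
#!/bin/sh
# Added example, not code from the original article or from OpenSSH.
# Audits an sshd MACs list against the allow-list from step 5 and, with
# --live, enforces it via an Include drop-in, validates with sshd -t and reloads.
# Assumptions (not from the article): the drop-in path and the "ssh" service
# name below are placeholders; SAMPLE_CONFIG is constructed sshd -T output.
set -u

# Allow-list from step 5, in server preference order.
STRONG_MACS="hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512,hmac-sha2-256"
DROPIN=/etc/ssh/sshd_config.d/50-macs.conf   # assumed name for this example

# in_list NAME CSV: succeed if NAME is an element of the comma-separated CSV.
in_list() {
    case ",$2," in
        *",$1,"*) return 0 ;;
        *)        return 1 ;;
    esac
}

# split_csv CSV: one element per line, so callers can loop with a plain for.
split_csv() { printf '%s\n' "$1" | tr ',' '\n'; }

# weak_macs CSV: comma-separated MACs from CSV that are NOT on the allow-list
# (prints an empty line when the list is compliant).
weak_macs() {
    out=""
    for mac in $(split_csv "$1"); do
        in_list "$mac" "$STRONG_MACS" && continue
        out="${out:+$out,}$mac"
    done
    printf '%s\n' "$out"
}

# strong_macs CSV: the MACs from CSV that survive the policy, keeping their
# original order, since order is what the client's preference list is matched against.
strong_macs() {
    out=""
    for mac in $(split_csv "$1"); do
        in_list "$mac" "$STRONG_MACS" || continue
        out="${out:+$out,}$mac"
    done
    printf '%s\n' "$out"
}

# macs_from_config TEXT: the value of the "macs" line in sshd -T output.
macs_from_config() { printf '%s\n' "$1" | sed -n 's/^macs //p'; }

# audit TEXT: exit 0 if the effective macs list in TEXT is compliant, 1 otherwise.
audit() {
    current="$(macs_from_config "$1")"
    weak="$(weak_macs "$current")"
    if [ -z "$weak" ]; then
        echo "OK: macs within policy: $current"
        return 0
    fi
    echo "FAIL: weak MACs still offered: $weak"
    echo "      hardened directive would be: MACs $(strong_macs "$current")"
    return 1
}

# apply_live: audit the running daemon; if it fails, enforce the allow-list
# through the drop-in (only if sshd_config actually includes sshd_config.d),
# refuse to reload anything sshd -t rejects, then re-audit. Run as root.
apply_live() {
    audit "$(sshd -T)" && return 0
    grep -q '^Include /etc/ssh/sshd_config.d/' /etc/ssh/sshd_config || {
        echo "no Include of sshd_config.d in sshd_config; set MACs there directly" >&2
        return 1
    }
    printf 'MACs %s\n' "$STRONG_MACS" > "$DROPIN"
    sshd -t || { rm -f "$DROPIN"; return 1; }   # a typo in a MAC name is caught here
    systemctl reload ssh                          # "sshd" on RHEL-family systems
    audit "$(sshd -T)"
}

# Constructed sample of `sshd -T` output, mirroring the article's step 2.
SAMPLE_CONFIG='port 22
ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes256-ctr
macs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,hmac-sha1'

if [ "${1:-}" = "--live" ]; then
    apply_live
else
    # Offline demonstration: the sample fails the audit because of hmac-sha1,
    # and the filtered list passes.
    audit "$SAMPLE_CONFIG" || echo "(expected for the constructed sample)"
    audit "macs $(strong_macs "$(macs_from_config "$SAMPLE_CONFIG")")"
fi
```

Run it with no arguments to see the policy check against the constructed sample, or as root with --live to audit and harden the real daemon. The drop-in is written only when the Include line is present, because a MACs line in a file sshd never reads would pass sshd -t and still leave hmac-sha1 enabled; the drop-in is deleted again if sshd -t rejects it, so the running daemon is never reloaded into a broken configuration.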
