Insecure MAC algorithms in use: hmac-sha1-etm@openssh.com,hmac-sha1

crkratos · October 30, 2025, 10:05pm

I need help. How do I format the pmod file to disable hmac-sha1-etm@openssh.com and hmac-sha1 together using the update-crypto-policies --set name.pmod. I can get the hmac-sha1 to stick but the other I get Bad value of policy property `mac’ when trying to combine them together in one file. Any suggestions or advice would be appreciate. Thank you Carlos

jlehtone · October 31, 2025, 10:17am

# sshd -T | grep mac
macs hmac-sha2-256-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha2-256,hmac-sha1,umac-128@openssh.com,hmac-sha2-512
# touch /etc/crypto-policies/policies/modules/TEST.pmod
# echo "mac = -HMAC-SHA1" > /etc/crypto-policies/policies/modules/TEST.pmod
# update-crypto-policies --show
LEGACY
# update-crypto-policies --set LEGACY:TEST
# sshd -T | grep mac
macs hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha2-256,umac-128@openssh.com,hmac-sha2-512

Is that what you are looking for?

crkratos · October 31, 2025, 7:17pm

Yes thank you. I found out there was another way to do it.

update-crypto-policies --set DEFAULT:NO-SHA1

Thank you for the help. Carlos

Topic		Replies	Views
Hmac-md5-96 bit need to be disable Rocky Linux Help & Support	4	2548	April 9, 2024
Bug in crypto-policies re ssh key exchange algorithms: should I report upstream? Rocky Linux Help & Support	2	1200	August 25, 2023
Having issues with security hardening Rocky Linux Help & Support rocky-linux-8	7	2048	December 31, 2023
Unable to remove cipher suites from ssh Rocky Linux Help & Support	15	9180	August 25, 2023
Custom crypto backend file for second sshd process Rocky Linux Help & Support rocky-linux-9	2	444	October 18, 2024

Insecure MAC algorithms in use: hmac-sha1-etm@openssh.com,hmac-sha1

Related topics