mac-alg

This command specifies the message authentication code (MAC) algorithms to accept for SSH connections that the DataPower Gateway makes as an SSH client when the SFTP request matches no SFTP client policy in the user agent. MACs provide integrity protection of the SSH transport; they are not an encryption setting.

Syntax

Add a MAC algorithm.
mac-alg algorithm
Delete a MAC algorithm.
no mac-alg algorithm
Clear all defined MAC algorithms and use the default algorithms.
no mac-alg

Parameters

algorithm
Specifies an SSH MAC algorithm to offer during SSH key exchange. The order of algorithms matters: the client sends its list in preference order, and the first algorithm in the client list that the server also supports is chosen. If no algorithm in the client list is supported by the server, key exchange fails and no connection is established.
The algorithms in the following table are supported. You can change the preference order of the MAC algorithms. When you enter an algorithm, use the value in the second column. The third column indicates whether the algorithm is a default algorithm.
Table 1. Supported SSH MAC algorithms in default order of preference

Algorithm                        Value to enter                      Is default?
umac-64@openssh.com              UMAC-64_AT_OPENSSH.COM              Yes
umac-128@openssh.com             UMAC-128_AT_OPENSSH.COM             Yes
hmac-sha2-256                    HMAC-SHA2-256                       Yes
hmac-sha2-512                    HMAC-SHA2-512                       Yes
hmac-sha1                        HMAC-SHA1                           Yes
umac-64-etm@openssh.com          UMAC-64-ETM_AT_OPENSSH.COM          No
umac-128-etm@openssh.com         UMAC-128-ETM_AT_OPENSSH.COM         No
hmac-sha2-256-etm@openssh.com    HMAC-SHA2-256-ETM_AT_OPENSSH.COM    No
hmac-sha2-512-etm@openssh.com    HMAC-SHA2-512-ETM_AT_OPENSSH.COM    No
hmac-sha1-etm@openssh.com        HMAC-SHA1-ETM_AT_OPENSSH.COM        No

Guidelines

The mac-alg command specifies the message authentication code (MAC) algorithms to accept for integrity protection of SSH connections that are made when the SFTP request matches no SFTP client policy in the user agent of the XML manager. Changes to the algorithms affect only new connections, not existing connections.

SSH client profiles are associated with SFTP client policies in the user agent. The algorithms in the SSH domain client profile apply to an SFTP connection only when the SFTP request matches no SFTP client policy. When a policy matches, the algorithms from the mac-alg command in that policy's SSH client profile override these algorithms.
  • When you define an SSH client profile and specify algorithms, these algorithms override the ones in the SSH domain client profile.
  • When you define an SSH client profile and specify no algorithms, the DataPower® Gateway uses its default MAC algorithms instead of the ones in the SSH domain client profile.

To specify multiple algorithms, run this command once for each algorithm. Adding a new algorithm does not delete existing ones; the new algorithm is always appended to the end of the list. Because the position in the list is the preference order, to change the order you must clear the list and add the algorithms again in the order that you want.

You can use the no mac-alg command without a parameter to clear all the algorithms in the profile. When all algorithms are cleared, the default algorithms are used. The default algorithms are the ones marked as default in the previous table, in the order listed. Note that the default list ends with hmac-sha1 and contains none of the encrypt-then-MAC (-etm) variants; to prefer the -etm variants, or to stop a server that offers only hmac-sha1 from negotiating it, define the list explicitly as in the second example below.

Examples

  • Delete the hmac-sha1 algorithm.
    # no mac-alg HMAC-SHA1
  • Clear the list (so that the defaults no longer apply) and add the umac-128-etm@openssh.com, hmac-sha2-512-etm@openssh.com, and hmac-sha2-256-etm@openssh.com algorithms in order of preference.
    # no mac-alg
    # mac-alg UMAC-128-ETM_AT_OPENSSH.COM
    # mac-alg HMAC-SHA2-512-ETM_AT_OPENSSH.COM
    # mac-alg HMAC-SHA2-256-ETM_AT_OPENSSH.COM
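The following Python model is added here as an illustration and is not DataPower code or part of the product documentation. It models the mac-alg list semantics described in the Guidelines (add appends, delete removes one entry, a bare no mac-alg clears the list, an empty list means the defaults of Table 1) and then applies the RFC 4253 negotiation rule from the Parameters section to show what a server actually ends up with: the default list negotiates hmac-sha1 against a server that offers hmac-sha1 plus an -etm algorithm, the explicit -etm list from the second example selects hmac-sha2-256-etm@openssh.com against the same server, and a list with hmac-sha1 removed fails against that server. The server offer is constructed for the example. Two behaviours the page does not specify are assumptions and marked as such in the code: re-adding an algorithm that is already present is a no-op, and deleting an algorithm while the defaults are in effect trims the default list.

```python
"""Added illustration: how the mac-alg list is built and how the MAC is then
negotiated (RFC 4253 section 7.1). Not DataPower code."""
from typing import Dict, List, Optional

# CLI value (second column of Table 1) -> SSH wire name (first column).
CLI_TO_WIRE: Dict[str, str] = {
    "UMAC-64_AT_OPENSSH.COM": "umac-64@openssh.com",
    "UMAC-128_AT_OPENSSH.COM": "umac-128@openssh.com",
    "HMAC-SHA2-256": "hmac-sha2-256",
    "HMAC-SHA2-512": "hmac-sha2-512",
    "HMAC-SHA1": "hmac-sha1",
    "UMAC-64-ETM_AT_OPENSSH.COM": "umac-64-etm@openssh.com",
    "UMAC-128-ETM_AT_OPENSSH.COM": "umac-128-etm@openssh.com",
    "HMAC-SHA2-256-ETM_AT_OPENSSH.COM": "hmac-sha2-256-etm@openssh.com",
    "HMAC-SHA2-512-ETM_AT_OPENSSH.COM": "hmac-sha2-512-etm@openssh.com",
    "HMAC-SHA1-ETM_AT_OPENSSH.COM": "hmac-sha1-etm@openssh.com",
}

# Defaults in the preference order of Table 1 ("Is default? = Yes").
DEFAULT_MACS: List[str] = [
    "umac-64@openssh.com", "umac-128@openssh.com",
    "hmac-sha2-256", "hmac-sha2-512", "hmac-sha1",
]


class MacAlgList:
    """Model of the mac-alg semantics from the Guidelines: 'mac-alg X' appends,
    'no mac-alg X' removes one entry, bare 'no mac-alg' clears the list, and an
    empty list means the defaults are in effect."""

    def __init__(self) -> None:
        self._defined: List[str] = []

    def run(self, line: str) -> None:
        """Apply one CLI line such as 'mac-alg HMAC-SHA2-256' or 'no mac-alg'.
        A leading '# ' prompt, as printed in the Examples, is ignored."""
        parts = line.lstrip("# ").split()
        if len(parts) == 2 and parts[0] == "mac-alg":
            self._add(self._wire(parts[1]))
        elif parts == ["no", "mac-alg"]:
            self._defined.clear()
        elif len(parts) == 3 and parts[:2] == ["no", "mac-alg"]:
            self._delete(self._wire(parts[2]))
        else:
            raise ValueError(f"unrecognised command: {line!r}")

    @staticmethod
    def _wire(value: str) -> str:
        if value not in CLI_TO_WIRE:          # only Table 1 values are accepted
            raise ValueError(f"unsupported MAC algorithm value: {value!r}")
        return CLI_TO_WIRE[value]

    def _add(self, wire: str) -> None:
        # Assumption: re-adding an algorithm that is already present is a no-op
        # (the page only says that new algorithms are appended, never reordered).
        if wire not in self._defined:
            self._defined.append(wire)

    def _delete(self, wire: str) -> None:
        # Assumption: deleting while the defaults are in effect first makes the
        # default list explicit, so 'no mac-alg HMAC-SHA1' trims the defaults.
        if not self._defined:
            self._defined = list(DEFAULT_MACS)
        if wire in self._defined:
            self._defined.remove(wire)

    def effective(self) -> List[str]:
        """The name-list the client will offer in SSH_MSG_KEXINIT."""
        return list(self._defined) if self._defined else list(DEFAULT_MACS)


def negotiate(client: List[str], server: List[str]) -> Optional[str]:
    """RFC 4253 section 7.1: the chosen MAC is the first algorithm on the
    client's name-list that the server also supports. None means key exchange
    fails and no connection is established."""
    supported = set(server)
    return next((name for name in client if name in supported), None)


def configure(lines: List[str]) -> MacAlgList:
    """Apply a sequence of CLI lines to a fresh profile and return it."""
    profile = MacAlgList()
    for line in lines:
        profile.run(line)
    return profile


if __name__ == "__main__":
    # Constructed server offer for illustration: an old server that still
    # lists hmac-sha1 first and offers only one encrypt-then-MAC algorithm.
    server_offer = ["hmac-sha1", "hmac-sha2-256-etm@openssh.com"]

    defaults = configure([])
    print("defaults     ->", negotiate(defaults.effective(), server_offer))

    etm_only = configure([
        "# no mac-alg",
        "# mac-alg UMAC-128-ETM_AT_OPENSSH.COM",
        "# mac-alg HMAC-SHA2-512-ETM_AT_OPENSSH.COM",
        "# mac-alg HMAC-SHA2-256-ETM_AT_OPENSSH.COM",
    ])
    print("etm only     ->", negotiate(etm_only.effective(), server_offer))

    no_sha1 = configure(["# no mac-alg HMAC-SHA1"])
    print("no hmac-sha1 ->", negotiate(no_sha1.effective(), server_offer))
```

Running the script prints hmac-sha1 for the defaults, hmac-sha2-256-etm@openssh.com for the explicit -etm list, and None for the trimmed default list, which is the practical consequence of the ordering and append rules above: the profile's list, not the server's, decides which supported algorithm wins, and removing hmac-sha1 from a list that has no -etm entry is a hard failure against a server that offers nothing else in common.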