We're currently using CA PAM 2.6 and while apply security benchmarks to our RHEL 6 hosts I've found that PAM supports a rather limited list of MAC algorithms.
The security benchmark we use for RHEL 6 requires the MAC algorithms to be limited to the following.
hmac-sha2-512,hmac-sha2-256
There are a few other algorithms allowed, but they aren't supported by OpenSSH 5.3p1 which is shipped in RHEL 6.
PAM 2.6 supports the following MACs according to the error message I received.
'mac-algorithms-cli2srv', our's: hmac-md5,hmac-sha1,hmac-sha1-96,hmac-md5-96,hmac-ripemd160, peer's: hmac-sha2-256,hmac-sha2-512
Does PAM 2.7 or 2.8 support any SHA2 MAC algorithms for SSH?