Information
Secure Shell (SSH) ciphers are encryption algorithms used by the SSH protocol to secure data transmitted between a client and a server. They protect the privacy and integrity of the connection, using symmetric encryption to encrypt data after a secure session is established. During connection setup, the client and server negotiate to select the strongest available cipher that both support, ensuring the connection is as secure as possible.
More information about the OpenSSH server configuration is available in the "Configure SSH Server" section overview.
Weak ciphers that are used for authentication to the cryptographic module cannot be relied upon to provide confidentiality or integrity, and system data may be compromised.
Solution
- Edit the /etc/ssh/sshd_config file and add or modify the Ciphers line so that it contains a comma-separated allow list of the site-approved (strong) ciphers.
Example:
Ciphers [email protected],aes128-ctr,aes192-ctr,aes256-ctr,[email protected],[email protected]
- If CVE-2023-48795 has not been reviewed and addressed, also remove [email protected] from the comma-separated allow list.
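To confirm the change took effect, the effective cipher list reported by `sshd -T` can be compared with the allow list. The script below is an added example, not part of the original benchmark text; the function name, the `APPROVED` value (only the CTR ciphers visible in the example above) and the sample output are assumptions to replace with site values.

```shell
#!/bin/sh
# Added example: flag effective sshd ciphers that are not on the site allow list.
# APPROVED is an assumed allow list; substitute the site-approved ciphers.
APPROVED="aes128-ctr,aes192-ctr,aes256-ctr"

# unapproved_ciphers EFFECTIVE [ALLOW]
#   EFFECTIVE: text of `sshd -T` (or only its "ciphers ..." line).
#   ALLOW:     comma-separated allow list (defaults to $APPROVED).
# Prints every effective cipher missing from ALLOW, one per line.
# Status: 0 = all approved, 1 = unapproved cipher found, 2 = no ciphers line.
unapproved_ciphers() (
    effective=$1
    allow=${2:-$APPROVED}
    rc=0
    # sshd -T prints lower-case keywords, e.g. "ciphers a,b,c".
    line=$(printf '%s\n' "$effective" | awk '$1 == "ciphers" { print $2; exit }')
    [ -n "$line" ] || exit 2
    set -f          # no globbing while splitting the list
    IFS=','
    for c in $line; do
        case ",$allow," in
            *",$c,"*) ;;                      # on the allow list
            *) printf '%s\n' "$c"; rc=1 ;;    # would still be negotiable
        esac
    done
    exit "$rc"
)

# Constructed sample of `sshd -T` output (not captured from a real host).
SAMPLE='port 22
ciphers aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,3des-cbc
macs hmac-sha2-256'

# On a live host, run as root:  unapproved_ciphers "$(sshd -T)"
unapproved_ciphers "$SAMPLE" || echo "review the Ciphers line in /etc/ssh/sshd_config"
```

Because `sshd -T` prints the configuration the daemon would actually use, this check also catches cases where the Ciphers line was edited but is overridden or never parsed.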
Impact:
An overly restrictive list of ciphers can lead to the "no matching cipher found" error during an SSH connection. This error indicates that the SSH client and server are unable to agree on a common cipher for the session. It typically occurs when the two sides support different ciphers, or when older, less secure ciphers are disabled on one side but still expected by the other.