Detections
Analytics

5.1.30 Ensure sshd is configured to use only FIPS-validated key exchange algorithms

Information

SSH server should be configured to use only FIPS-validated key exchange algorithms.

Without cryptographic integrity protections provided by FIPS-validated cryptographic algorithms, information can be viewed and altered by unauthorized users without detection.

RHEL 8 incorporates system-wide crypto policies by default. The SSH configuration file has no effect on the ciphers, MACs, or algorithms unless specifically defined in the /etc/sysconfig/sshd file . The employed algorithms can be viewed in the /etc/crypto-policies/back-ends/opensshserver.config file.

The system will attempt to use the first algorithm presented by the client that matches the server list. Listing the values "strongest to weakest" is a method to ensure the use of the strongest algorithm available to secure the SSH connection.

Solution

Edit the /etc/crypto-policies/back-ends/opensshserver.config file and add/modify the KexAlgorithms to use only FIPS-validated key exchange algorithms:

-oKexAlgorithms=ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512

A reboot is required for the changes to take effect.

See Also

https://workbench.cisecurity.org/benchmarks/19886

Item Details

Category: ACCESS CONTROL

References: 800-53|AC-17, 800-53|AC-17(2), CAT|II, CSCv7|14.4, Rule-ID|SV-255924r917888_rule, Vuln-ID|V-255924

Plugin: Unix

Control ID: f66c0dbba60856fcd1da353033c634fa2ff40ddd83d726cb4ca8184857e3eb28