5.1.6 Ensure sshd Ciphers are configured

Information

This variable limits the ciphers that SSH can use during communication.

Notes:

- Some organizations may have stricter requirements for approved ciphers.
- Ensure that ciphers used are in compliance with site policy.
- The only "strong" ciphers currently FIPS 140-3 compliant are:
- [email protected] mailto:[email protected]
- [email protected] mailto:[email protected]
- aes256-ctr
- aes128-ctr

Weak ciphers that are used for authentication to the cryptographic module cannot be relied upon to provide confidentiality or integrity, and system data may be compromised.

- The Triple DES ciphers, as used in SSH, have a birthday bound of approximately four billion blocks, which makes it easier for remote attackers to obtain clear text data via a birthday attack against a long-duration encrypted session, aka a "Sweet32" attack.
- Error handling in the SSH protocol; Client and Server, when using a block cipher algorithm in Cipher Block Chaining (CBC) mode, makes it easier for remote attackers to recover certain plain text data from an arbitrary block of cipher text in an SSH session via unknown vectors.

Solution

Note:

- First occurrence of an option takes precedence.
- Though ciphers may be configured through the Ciphers option in the /etc/ssh/sshd_config file, it is recommended that the ciphers available to openSSH server are configured through system-wide-crypto-policy
- If the recommendations in the subsection "Configure system wide crypto policy" have been followed, this Audit should be in a passing state. Please review that section before following this Remediation Procedure
- By default, system-wide-crypto-policy is applied to the openSSH server. If the following defaults don't exist due to modifications or upgrade from a earlier release, the system-wide-crypto-policy may not be included by the openSSH server. It is recommended that these defaults be restored, created, or the line Include /etc/crypto-policies/back-ends/opensshserver.config be added before any lines containing the Cipher argument.
- Defaults:
- The file /etc/ssh/sshd_config includes the line: Include /etc/ssh/sshd_config.d/*.conf . This line must appear before any lines containing the Cipher argument
- This directory /etc/ssh/sshd_config.d/ includes a file /etc/ssh/sshd_config.d/50-redhat.conf
- The file /etc/ssh/sshd_config.d/50-redhat.conf includes the line Include /etc/crypto-policies/back-ends/opensshserver.config
- The file /etc/crypto-policies/back-ends/opensshserver.config is generated by system-wide-crypto-policy

Create or edit a file in /etc/crypto-policies/policies/modules/ ending in .pmod and add or modify the the following line:

cipher@SSH = -3DES-CBC -AES-128-CBC -AES-192-CBC -AES-256-CBC

Example:

# printf '%s\n' "# This is a subpolicy to disable weak ciphers" "# for the SSH protocol (libssh and OpenSSH)" "cipher@SSH = -3DES-CBC -AES-128-CBC -AES-192-CBC -AES-256-CBC" >> /etc/crypto-policies/policies/modules/NO-SSHWEAKCIPHERS.pmod

Run the following command to update the system-wide cryptographic policy

# update-crypto-policies --set <CRYPTO_POLICY>:<CRYPTO_SUBPOLICY1>:<CRYPTO_SUBPOLICY2>:<CRYPTO_SUBPOLICY3>

Example:

# update-crypto-policies --set DEFAULT:NO-SHA1:NO-WEAKMAC:NO-SSHCBC:NO-SSHWEAKCIPHERS

Run the following command to reload the openSSH server to make your cryptographic settings effective:

# systemctl reload-or-restart sshd

- OR - If system-wide-crypto-policy is not being used to configure available ciphers ( This is not recommended )

Edit the /etc/ssh/sshd_config file and add/modify the Ciphers line to contain a comma separated list of the site unapproved (weak) Ciphers preceded with a - above any Include entries:

Example:

Ciphers -3des-cbc,aes128-cbc,aes192-cbc,aes256-cbc

Item Details

Audit Name: CIS Rocky Linux 10 v1.0.0 L1 Server

Category: ACCESS CONTROL, MAINTENANCE

Plugin: Unix

Control ID: 7ec90ca09ac4531d273168bbdd05b1da6af28a8152fb42a282864cca4b5a57b5

Detections

Analytics

5.1.6 Ensure sshd Ciphers are configured

Information

Solution

See Also

Item Details