GEN005505 - The SSH daemon must be configured to only use FIPS 140-2 approved ciphers.

Information

DoD information systems are required to use FIPS 140-2 approved ciphers. SSHv2 ciphers meeting this requirement are 3DES and AES.

Solution

Edit /etc/ssh/sshd_config and add or edit the 'Ciphers' line. Only include ciphers that start with '3des' or 'aes' and do not contain 'cbc'. For the list of available ciphers for the particular version of your software, consult the sshd_config manpage.
Restart the SSH daemon.

See Also

http://iasecontent.disa.mil/stigs/zip/U_STIG_Library_2015_07.zip

Item Details

Category: ACCESS CONTROL

References: 800-53|AC-17(2), CAT|II, CCI|CCI-000068, Rule-ID|SV-26751r1_rule, STIG-ID|GEN005505, Vuln-ID|V-22458

Plugin: Unix

Control ID: 5c8bf4982718393ad90d48a6d6092e67e9d9504665d2d61cad4d96be8dff5c00