APPL-11-000056 - The macOS system must implement an approved Key Exchange Algorithm.


Unapproved mechanisms for authentication to the cryptographic module are not verified, and therefore cannot be relied upon to provide confidentiality or integrity, resulting in the compromise of DoD data.

Operating systems using encryption are required to use FIPS-compliant mechanisms for authenticating to cryptographic modules.

The implementation of OpenSSH that is included with macOS does not utilize a FIPS 140-2 validated cryptographic module. While the listed Key Exchange Algorithms are FIPS 140-2 approved, the module implementing them has not been validated.

By specifying a Key Exchange Algorithm list with the order of hashes being in a 'strongest to weakest' orientation, the system will automatically attempt to use the strongest Key Exchange Algorithm for securing SSH connections.

Satisfies: SRG-OS-000033-GPOS-00014, SRG-OS-000120-GPOS-00061, SRG-OS-000125-GPOS-00065, SRG-OS-000250-GPOS-00093, SRG-OS-000393-GPOS-00173, SRG-OS-000394-GPOS-00174


Configure SSH to use a secure Key Exchange Algorithm.

To ensure that 'KexAlgorithms' set correctly, run the following command:

/usr/bin/sudo /usr/bin/grep -q '^KexAlgorithms' /etc/ssh/sshd_config && /usr/bin/sudo /usr/bin/sed -i.bak 's/^KexAlgorithms.*/KexAlgorithms diffie-hellman-group-exchange-sha256/' /etc/ssh/sshd_config || /usr/bin/sudo /usr/bin/sed -i.bak '/.*Ciphers and keying.*/a'$'
''KexAlgorithms diffie-hellman-group-exchange-sha256'$'
' /etc/ssh/sshd_config

The SSH service must be restarted for changes to take effect.

See Also

Item Details


References: 800-53|AC-17(2), 800-53|AC-19e., 800-53|IA-7, 800-53|MA-4(6), CAT|II, CCI|CCI-000068, CCI|CCI-000087, CCI|CCI-000803, CCI|CCI-002890, CCI|CCI-003123, Rule-ID|SV-230769r599842_rule, STIG-ID|APPL-11-000056, Vuln-ID|V-230769

Plugin: Unix

Control ID: 4e87cfce04399d46273a79def18ea2dc769d868aef52c579724884f9946ec7a1