Detections
Analytics
UBTU-22-255060 - Ubuntu 22.04 LTS SSH server must be configured to use only FIPS-validated key exchange algorithms.
Information
Without cryptographic integrity protections provided by FIPS-validated cryptographic algorithms, information can be viewed and altered by unauthorized users without detection.The system will attempt to use the first algorithm presented by the client that matches the server list. Listing the values "strongest to weakest" is a method to ensure the use of the strongest algorithm available to secure the SSH connection.
Solution
Configure the SSH server to use only FIPS-validated key exchange algorithms.Add or modify the following line in the "/etc/ssh/sshd_config" file:
KexAlgorithms ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256
Restart the SSH server for changes to take effect:
$ sudo systemctl restart sshd.service
See Also
https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_CAN_Ubuntu_22-04_LTS_V2R8_STIG.zip
Item Details
Audit Name: DISA Canonical Ubuntu 22.04 LTS STIG v2r8
Category: ACCESS CONTROL
References: 800-53|AC-17(2), CAT|II, CCI|CCI-000068, Rule-ID|SV-260533r958408_rule, STIG-ID|UBTU-22-255060, Vuln-ID|V-260533
Plugin: Unix
Control ID: 007a14ca715cbd64752c067df8f0b85cb9ed78291215dd3a4dd133894ecf1fee