SLEM-05-255055 - SLEM 5 SSH server must be configured to use only FIPS 140-2/140-3 validated key exchange algorithms.

Information

Without cryptographic integrity protections provided by FIPS 140-2/140-3 validated cryptographic algorithms, information can be viewed and altered by unauthorized users without detection.

The system will attempt to use the first algorithm presented by the client that matches the server list. Listing the values "strongest to weakest" is a method to ensure the use of the strongest algorithm available to secure the SSH connection.

Solution

Configure the SSH server to use only FIPS 140-2/140-3 validated key exchange algorithms.

Add or modify the following line in the "/etc/ssh/sshd_config" file:

KexAlgorithms ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256

Restart the SSH daemon for changes to take effect:

> sudo systemctl restart sshd.service

Item Details

Audit Name: DISA SUSE Linux Enterprise Micro SLEM 5 STIG v1r4

Category: ACCESS CONTROL

Plugin: Unix

Control ID: af470e06401090015c1797800123b92667dc3fd1b65a1b62458f3f08e162c25b

Detections

Analytics

SLEM-05-255055 - SLEM 5 SSH server must be configured to use only FIPS 140-2/140-3 validated key exchange algorithms.

Information

Solution

See Also

Item Details