UBTU-20-010045 - The Ubuntu operating system SSH server must be configured to use only FIPS-validated key exchange algorithms.

Warning! Audit Deprecated

This audit has been deprecated and will be removed in a future update.

View Next Audit Version

Information

Without cryptographic integrity protections provided by FIPS-validated cryptographic algorithms, information can be viewed and altered by unauthorized users without detection.

The system will attempt to use the first algorithm presented by the client that matches the server list. Listing the values 'strongest to weakest' is a method to ensure the use of the strongest algorithm available to secure the SSH connection.

Solution

Configure the SSH server to use only FIPS-validated key exchange algorithms by adding or modifying the following line in '/etc/ssh/sshd_config':

KexAlgorithms ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256

Restart the 'sshd' service for changes to take effect:

$ sudo systemctl restart sshd

See Also

https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_CAN_Ubuntu_20-04_LTS_V1R9_STIG.zip

Item Details

References: CAT|II, CCI|CCI-000068, Rule-ID|SV-255912r880905_rule, STIG-ID|UBTU-20-010045, Vuln-ID|V-255912

Plugin: Unix

Control ID: 746ac37f6cdb1566a27c5f3bacd4f41f04ee3c2e6326e39b84d9c3408fc86aa5