ESXI-67-000010 - The ESXi host SSH daemon must use DoD-approved encryption to protect the confidentiality of remote access sessions.

Information

Restricting SSH to approved algorithms gives some assurance in both the algorithms and their implementation. Limit the ciphers to algorithms that are FIPS approved; counter (CTR) mode is also preferred over cipher-block chaining (CBC) mode.

Solution

Limit the ciphers to FIPS-approved algorithms.

From an SSH session connected to the ESXi host, or from the ESXi shell, add or correct the following line in '/etc/ssh/sshd_config':

FipsMode yes

or

From a PowerCLI command prompt while connected to the ESXi host, run the following commands:

$esxcli = Get-EsxCli -v2
$arguments = $esxcli.system.security.fips140.ssh.set.CreateArgs()
$arguments.enable = $true
$esxcli.system.security.fips140.ssh.set.Invoke($arguments)
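As an added example (not part of the STIG or the Tenable audit text), a POSIX shell audit and fix for the FipsMode directive that can be run from the ESXi shell against /etc/ssh/sshd_config or against a copy of it. The optional path argument is an assumption for testing; the comment, "Key=value" and first-match rules follow the OpenSSH configuration parser.

```shell
#!/bin/sh
# Added example, not from the STIG or Tenable audit text. Audits and remediates
# the FipsMode directive in an sshd_config the way the OpenSSH-based sshd on
# ESXi reads it: the keyword is case-insensitive, '#' starts a comment, either
# whitespace or '=' separates key and value, and the first occurrence wins.
# The optional path argument (assumed, so the code can be run against a copy)
# defaults to /etc/ssh/sshd_config as named in the finding.

# Print the effective FipsMode value: "yes", "no", or "unset".
fips_mode_status() {
    cfg=${1:-/etc/ssh/sshd_config}
    awk '
        { sub(/#.*/, ""); sub(/=/, " ") }        # drop comments, normalise "Key=value"
        NF == 0 { next }                          # skip blank lines
        tolower($1) == "fipsmode" { print tolower($2); found = 1; exit }
        END { if (!found) print "unset" }
    ' "$cfg"
}

# Succeed (exit 0) only when the effective setting is "FipsMode yes".
fips_mode_compliant() {
    [ "$(fips_mode_status "$1")" = "yes" ]
}

# Remediate: rewrite every active FipsMode line to "FipsMode yes", or append one
# if none exists. Writes through a temp file so a half-written config is never
# left in place if the host loses power mid-edit.
set_fips_mode_yes() {
    cfg=${1:-/etc/ssh/sshd_config}
    tmp="$cfg.tmp.$$"
    if grep -qi '^[[:space:]]*fipsmode' "$cfg"; then
        sed 's/^[[:space:]]*[Ff][Ii][Pp][Ss][Mm][Oo][Dd][Ee].*/FipsMode yes/' "$cfg" > "$tmp"
    else
        { cat "$cfg"; echo "FipsMode yes"; } > "$tmp"
    fi
    mv "$tmp" "$cfg"
}

# Command-line use: "sh fips_ssh.sh check [path]" or "sh fips_ssh.sh fix [path]".
case "${1:-}" in
    check) fips_mode_compliant "$2" && echo "FipsMode yes: compliant" ||
           { echo "FipsMode is $(fips_mode_status "$2"): NOT compliant"; exit 1; } ;;
    fix)   set_fips_mode_yes "$2" && echo "FipsMode yes written to ${2:-/etc/ssh/sshd_config}" ;;
esac
```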

See Also

https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_VMW_vSphere_6-7_Y22M04_STIG.zip

Item Details

Category: ACCESS CONTROL

References: 800-53|AC-17(2), CAT|II, CCI|CCI-000068, Rule-ID|SV-239267r674730_rule, STIG-ID|ESXI-67-000010, Vuln-ID|V-239267

Plugin: Unix

Control ID: 0f02e948d80c76109bddb3c0198c88be7b19bc879bea95c729edfa5c50330925