ESXI-65-000010 - The ESXi host SSH daemon must use DoD-approved encryption to protect the confidentiality of remote access sessions.

Information

Approved algorithms should impart some level of confidence in their implementation. Limit the ciphers to those algorithms which are FIPS-approved. Counter (CTR) mode is also preferred over cipher-block chaining (CBC) mode.

Note: This does not imply FIPS 140-2 validation.

Solution

Limit the ciphers to those algorithms which are FIPS-approved. Counter (CTR) mode is also preferred over cipher-block chaining (CBC) mode.

From an SSH session connected to the ESXi host, or from the ESXi shell, add or correct the following line in '/etc/ssh/sshd_config':

Ciphers aes256-ctr,aes192-ctr,aes128-ctr

See Also

https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_VMW_vSphere_6-5_Y21M07_STIG.zip

Item Details

Category: SYSTEM AND COMMUNICATIONS PROTECTION

References: 800-53|SC-13, CAT|II, CCI|CCI-000068, Rule-ID|SV-207611r766919_rule, STIG-ID|ESXI-65-000010, STIG-Legacy|SV-104053, STIG-Legacy|V-93967, Vuln-ID|V-207611

Plugin: Unix

Control ID: 6bc6d665748f3c9eee6f757388d854dbca3022ef12d6b52b5b8bf7f31d1b3d78