Big Sur - Limit SSHD to FIPS 140 Validated Ciphers

Information

If SSHD is enabled then it _MUST_ be configured to limit the ciphers to algorithms that are FIPS 140 validated.

FIPS 140-2 is the current standard for validating that mechanisms used to access cryptographic modules utilize authentication that meet federal requirements.

Operating systems utilizing encryption _MUST_ use FIPS validated mechanisms for authenticating to cryptographic modules.

NOTE: /etc/ssh/sshd_config will be automatically modified to its original state following any update or major upgrade to the operating system.

Solution

[source,bash]
----
/usr/bin/grep -q '^Ciphers' /etc/ssh/sshd_config && /usr/bin/sed -i.bak 's/.^Ciphers.*/Ciphers aes256-ctr,aes192-ctr,aes128-ctr/' /etc/ssh/sshd_config || /bin/echo 'Ciphers aes256-ctr,aes192-ctr,aes128-ctr' >> /etc/ssh/sshd_config; /bin/launchctl kickstart -k system/com.openssh.sshd
----

See Also

https://github.com/usnistgov/macos_security

Item Details

Category: ACCESS CONTROL, IDENTIFICATION AND AUTHENTICATION, MAINTENANCE, SYSTEM AND COMMUNICATIONS PROTECTION

References: 800-53|AC-17(2), 800-53|AC-19e., 800-53|IA-7, 800-53|MA-4(6), 800-53|SC-8(1), 800-53|SC-13, CCE|CCE-85454-7, CCI|CCI-000068, CCI|CCI-000087, CCI|CCI-000803, CCI|CCI-002890, CCI|CCI-003123, STIG-ID|APPL-11-000054

Plugin: Unix

Control ID: a843346a1887400ee6ee4f42ffd7ab4952b3850af3f9cc8183c3f30fb97a8c6b