Monterey - Limit SSH to FIPS Compliant Connections

Information

SSH _MUST_ be configured to limit the Ciphers, HostbasedAcceptedAlgorithms, HostKeyAlgorithms, KexAlgorithms, MACs, PubkeyAcceptedAlgorithms, CASignatureAlgorithms to algorithms that are FIPS 140 validated.

FIPS 140-2 is the current standard for validating that mechanisms used to access cryptographic modules utilize authentication that meet federal requirements.

Operating systems utilizing encryption _MUST_ use FIPS validated mechanisms for authenticating to cryptographic modules.

NOTE: For more information on FIPS compliance with the version of SSH included in the macOS, the manual page apple_ssh_and_fips has additional information.

Solution

[source,bash]
----
fips_ssh_config="Host *
Ciphers [email protected]
HostbasedAcceptedAlgorithms ecdsa-sha2-nistp256,[email protected]
HostKeyAlgorithms ecdsa-sha2-nistp256,[email protected]
KexAlgorithms ecdh-sha2-nistp256
MACs hmac-sha2-256
PubkeyAcceptedAlgorithms ecdsa-sha2-nistp256,[email protected]
CASignatureAlgorithms ecdsa-sha2-nistp256"
/bin/echo "${fips_ssh_config}" > /etc/ssh/ssh_config.d/fips_ssh_config
----

See Also

https://github.com/usnistgov/macos_security

Item Details

Category: ACCESS CONTROL, IDENTIFICATION AND AUTHENTICATION, MAINTENANCE, SYSTEM AND COMMUNICATIONS PROTECTION

References: 800-53|AC-17(2), 800-53|AC-19e., 800-53|IA-7, 800-53|MA-4(6), 800-53|SC-8(1), 800-53|SC-13, CCE|CCE-91003-4, CCI|CCI-000068, CCI|CCI-000087, CCI|CCI-000803, CCI|CCI-002890, CCI|CCI-003123

Plugin: Unix

Control ID: 69ba05e8a3fbd59e8c7f9836b13d6bd637c0cf67917c7c9e4be483c9360c9b18