AlmaLinux OS 9 SSH server must be configured to use only FIPS 140-3 validated key exchange algorithms.
An XCCDF Rule
Description
Without cryptographic integrity protections provided by FIPS-validated cryptographic algorithms, information can be viewed and altered by unauthorized users without detection. AlmaLinux OS 9 incorporates systemwide crypto policies by default. The SSH configuration file has no effect on the ciphers, MACs, or algorithms unless specifically defined in the /etc/sysconfig/sshd file. The employed algorithms can be viewed in the /etc/crypto-policies/back-ends/opensshserver.config file. The system will attempt to use the first algorithm presented by the client that matches the server list. Listing the values "strongest to weakest" is a method to ensure the use of the strongest algorithm available to secure the SSH connection.
- ID: SV-269117r1049999_rule
- Version: ALMA-09-003325
- Severity: Medium
- References:
- Updated:
Remediation Templates
A Manual Procedure
Configure the AlmaLinux OS 9 SSH server to use only FIPS 140-3 approved algorithms by setting the systemwide crypto policy, which regenerates the "/etc/crypto-policies/back-ends/opensshserver.config" file, with the following commands:
Note: Before enabling FIPS mode, ensure that the dracut-fips package is installed on the system.
Enable FIPS mode by updating the system's crypto policy with the following command:
$ sudo update-crypto-policies --set FIPS
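The following audit helper is an added example written for this page; it is not part of the STIG rule text or of any AlmaLinux tooling. It covers both points above: it reads the KexAlgorithms line from the crypto-policies back-end file the Description names, flags any algorithm that is not on a caller-supplied allow-list, and reports whether the FIPS policy set by the remediation is the active one. Assumptions: the back-end file uses the AlmaLinux/RHEL 9 keyword layout ("KexAlgorithms a,b,c" on its own line); the allow-list in SAMPLE_ALLOW is a constructed placeholder standing in for the organization's approved FIPS 140-3 KEX set, because the rule text does not enumerate algorithms; the two sample file contents are constructed so the script runs offline.

```shell
#!/bin/sh
# Added audit helper (example code, not part of the STIG rule or AlmaLinux).
# Assumption: AlmaLinux/RHEL 9 keyword layout of the back-end file.
POLICY_FILE=/etc/crypto-policies/back-ends/opensshserver.config

# Print the comma-separated value of the first "KexAlgorithms" line in $1.
# The exact match on field 1 keeps "GSSAPIKexAlgorithms" from matching.
extract_kex() {
    awk '$1 == "KexAlgorithms" { print $2; exit }' "$1"
}

# Check every configured KEX algorithm in file $1 against allow-list $2
# (comma-separated). Prints each algorithm not on the list; returns 0 when
# all are allowed, 1 otherwise (including when no KexAlgorithms line exists,
# since sshd would then fall back to its compiled-in defaults).
check_kex() {
    kex=$(extract_kex "$1")
    if [ -z "$kex" ]; then
        echo "no KexAlgorithms line in $1" >&2
        return 1
    fi
    allowed=",$2,"
    bad=0
    old_ifs=$IFS
    IFS=','
    for alg in $kex; do
        case "$allowed" in
            *",$alg,"*) ;;                        # on the allow-list
            *) echo "not allowed: $alg"; bad=1 ;;  # not FIPS-approved per list
        esac
    done
    IFS=$old_ifs
    return "$bad"
}

# Return 0 if the active systemwide policy is FIPS (or a FIPS subpolicy such
# as FIPS:OSPP), 1 otherwise, 2 if update-crypto-policies is not installed.
fips_policy_active() {
    command -v update-crypto-policies >/dev/null 2>&1 || return 2
    case "$(update-crypto-policies --show)" in
        FIPS|FIPS:*) return 0 ;;
        *) return 1 ;;
    esac
}

# Constructed sample data. SAMPLE_ALLOW is an assumed placeholder for the
# organization's approved FIPS 140-3 KEX list, not a list from the rule text.
SAMPLE_ALLOW="ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group14-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512"
SAMPLE_OK="Ciphers aes256-gcm@openssh.com,aes256-ctr
KexAlgorithms ecdh-sha2-nistp384,ecdh-sha2-nistp256,diffie-hellman-group16-sha512
MACs hmac-sha2-256"
SAMPLE_BAD="KexAlgorithms curve25519-sha256,ecdh-sha2-nistp256,diffie-hellman-group14-sha1"

# Write sample content $1 to a temp file and print the file's path.
sample_file() {
    f=$(mktemp)
    printf '%s\n' "$1" > "$f"
    printf '%s\n' "$f"
}

# Stand-alone run: audit both constructed samples, then the live file if readable.
audit_samples() {
    for s in "$SAMPLE_OK" "$SAMPLE_BAD"; do
        f=$(sample_file "$s")
        if check_kex "$f" "$SAMPLE_ALLOW"; then echo "PASS: $f"; else echo "FAIL: $f"; fi
        rm -f "$f"
    done
    if [ -r "$POLICY_FILE" ]; then
        if fips_policy_active; then echo "FIPS policy active"; else echo "FIPS policy NOT active"; fi
        if check_kex "$POLICY_FILE" "$SAMPLE_ALLOW"; then echo "PASS: $POLICY_FILE"; else echo "FAIL: $POLICY_FILE"; fi
    fi
}
audit_samples
```

Because sshd reads the back-end file only at start-up, run the audit after `update-crypto-policies --set FIPS` and a restart of the sshd service (or of the system) to see the regenerated list; a stale result before restart is expected, not a finding.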