Configure SSH Client to Use FIPS 140-2 Validated Ciphers: openssh.config
An XCCDF Rule
Description
Crypto Policies provide a centralized control over crypto algorithms usage of many packages.
OpenSSH is supported by system crypto policy, but the OpenSSH configuration may be
set up incorrectly.
To check that Crypto Policies settings for ciphers are configured correctly, ensure that
/etc/crypto-policies/back-ends/openssh.config
contains the following
line and is not commented out:
Ciphers
warning alert: Warning
warning alert: Regulatory Warning
Rationale
Overriding the system crypto policy makes the behavior of the OpenSSH client violate expectations, and makes system configuration more fragmented. By specifying a cipher list with the order of ciphers being in a “strongest to weakest” orientation, the system will automatically attempt to use the strongest cipher for securing SSH connections.
- ID
- xccdf_org.ssgproject.content_rule_harden_sshd_ciphers_openssh_conf_crypto_policy
- Severity
- High
- References
- Updated
Remediation - Ansible
- name: XCCDF Value sshd_approved_ciphers # promote to variable
set_fact:
sshd_approved_ciphers: !!str <xccdf-1.2:sub xmlns:xccdf-1.2="http://checklists.nist.gov/xccdf/1.2" idref="xccdf_org.ssgproject.content_value_sshd_approved_ciphers" use="legacy"/>
tags:
- always
Remediation - Shell Script
sshd_approved_ciphers='<xccdf-1.2:sub xmlns:xccdf-1.2="http://checklists.nist.gov/xccdf/1.2" idref="xccdf_org.ssgproject.content_value_sshd_approved_ciphers" use="legacy"/>'
if [ -e "/etc/crypto-policies/back-ends/openssh.config" ] ; then