Limit the ciphers to those algorithms which are FIPS-approved.
Counter (CTR) mode is also preferred over cipher-block chaining (CBC) mode.
The following line in /etc/ssh/sshd_config
demonstrates use of FIPS-approved ciphers:
Ciphers aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,3des-cbc,aes192-cbc,aes256-cbc
The man page sshd_config(5) contains a list of supported ciphers.
Only the following ciphers are FIPS 140-2 certified on Red Hat Enterprise Linux 7:
- aes128-ctr
- aes192-ctr
- aes256-ctr
- aes128-cbc
- aes192-cbc
- aes256-cbc
- 3des-cbc
- rijndael-cbc@lysator.liu.se
Any combination of the above ciphers will pass this check.
Official FIPS 140-2 paperwork for Red Hat Enterprise Linux 7 can be found at
http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140sp/140sp2630.pdf
The rule is parametrized to use the following ciphers: