The macOS system must implement approved ciphers within the SSH client configuration to protect the confidentiality of SSH connections.

An XCCDF Rule

Description

<VulnDiscussion>Operating systems using encryption are required to use FIPS-compliant mechanisms for authenticating to macOS. For OpenSSH to utilize the Apple Corecrypto FIPS-validated algorithms, a specific configuration is required to leverage the shim implemented by macOS to bypass the non-FIPS validated LibreSSL crypto module packaged with OpenSSH. Information regarding this configuration can be found in the manual page "apple_ssh_and_fips". Satisfies: SRG-OS-000033-GPOS-00014, SRG-OS-000120-GPOS-00061, SRG-OS-000125-GPOS-00065, SRG-OS-000250-GPOS-00093, SRG-OS-000393-GPOS-00173, SRG-OS-000394-GPOS-00174</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>

ID: SV-257773r922864_rule
Severity: High
References: CCI-000068 CCI-000803 CCI-000877 CCI-001453 CCI-002890 CCI-003123
Updated: 8 months ago

Configure the macOS system to use approved SSH ciphers by creating a plain text file in the /private/etc/ssh/ssh_config.d/ directory containing the following:

Ciphers aes128-gcm@openssh.com

The SSH service must be restarted for changes to take effect.

The macOS system must implement approved ciphers within the SSH client configuration to protect the confidentiality of SSH connections.

Description

Remediation - Manual Procedure