Title

Ubuntu OS SSH server must be configured to use only FIPS-validated key exchange algorithms. (Cat I impact)

Discussion

Without cryptographic integrity protections provided by FIPS-validated cryptographic algorithms, information can be viewed and altered by unauthorized users without detection. The system will attempt to use the first algorithm presented by the client that matches the server list. Listing the values "strongest to weakest" is a method to ensure the use of the strongest algorithm available to secure the SSH connection.

Check Content

Verify that the SSH server is configured to use only FIPS-validated key exchange algorithms by using the following command: $ sudo /usr/sbin/sshd -dd 2>&1 | awk '/filename/ {print $4}' | tr -d '\r' | tr '\n' ' ' | xargs sudo grep -iH 'kexalgorithms' /etc/ssh/sshd_config:KexAlgorithms ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256 If "KexAlgorithms" does not contain only the algorithms "ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256" in exact order, is commented out, is missing, or conflicting results are returned, this is a finding.

Fix Text

Configure the SSH server to use only FIPS-validated key exchange algorithms. Add or modify the following line in the "/etc/ssh/sshd_config" file: KexAlgorithms ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256 Restart the SSH server for changes to take effect: $ sudo systemctl restart sshd.service

Additional Identifiers

Rule ID: SV-275626r1147928_rule

Vulnerability ID: V-275626

Group Title: SRG-OS-000033-GPOS-00014

Expert Comments

CCIs tied to check.

Controls tied to check. These are derived from the CCIs shown above.