Check: GEN005505
Solaris 10 SPARC STIG: GEN005505 (in versions v2 r4 through v2 r2)
Title
The operating system must implement DoD-approved encryption to protect the confidentiality of SSH connections. (Cat II impact)
Discussion
DoD information systems are required to use FIPS 140-2 approved ciphers. SSHv2 ciphers meeting this requirement are 3DES and AES. By specifying a cipher list with the order of ciphers being in a “strongest to weakest” orientation, the system will automatically attempt to use the strongest cipher for securing SSH connections.
Satisfies: SRG-OS-000033, SRG-OS-000505, SRG-OS-000555
Check Content
Check the SSH daemon configuration for allowed ciphers.

# grep -i ciphers /etc/ssh/sshd_config | grep -v '^#'
Ciphers aes256-ctr,aes192-ctr,aes128-ctr

If any ciphers other than "aes256-ctr", "aes192-ctr", or "aes128-ctr" are listed, the order differs from the example above, or the "Ciphers" keyword is missing or commented out, this is a finding.
Fix Text
Edit /etc/ssh/sshd_config and change or set the Ciphers line to the following (comma-separated, with no spaces, exactly as in the check above; sshd takes each comma-separated token literally as a cipher name).

Ciphers aes256-ctr,aes192-ctr,aes128-ctr
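As an added example (not part of the STIG text), a POSIX shell function that automates the check and fix verification above against a given sshd_config file. It assumes standard grep, sed and head, and flags the same conditions the check content lists: extra ciphers, wrong order, a missing or commented-out "Ciphers" keyword, plus whitespace inside the list, which sshd would treat as part of a cipher name.

```shell
#!/bin/sh
# Added example, not part of the STIG: automated GEN005505 check.
# Assumes POSIX sh plus grep, sed and head; FILE defaults to /etc/ssh/sshd_config.
# Returns 0 (no finding) or 1 (finding) and prints the reason.

REQUIRED='aes256-ctr,aes192-ctr,aes128-ctr'

check_ciphers() {
    file=${1:-/etc/ssh/sshd_config}
    # Only uncommented "Ciphers" lines count; sshd honours the first one it sees.
    line=$(grep -i '^[[:space:]]*ciphers[[:space:]]' "$file" 2>/dev/null | head -n 1)
    if [ -z "$line" ]; then
        echo "FINDING: Ciphers keyword missing or commented out in $file"
        return 1
    fi
    # Strip the keyword and surrounding whitespace to get the cipher list itself.
    value=$(printf '%s\n' "$line" |
        sed 's/^[[:space:]]*[Cc][Ii][Pp][Hh][Ee][Rr][Ss][[:space:]]*//; s/[[:space:]]*$//')
    # The list must be one comma-separated token: sshd does not trim spaces
    # after commas, so "aes256-ctr, aes192-ctr" would name a cipher " aes192-ctr".
    case $value in
        *[[:space:]]*)
            echo "FINDING: whitespace inside cipher list: '$value'"
            return 1 ;;
    esac
    # Exact comparison also enforces the required strongest-to-weakest order.
    if [ "$value" != "$REQUIRED" ]; then
        echo "FINDING: Ciphers is '$value', required '$REQUIRED'"
        return 1
    fi
    echo "PASS: Ciphers $value"
    return 0
}
```

Source the file and run `check_ciphers /etc/ssh/sshd_config`; an exit status of 0 means no finding.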
Additional Identifiers
Rule ID: SV-226986r603852_rule
Vulnerability ID: V-226986
Group Title: SRG-OS-000033
CCIs
Number | Definition
---|---
CCI-000068 | The information system implements cryptographic mechanisms to protect the confidentiality of remote access sessions.
Controls
Number | Title
---|---
AC-17 (2) | Protection Of Confidentiality / Integrity Using Encryption