Details
Unapproved mechanisms for authentication to the cryptographic module are not verified, and therefore cannot be relied upon to provide confidentiality or integrity, resulting in the compromise of DoD data.
Operating systems using encryption are required to use FIPS-compliant mechanisms for authenticating to cryptographic modules.
The implementation of OpenSSH that is included with macOS does not utilize a FIPS 140-2 validated cryptographic module. While the listed ciphers are FIPS 140-2 approved algorithms, the module implementing them has not been validated.
By specifying a cipher list with the order of ciphers being in a ‘strongest to weakest’ orientation, the system will automatically attempt to use the strongest cipher for securing SSH connections.
Satisfies: SRG-OS-000033-GPOS-00014, SRG-OS-000120-GPOS-00061, SRG-OS-000125-GPOS-00065, SRG-OS-000250-GPOS-00093, SRG-OS-000393-GPOS-00173, SRG-OS-000394-GPOS-00174
Solution
Configure SSH to use secure cryptographic algorithms.
To ensure that ‘Ciphers’ set correctly, run the following command:
/usr/bin/sudo /usr/bin/grep -q ‘^Ciphers’ /etc/ssh/sshd_config && /usr/bin/sudo /usr/bin/sed -i.bak ‘s/^Ciphers.*/Ciphers aes256-ctr,aes192-ctr,aes128-ctr/’ /etc/ssh/sshd_config || /usr/bin/sudo /usr/bin/sed -i.bak ‘/.*Ciphers and keying.*/a’$’
”Ciphers aes256-ctr,aes192-ctr,aes128-ctr’$’
‘ /etc/ssh/sshd_config
The SSH service must be restarted for changes to take effect.
Supportive Information
The following resource is also helpful.
This security hardening control applies to the following category of controls within NIST 800-53: Access Control, Identification and Authentication, Maintenance.This control applies to the following type of system Unix.
References
- 800-53|AC-17(2)
- 800-53|IA-7
- 800-53|MA-4(6)
- 800-53|MA-4c.
- CAT|II
- CCI|CCI-000068
- CCI|CCI-000803
- CCI|CCI-000877
- CCI|CCI-002890
- CCI|CCI-003123
- Rule-ID|SV-233776r610901_rule
- STIG-ID|AOSX-15-000054
- Vuln-ID|V-233776