Details
Approved algorithms should impart some level of confidence in their implementation. Limit the ciphers to those algorithms which are FIPS-approved. Counter (CTR) mode is also preferred over cipher-block chaining (CBC) mode.
Note: This does not imply FIPS 140-2 validation.
Solution
Limit the ciphers to those algorithms which are FIPS-approved. Counter (CTR) mode is also preferred over cipher-block chaining (CBC) mode.
From an SSH session connected to the ESXi host, or from the ESXi shell, add or correct the following line in ‘/etc/ssh/sshd_config’:
Ciphers aes256-ctr,aes192-ctr,aes128-ctr
Supportive Information
The following resource is also helpful.
This security hardening control applies to the following category of controls within NIST 800-53: Access Control.This control applies to the following type of system Unix.
References
- 800-53|AC-17(2)
- CAT|II
- CCI|CCI-000068
- Rule-ID|SV-207611r766919_rule
- STIG-ID|ESXI-65-000010
- STIG-Legacy|SV-104053
- STIG-Legacy|V-93967
- Vuln-ID|V-207611