Details
Unapproved mechanisms for authentication to the cryptographic module are not verified, and therefore cannot be relied upon to provide confidentiality or integrity, resulting in the compromise of DoD data.
Operating systems using encryption are required to use FIPS-compliant mechanisms for authenticating to cryptographic modules.
The implementation of OpenSSH that is included with macOS does not utilize a FIPS 140-2 validated cryptographic module. While the listed Key Exchange Algorithms are FIPS 140-2 approved, the module implementing them has not been validated.
By specifying a Key Exchange Algorithm list with the order of hashes being in a “strongest to weakest” orientation, the system will automatically attempt to use the strongest Key Exchange Algorithm for securing SSH connections.
NOTE: /etc/ssh/sshd_config will be automatically modified to its original state following any update or major upgrade to the operating system.
Solution
Run the following bash code
/usr/bin/grep -q '^KexAlgorithms' /etc/ssh/sshd_config && /usr/bin/sed -i.bak 's/.*KexAlgorithms.*/KexAlgorithms diffie-hellman-group-exchange-sha256/' /etc/ssh/sshd_config || /bin/echo 'KexAlgorithms diffie-hellman-group-exchange-sha256' >> /etc/ssh/sshd_config; /bin/launchctl kickstart -k system/com.openssh.sshd
----
Supportive Information
The following resource is also helpful.
This security hardening control applies to the following category of controls within NIST 800-53: Access Control, Identification and Authentication, Maintenance.This control applies to the following type of system Unix.
References
- 800-53|AC-17(2)
- 800-53|AC-19e.
- 800-53|IA-7
- 800-53|MA-4(6)
- CCE|CCE-91011-7, CCI|CCI-000068
- CCI|CCI-000087
- CCI|CCI-000803
- CCI|CCI-002890
- CCI|CCI-003123