UCF STIG Viewer Logo
Changes are coming to https://stigviewer.com. Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey

The macOS system must implement approved ciphers to protect the confidentiality of SSH connections.


Overview

Finding ID Version Rule ID IA Controls Severity
V-257165 APPL-13-000054 SV-257165r905128_rule High
Description
Unapproved mechanisms for authentication to the cryptographic module are not verified and therefore cannot be relied on to provide confidentiality or integrity, resulting in the compromise of DOD data. Operating systems using encryption are required to use FIPS-compliant mechanisms for authenticating to cryptographic modules. The implementation of OpenSSH included with macOS does not use a FIPS 140-2 validated cryptographic module. While the listed ciphers are FIPS 140-2 approved algorithms, the module implementing them has not been validated. By specifying a cipher list with the order of ciphers being in a "strongest to weakest" orientation, the system will automatically attempt to use the strongest cipher for securing SSH connections. Satisfies: SRG-OS-000033-GPOS-00014, SRG-OS-000120-GPOS-00061, SRG-OS-000125-GPOS-00065, SRG-OS-000250-GPOS-00093, SRG-OS-000393-GPOS-00173, SRG-OS-000394-GPOS-00174
STIG Date
Apple macOS 13 (Ventura) Security Technical Implementation Guide 2023-04-12

Details

Check Text ( C-60850r905126_chk )
If SSH is not being used, this is not applicable.

Verify the macOS system is configured to use approved SSH ciphers with the following command:

/usr/bin/sudo /usr/sbin/sshd -T | /usr/bin/grep "^ciphers"

ciphers aes256-ctr,aes192-ctr,aes128-ctr

If any ciphers other than "aes256-ctr", "aes192-ctr", or "aes128-ctr" are listed, the order differs from the example above, or the "Ciphers" keyword is missing, this is a finding.
Fix Text (F-60791r905127_fix)
Configure the macOS system to use approved SSH ciphers with the following command:

/usr/bin/sudo /usr/bin/grep -q '^Ciphers' /etc/ssh/sshd_config && /usr/bin/sudo /usr/bin/sed -i.bak 's/^Ciphers.*/Ciphers aes256-ctr,aes192-ctr,aes128-ctr/' /etc/ssh/sshd_config || /usr/bin/sudo /usr/bin/sed -i.bak '/.*Ciphers and keying.*/a\'$'\nCiphers aes256-ctr,aes192-ctr,aes128-ctr'$'\n' /etc/ssh/sshd_config

The SSH service must be restarted for changes to take effect.