Changes are coming to https://stigviewer.com.
Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey
The macOS system must implement approved Key Exchange Algorithms within the SSH server configuration.
Overview
| Finding ID | Version | Rule ID | IA Controls | Severity |
|---|---|---|---|---|
| V-257167 | APPL-13-000056 | SV-257167r919271_rule | High |
| Description |
|---|
| Operating systems using encryption are required to use FIPS-compliant mechanisms for authenticating to macOS. For OpenSSH to utilize the Apple Corecrypto FIPS-validated algorithms, a specific configuration is required to leverage the shim implemented by macOS to bypass the non-FIPS validated LibreSSL crypto module packaged with OpenSSH. Information regarding this configuration can be found in the manual page "apple_ssh_and_fips". Satisfies: SRG-OS-000033-GPOS-00014, SRG-OS-000120-GPOS-00061, SRG-OS-000125-GPOS-00065, SRG-OS-000250-GPOS-00093, SRG-OS-000393-GPOS-00173, SRG-OS-000394-GPOS-00176 |
| STIG | Date |
|---|---|
| Apple macOS 13 (Ventura) Security Technical Implementation Guide | 2023-06-20 |
Details
| Check Text ( C-60852r919270_chk ) |
|---|
| Verify the macOS system is configured to use approved SSH Key Exchange Algorithms within the SSH server configuration with the following command: /usr/bin/sudo /usr/sbin/sshd -T | /usr/bin/grep "kexalgorithms" kexalgorithms ecdh-sha2-nistp256 If any algorithms other than "ecdh-sha2-nistp256" are listed, or the "kexalgorithms" keyword is missing, this is a finding. |
| Fix Text (F-60793r916576_fix) |
|---|
| Configure the macOS system to use approved SSH Key Exchange Algorithms by creating a plain text file in the /private/etc/ssh/sshd_config.d/ directory containing the following: KexAlgorithms ecdh-sha2-nistp256 The SSH service must be restarted for changes to take effect. |