The SSH daemon must be configured to only use FIPS 140-2 approved ciphers.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-22458	GEN005505	SV-35216r1_rule	DCNR-1	Medium

Description
DoD information systems are required to use FIPS 140-2 approved ciphers. SSHv2 ciphers meeting this requirement are 3DES and AES.

STIG	Date
HP-UX 11.31 Security Technical Implementation Guide	2016-12-20

Details

Check Text ( C-36633r1_chk )
Check the SSH daemon configuration for allowed ciphers. Note that keywords are case-insensitive and arguments (args) are case-sensitive. keyword=Ciphers arg(s)= Default values include: "aes128-cbc,aes192-cbc,aes256-cbc,aes128-ctr,aes192-ctr,aes256-ctr,3des-cbc,arcfour,arcfour128,arcfour256blowfish-cbc,cast128-cbc". For this check, all keyword values ending with the suffix "-cbc" are disallowed, IE: 3des-cbc. As the vendor does not currently support 3des-ctr, the only current allowed keyword values begin with the prefix "aes" and terminate with the suffix "-ctr". Note: When the default "arg" value exactly matches the required "arg" value (see above), the entry is not required to exist (commented or uncommented) in the ssh (client) or sshd (server) configuration file. While not required, it is recommended that the configuration file(s) be populated with all keywords and assigned arg values as a means to explicitly document the ssh(d) binary's expected behavior. Examine the file. # cat /opt/ssh/etc/sshd_config \| tr '\011' ' ' \| tr -s ' ' \| sed -e 's/^[ \t]*//' \| grep -v '^#' \| egrep -i "ciphers" All ciphers present in the returned ciphers line entry must be prefixed by 3des or aes and end with the suffix "-ctr" or this is a finding.

Check Text ( C-36633r1_chk )

Check the SSH daemon configuration for allowed ciphers. Note that keywords are case-insensitive and arguments (args) are case-sensitive.

keyword=Ciphers
arg(s)=

Default values include: "aes128-cbc,aes192-cbc,aes256-cbc,aes128-ctr,aes192-ctr,aes256-ctr,3des-cbc,arcfour,arcfour128,arcfour256blowfish-cbc,cast128-cbc".

For this check, all keyword values ending with the suffix "-cbc" are disallowed, IE: 3des-cbc. As the vendor does not currently support 3des-ctr, the only current allowed keyword values begin with the prefix "aes" and terminate with the suffix "-ctr".

Note: When the default "arg" value exactly matches the required "arg" value (see above), the entry is not required to exist (commented or uncommented) in the ssh (client) or sshd (server) configuration file. While not required, it is recommended that the configuration file(s) be populated with all keywords and assigned arg values as a means to explicitly document the ssh(d) binary's expected behavior.

Examine the file.
# cat /opt/ssh/etc/sshd_config | tr '\011' ' ' | tr -s ' ' | sed -e 's/^[ \t]*//' | grep -v '^#' | egrep -i "ciphers"

All ciphers present in the returned ciphers line entry must be prefixed by 3des or aes and end with the suffix "-ctr" or this is a finding.

Fix Text (F-32003r1_fix)
Edit the configuration file and remove any ciphers that do not meet the following: 3des-ctr or aes-NNN-ctr (NNN=128, 192 or 256). If necessary, add the Ciphers entry with one or more of the above keyword values.