UCF STIG Viewer Logo
Changes are coming to https://stigviewer.com. Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey

The OL 8 SSH server must be configured to use only ciphers employing FIPS 140-2 validated cryptographic algorithms.


Overview

Finding ID Version Rule ID IA Controls Severity
V-248562 OL08-00-010291 SV-248562r917905_rule Medium
Description
Unapproved mechanisms that are used for authentication to the cryptographic module are not verified and therefore cannot be relied on to provide confidentiality or integrity, and DoD data may be compromised. Operating systems using encryption are required to use FIPS-compliant mechanisms for authenticating to cryptographic modules. FIPS 140-2 is the current standard for validating that mechanisms used to access cryptographic modules use authentication that meets DoD requirements. This allows for Security Levels 1, 2, 3, or 4 for use on a general-purpose computing system. The system will attempt to use the first hash presented by the client that matches the server list. Listing the values "strongest to weakest" is a method to ensure the use of the strongest cipher available to secure the SSH connection.
STIG Date
Oracle Linux 8 Security Technical Implementation Guide 2023-06-02

Details

Check Text ( C-51996r917903_chk )
Verify the OL 8 SSH server is configured to use only ciphers employing FIPS 140-2 approved algorithms with the following command:

$ sudo grep -i ciphers /etc/crypto-policies/back-ends/opensshserver.config

CRYPTO_POLICY='-oCiphers=aes256-ctr,aes192-ctr,aes128-ctr,aes256-gcm@openssh.com,aes128-gcm@openssh.com'

If the cipher entries in the "opensshserver.config" file have any ciphers other than shown here, the order differs from the example above, or they are missing or commented out, this is a finding.
Fix Text (F-51950r917904_fix)
Configure the OL 8 SSH server to use only ciphers employing FIPS 140-2 approved algorithms:

Update the "/etc/crypto-policies/back-ends/opensshserver.config" file to include these ciphers employing FIPS 140-2-approved algorithms:

CRYPTO_POLICY='-oCiphers=aes256-ctr,aes192-ctr,aes128-ctr,aes256-gcm@openssh.com,aes128-gcm@openssh.com'

A reboot is required for the changes to take effect.