UCF STIG Viewer Logo

The SSH daemon must be configured to only use FIPS 140-2 approved ciphers.


Overview

Finding ID Version Rule ID IA Controls Severity
V-22458 GEN005505 SV-41035r1_rule DCNR-1 Medium
Description
DoD information systems are required to use FIPS 140-2 approved ciphers. SSHv2 ciphers meeting this requirement are 3DES and AES.
STIG Date
SOLARIS 9 X86 SECURITY TECHNICAL IMPLEMENTATION GUIDE 2015-10-01

Details

Check Text ( C-27760r1_chk )
Check the SSH daemon configuration for allowed ciphers.
# grep -i ciphers /etc/ssh/sshd_config | grep -v '^#'
If no lines are returned, or the returned ciphers list contains any cipher not starting with 3des or aes, this is a finding.
Fix Text (F-34800r1_fix)
Edit /etc/ssh/sshd_config and change or set the Ciphers line to the following.

Ciphers aes128-ctr, aes192-ctr, aes256-ctr