Changes are coming to https://stigviewer.com.
Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey
SLEM 5 SSH server must be configured to use only FIPS 140-2/140-3 validated key exchange algorithms.
Overview
| Finding ID | Version | Rule ID | IA Controls | Severity |
|---|---|---|---|---|
| V-261336 | SLEM-05-255055 | SV-261336r996472_rule | High |
| Description |
|---|
| Without cryptographic integrity protections provided by FIPS 140-2/140-3 validated cryptographic algorithms, information can be viewed and altered by unauthorized users without detection. The system will attempt to use the first algorithm presented by the client that matches the server list. Listing the values "strongest to weakest" is a method to ensure the use of the strongest algorithm available to secure the SSH connection. |
| STIG | Date |
|---|---|
| SUSE Linux Enterprise Micro (SLEM) 5 Security Technical Implementation Guide | 2024-06-04 |
Details
| Check Text ( C-65065r996470_chk ) |
|---|
| Verify that the SSH server is configured to use only FIPS 140-2/140-3 validated key exchange algorithms with the following command: > sudo /usr/sbin/sshd -dd 2>&1 | awk '/filename/ {print $4}' | tr -d '\r' | tr '\n' ' ' | xargs sudo grep -iH '^\s*kexalgorithms' KexAlgorithms ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256 If "KexAlgorithms" does not contain the list of algorithms in the exact order, is commented out, missing, or conflicting results are returned, this is a finding. |
| Fix Text (F-64973r996471_fix) |
|---|
| Configure the SSH server to use only FIPS 140-2/140-3 validated key exchange algorithms. Add or modify the following line in the "/etc/ssh/sshd_config" file: KexAlgorithms ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256 Restart the SSH daemon for changes to take effect: > sudo systemctl restart sshd.service |