UCF STIG Viewer Logo
Changes are coming to https://stigviewer.com. Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey

The ESXi host Secure Shell (SSH) daemon must use FIPS 140-2 validated cryptographic modules to protect the confidentiality of remote access sessions.


Overview

Finding ID Version Rule ID IA Controls Severity
V-258732 ESXI-80-000014 SV-258732r933257_rule High
Description
Without confidentiality protection mechanisms, unauthorized individuals may gain access to sensitive information via a remote access session. OpenSSH on the ESXi host ships with a FIPS 140-2 validated cryptographic module and it is enabled by default. For backward compatibility reasons, this can be disabled so this setting must be audited and corrected if necessary.
STIG Date
VMware vSphere 8.0 ESXi Security Technical Implementation Guide 2023-10-11

Details

Check Text ( C-62472r933255_chk )
From an ESXi shell, run the following command:

# esxcli system security fips140 ssh get

or

From a PowerCLI command prompt while connected to the ESXi host, run the following commands:

$esxcli = Get-EsxCli -v2
$esxcli.system.security.fips140.ssh.get.invoke()

Expected result:

Enabled: true

If the FIPS mode is not enabled for SSH, this is a finding.
Fix Text (F-62381r933256_fix)
From an ESXi shell, run the following command:

# esxcli system security fips140 ssh set -e true

or

From a PowerCLI command prompt while connected to the ESXi host, run the following commands:

$esxcli = Get-EsxCli -v2
$arguments = $esxcli.system.security.fips140.ssh.set.CreateArgs()
$arguments.enable = $true
$esxcli.system.security.fips140.ssh.set.Invoke($arguments)