1.6.2 Ensure system wide crypto policy is not set in sshd configuration

Information

System-wide Crypto policy can be over-ridden or opted out of for openSSH

Over-riding or opting out of the system-wide crypto policy could allow for the use of less secure Ciphers, MACs, KexAlgorithms and GSSAPIKexAlgorithm

Note: If changes to the system-wide crypto policy are required to meet local site policy for the openSSH server, these changes should be done with a sub-policy assigned to the system-wide crypto policy. For additional information see the CRYPTO-POLICIES(7) man page

Solution

Run the following commands:

# sed -ri "s/^s*(CRYPTO_POLICYs*=.*)$/# 1/" /etc/sysconfig/sshd

# systemctl reload sshd

See Also

https://workbench.cisecurity.org/benchmarks/18208

Item Details

Category: ACCESS CONTROL, IDENTIFICATION AND AUTHENTICATION, SYSTEM AND COMMUNICATIONS PROTECTION

References: 800-53|AC-17(2), 800-53|IA-5, 800-53|IA-5(1), 800-53|SC-8, 800-53|SC-8(1), CSCv7|14.4

Plugin: Unix

Control ID: bba43eb5a113608ee4ba7ac840037dbdd4c4fad5500f6d993109d388a7ae013d