APPL-15-000054 - The macOS system must limit SSHD to FIPS-compliant connections.

Information

If SSHD is enabled, it must be configured to limit Ciphers, HostbasedAcceptedAlgorithms, HostKeyAlgorithms, KexAlgorithms, MACs, PubkeyAcceptedAlgorithms, and CASignatureAlgorithms to FIPS 140-validated algorithms.

FIPS 140-2/140-3 is the current standard for validating that cryptographic modules, and the mechanisms used to access and authenticate to them, meet federal requirements.

Operating systems using encryption must use FIPS-validated mechanisms for authenticating to cryptographic modules.

NOTE: For more information on FIPS compliance with the version of SSHD included with macOS, see the manual page apple_ssh_and_fips (man apple_ssh_and_fips).

Satisfies: SRG-OS-000033-GPOS-00014, SRG-OS-000120-GPOS-00061, SRG-OS-000250-GPOS-00093, SRG-OS-000393-GPOS-00173, SRG-OS-000394-GPOS-00174, SRG-OS-000396-GPOS-00176, SRG-OS-000424-GPOS-00188, SRG-OS-000478-GPOS-00223

Solution

Configure the macOS system to limit SSHD to FIPS-compliant connections with the following command (run with root privileges):

/bin/ln -fs /etc/ssh/crypto/fips.conf /etc/ssh/crypto.conf

The command replaces the /etc/ssh/crypto.conf link so that it resolves to Apple's FIPS profile instead of the default profile. Existing SSH sessions keep the algorithms they already negotiated; new connections are restricted to the FIPS set. Because the same crypto.conf file is also included by the ssh client configuration, confirm before cutting over that the host key type and the users' authorized key types are in the FIPS profile, or remote administration of the host can be lost.
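As an added verification step (example code written for this page, not part of the STIG or the Tenable plugin), the following POSIX shell script checks the fix two ways: that /etc/ssh/crypto.conf is a symlink to /etc/ssh/crypto/fips.conf, and that every directive in that profile is what sshd actually runs with. It assumes the profile uses sshd_config "Keyword value" syntax and that `sshd -G` prints each keyword in lower case followed by its value; the sample profile and effective configurations used by the demo function are constructed, not copied from Apple's file.

```shell
#!/bin/sh
# Added verification example; not part of the STIG or the Tenable plugin text.
# Checks the APPL-15-000054 fix: the crypto.conf symlink target, and whether
# each directive of the FIPS profile is the value sshd actually runs with.
# Assumptions: the profile uses sshd_config syntax ("Keyword value"), and the
# effective configuration is the output of `sshd -G`, which prints each
# keyword in lower case followed by its value. Demo inputs are constructed.

# check_crypto_symlink LINK TARGET
#   True only when LINK is a symlink whose immediate target string is TARGET
#   (the path exactly as `ln -fs` wrote it).
check_crypto_symlink() {
    [ -L "$1" ] && [ "$(readlink "$1")" = "$2" ]
}

# check_fips_sshd PROFILE EFFECTIVE
#   PROFILE    crypto profile, e.g. /etc/ssh/crypto/fips.conf
#   EFFECTIVE  file holding `sshd -G` output
#   Prints OK/FAIL per directive; returns 0 only when every directive in
#   PROFILE is present in EFFECTIVE with an identical value. A keyword that
#   sshd reports with extra algorithms (a directive earlier in sshd_config
#   wins over the Include) is reported as FAIL, not as a partial pass.
check_fips_sshd() {
    profile=$1
    effective=$2
    failures=0
    while read -r keyword value; do
        case $keyword in
            ''|'#'*) continue ;;      # skip blank lines and comments
        esac
        lc_keyword=$(printf '%s' "$keyword" | tr 'A-Z' 'a-z')
        # sshd -G prints "keyword value"; take everything after the keyword.
        actual=$(awk -v k="$lc_keyword" '$1 == k { sub(/^[^ ]+ /, ""); print; exit }' "$effective")
        if [ "$actual" = "$value" ]; then
            printf 'OK    %s %s\n' "$keyword" "$value"
        else
            printf 'FAIL  %s expected=%s actual=%s\n' "$keyword" "$value" "${actual:-<unset>}"
            failures=$((failures + 1))
        fi
    done < "$profile"
    [ "$failures" -eq 0 ]
}

# demo_fips_check
#   Exercises both checks on constructed files in a temporary directory:
#   a profile with three FIPS-style directives, one effective configuration
#   that matches it, and one where Ciphers still lists a non-FIPS algorithm.
#   Returns 0 when the matching config passes and the widened one fails.
demo_fips_check() {
    dir=$(mktemp -d) || return 1
    cat > "$dir/fips.conf" <<'EOF'
# constructed profile in the style of /etc/ssh/crypto/fips.conf
Ciphers aes128-gcm@openssh.com
KexAlgorithms ecdh-sha2-nistp256
MACs hmac-sha2-256,hmac-sha2-256-etm@openssh.com
EOF
    cat > "$dir/effective_ok.txt" <<'EOF'
port 22
ciphers aes128-gcm@openssh.com
kexalgorithms ecdh-sha2-nistp256
macs hmac-sha2-256,hmac-sha2-256-etm@openssh.com
EOF
    cat > "$dir/effective_bad.txt" <<'EOF'
port 22
ciphers chacha20-poly1305@openssh.com,aes128-gcm@openssh.com
kexalgorithms ecdh-sha2-nistp256
macs hmac-sha2-256,hmac-sha2-256-etm@openssh.com
EOF
    ln -s "$dir/fips.conf" "$dir/crypto.conf"
    result=0
    check_crypto_symlink "$dir/crypto.conf" "$dir/fips.conf" || result=1
    check_fips_sshd "$dir/fips.conf" "$dir/effective_ok.txt" || result=1
    if check_fips_sshd "$dir/fips.conf" "$dir/effective_bad.txt"; then result=1; fi
    rm -rf "$dir"
    return $result
}

demo_fips_check
```

On a macOS host, capture the effective configuration with `/usr/sbin/sshd -G > /tmp/sshd_effective.conf` and then run `check_crypto_symlink /etc/ssh/crypto.conf /etc/ssh/crypto/fips.conf && check_fips_sshd /etc/ssh/crypto/fips.conf /tmp/sshd_effective.conf`. Comparing `sshd -G` output rather than only the link matters because sshd uses the first value it obtains for each keyword: a Ciphers or KexAlgorithms line that appears before the Include of crypto.conf silently wins over the FIPS profile, and only the effective configuration shows that.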

See Also

https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_Apple_macOS_15_V1R1_STIG.zip

Item Details

Category: ACCESS CONTROL, IDENTIFICATION AND AUTHENTICATION, MAINTENANCE, SYSTEM AND COMMUNICATIONS PROTECTION

References: 800-53|AC-17(2), 800-53|IA-7, 800-53|MA-4(6), 800-53|SC-8(1), 800-53|SC-13, CAT|I, CCI|CCI-000068, CCI|CCI-000803, CCI|CCI-001453, CCI|CCI-002421, CCI|CCI-002450, CCI|CCI-002890, CCI|CCI-003123, Rule-ID|SV-268438r1034254_rule, STIG-ID|APPL-15-000054, Vuln-ID|V-268438

Plugin: Unix

Control ID: a0a26817e5fa495be28405d9c0c5ddd5ea201c9ec23a1f31d66dd26a61d2d5c4