OL08-00-040342 - OL 8 SSH server must be configured to use only FIPS-validated key exchange algorithms.

Information

Without cryptographic integrity protections provided by FIPS-validated cryptographic algorithms, information can be viewed and altered by unauthorized users without detection.

OL 8 incorporates system-wide crypto policies by default. The SSH configuration file has no effect on the ciphers, MACs, or algorithms unless specifically defined in the /etc/sysconfig/sshd file. The employed algorithms can be viewed in the /etc/crypto-policies/back-ends/opensshserver.config file.

The system will attempt to use the first algorithm presented by the client that matches the server list. Listing the values 'strongest to weakest' is a method to ensure the use of the strongest algorithm available to secure the SSH connection.

Solution

Configure the SSH server to use only FIPS-validated key exchange algorithms by adding or modifying the following line in '/etc/crypto-policies/back-ends/opensshserver.config':

-oKexAlgorithms=ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512

A reboot is required for the changes to take effect.

See Also

https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_Oracle_Linux_8_V2R2_STIG.zip

Item Details

Category: ACCESS CONTROL

References: 800-53|AC-17(2), CAT|II, CCI|CCI-001453, Rule-ID|SV-255898r991554_rule, STIG-ID|OL08-00-040342, Vuln-ID|V-255898

Plugin: Unix

Control ID: 1cbab4ed940dbfebf43fb7f7dbe90f74430014ff860b5f9f26aab38ab0129514