UCF STIG Viewer Logo

The SSH daemon must be configured to use only FIPS 140-2 approved ciphers.


Finding ID Version Rule ID IA Controls Severity
V-218004 RHEL-06-000243 SV-218004r505923_rule Medium
Approved algorithms should impart some level of confidence in their implementation. These are also required for compliance.
Red Hat Enterprise Linux 6 Security Technical Implementation Guide 2020-09-03


Check Text ( C-19485r377027_chk )
Only FIPS-approved ciphers should be used. To verify that only FIPS-approved ciphers are in use, run the following command:

# grep -i Ciphers /etc/ssh/sshd_config

Ciphers aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,aes192-cbc,aes256-cbc

If any ciphers listed are not FIPS-approved, this is a finding.
Fix Text (F-19483r377028_fix)
Limit the ciphers to those algorithms which are FIPS-approved. Counter (CTR) mode is also preferred over cipher-block chaining (CBC) mode. The following line in "/etc/ssh/sshd_config" demonstrates use of FIPS-approved ciphers:

Ciphers aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,aes192-cbc,aes256-cbc

Note: The man page "sshd_config(5)" contains a list of supported ciphers.