UCF STIG Viewer Logo

The SUSE operating system SSH server must be configured to use only FIPS-validated key exchange algorithms.


Finding ID Version Rule ID IA Controls Severity
V-255920 SLES-15-040450 SV-255920r880961_rule Medium
Without cryptographic integrity protections provided by FIPS-validated cryptographic algorithms, information can be viewed and altered by unauthorized users without detection. The system will attempt to use the first algorithm presented by the client that matches the server list. Listing the values "strongest to weakest" is a method to ensure the use of the strongest algorithm available to secure the SSH connection.
SUSE Linux Enterprise Server 15 Security Technical Implementation Guide 2022-12-07


Check Text ( C-59597r880959_chk )
Verify that the SSH server is configured to use only FIPS-validated key exchange algorithms:

$ sudo grep -i kexalgorithms /etc/ssh/sshd_config
KexAlgorithms ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256

If "KexAlgorithms" is not configured, is commented out, or does not contain only the algorithms "ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256" in exact order, this is a finding.
Fix Text (F-59540r880960_fix)
Configure the SSH server to use only FIPS-validated key exchange algorithms by adding or modifying the following line in "/etc/ssh/sshd_config":

KexAlgorithms ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256

Restart the "sshd" service for changes to take effect:

$ sudo systemctl restart sshd