AlmaLinux OS 9 SSH server must be configured to use only FIPS 140-3 validated key exchange algorithms.

STIG ID: ALMA-09-003325  |  SRG: SRG-OS-000250-GPOS-00093 |  Severity: medium |  CCI: CCI-001453 |  Vulnerability Id: V-269117

Vulnerability Discussion

Without cryptographic integrity protections provided by FIPS-validated cryptographic algorithms, information can be viewed and altered by unauthorized users without detection.

AlmaLinux OS 9 incorporates systemwide crypto policies by default. The SSH configuration file has no effect on the ciphers, MACs, or algorithms unless specifically defined in the /etc/sysconfig/sshd file. The employed algorithms can be viewed in the /etc/crypto-policies/back-ends/opensshserver.config file.

The system will attempt to use the first algorithm presented by the client that matches the server list. Listing the values "strongest to weakest" is a method to ensure the use of the strongest algorithm available to secure the SSH connection.

Check

Verify that the SSH server is configured to use only FIPS 140-3 validated key exchange algorithms:

First, ensure that FIPS mode is enabled with the following command:

$ cat /proc/sys/crypto/fips_enabled
1

If the command does not return a "1", then the systemwide crypto policy is not set to FIPS, and this is a finding.

$ sudo grep -i kexalgorithms /etc/crypto-policies/back-ends/opensshserver.config

KexAlgorithms ecdh-sha2-nistp384,ecdh-sha2-nistp256,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha256

If the entries following "KexAlgorithms" have any algorithms defined other than "ecdh-sha2-nistp384,ecdh-sha2-nistp256,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha256", appear in different order than shown, or are missing or commented out, this is a finding.

Fix

Configure the AlmaLinux OS 9 SSH server to use only FIPS 140-3 approved algorithms by updating the "/etc/crypto-policies/back-ends/opensshserver.config" file with the following commands:

Note: Before enabling FIPS mode, ensure that the dracut-fips package is installed on the system.

Enable FIPS mode by updating the system's crypto policy with the following command:
$ sudo update-crypto-policies --set FIPS

Note: If FIPS mode has never been enabled on the system, additional steps will need to be conducted. Refer to vendor documentation.

To manually update the Key Exchange Algorithms in the systemwide SSH configuration, use the following command:

$ sudo sed -i -E '/^KexAlgorithms/s/.*/KexAlgorithms ecdh-sha2-nistp384,ecdh-sha2-nistp256,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha256/' "$(readlink -f /etc/crypto-policies/back-ends/opensshserver.config)"

Reboot the system for the changes to take effect.
This website is not created by, run, approved, or endorsed by the U.S. Department of Defense. Use at your own risk. This website is created by open-source software.