The macOS system must limit SSHD to FIPS-compliant connections.

STIG ID: APPL-14-000054  |  SRG: SRG-OS-000033-GPOS-00014 | Severity: high |  CCI: CCI-000068,CCI-000803,CCI-001453,CCI-002421,CCI-002450,CCI-002890,CCI-003123

Vulnerability Discussion

If SSHD is enabled, it must be configured to limit the Ciphers, HostbasedAcceptedAlgorithms,
HostKeyAlgorithms, KexAlgorithms, MACs, PubkeyAcceptedAlgorithms, and CASignatureAlgorithms
directives to algorithms that are FIPS 140 validated.

FIPS 140-2 is the current standard for validating that the mechanisms used to access cryptographic
modules use authentication that meets federal requirements.

Operating systems utilizing encryption must use FIPS validated mechanisms for authenticating to
cryptographic modules.

Note: The manual page apple_ssh_and_fips has additional information on FIPS compliance for the
version of SSHD included in macOS.

Satisfies: SRG-OS-000033-GPOS-00014, SRG-OS-000120-GPOS-00061, SRG-OS-000250-GPOS-00093,
SRG-OS-000393-GPOS-00173, SRG-OS-000394-GPOS-00174, SRG-OS-000396-GPOS-00176,
SRG-OS-000424-GPOS-00188, SRG-OS-000478-GPOS-00223

Check

Verify the macOS system is configured to limit SSHD to FIPS-compliant connections with
the following command:

# One array element per required sshd directive ("Keyword value").
fips_sshd_config=(
  "Ciphers [email protected]"
  "HostbasedAcceptedAlgorithms ecdsa-sha2-nistp256,[email protected]"
  "HostKeyAlgorithms ecdsa-sha2-nistp256,[email protected]"
  "KexAlgorithms ecdh-sha2-nistp256"
  "MACs hmac-sha2-256"
  "PubkeyAcceptedAlgorithms ecdsa-sha2-nistp256,[email protected]"
  "CASignatureAlgorithms ecdsa-sha2-nistp256"
)
total=0
# "${fips_sshd_config[@]}" expands to every element in both zsh and bash
# (a bare $fips_sshd_config yields only the first element under bash).
# sshd -G prints the effective configuration with lower-case keywords,
# hence the case-insensitive grep.
for config in "${fips_sshd_config[@]}"; do
  total=$(expr $(/usr/sbin/sshd -G | /usr/bin/grep -i -c "$config") + $total)
done

echo $total

If the result is not "7", this is a finding.
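The check above counts grep substring matches, so a line such as "macs hmac-sha2-256,hmac-sha2-512" still contributes to the total even though a non-required algorithm is enabled. The following is an added example (not the STIG's own check script) that compares each required directive against the sshd -G output by exact value and names every mismatch; the file names, function names and sample data are constructed for illustration.

```shell
#!/bin/sh
# Added example; not the STIG's own check script. Compares the effective
# sshd configuration (the output of `/usr/sbin/sshd -G`) against a list of
# required "Keyword value" lines, matching each value exactly instead of as a
# grep substring, and names every directive that does not comply.

# check_fips_sshd REQUIRED_FILE EFFECTIVE_FILE
#   REQUIRED_FILE : one "Keyword value" per line, the same format the Fix
#                   writes to /etc/ssh/sshd_config.d/fips_sshd_config
#   EFFECTIVE_FILE: captured output of `/usr/sbin/sshd -G`
# Prints one FINDING line per mismatch on stderr; exit status is the number
# of mismatches, so 0 means every required directive is in effect.
check_fips_sshd() {
    required=$1; effective=$2; findings=0
    while read -r keyword want; do
        [ -z "$keyword" ] && continue
        # sshd -G prints keywords in lower case, so normalise ours first
        key_lc=$(printf '%s' "$keyword" | tr 'A-Z' 'a-z')
        # whole-line match: first field is the keyword, the rest is the value
        have=$(awk -v k="$key_lc" '$1 == k { $1 = ""; sub(/^ +/, ""); print; exit }' "$effective")
        if [ "$have" != "$want" ]; then
            printf 'FINDING: %s is "%s", required "%s"\n' \
                "$keyword" "${have:-<unset>}" "$want" >&2
            findings=$((findings + 1))
        fi
    done < "$required"
    return "$findings"
}

# Constructed sample data (not captured from a real host): two compliant
# directives, a MACs line with a weaker algorithm appended, and a Ciphers
# line set to a value other than the required one. Prints the number of
# findings, which is 2 for this sample.
demo_findings() {
    tmp=$(mktemp -d)
    printf '%s\n' 'KexAlgorithms ecdh-sha2-nistp256' \
                  'MACs hmac-sha2-256' \
                  'CASignatureAlgorithms ecdsa-sha2-nistp256' \
                  'Ciphers aes256-gcm@openssh.com' > "$tmp/required"
    printf '%s\n' 'kexalgorithms ecdh-sha2-nistp256' \
                  'macs hmac-sha2-256,hmac-sha2-512' \
                  'casignaturealgorithms ecdsa-sha2-nistp256' \
                  'ciphers aes128-ctr' > "$tmp/effective"
    if check_fips_sshd "$tmp/required" "$tmp/effective"; then n=0; else n=$?; fi
    rm -rf "$tmp"
    echo "$n"
}

# On a real host: /usr/sbin/sshd -G > /tmp/sshd_effective && \
#   check_fips_sshd /etc/ssh/sshd_config.d/fips_sshd_config /tmp/sshd_effective
```

Because the comparison is exact, a directive that carries any algorithm beyond the required list is reported as a finding, which the substring count above does not detect.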

Fix

Configure the macOS system to limit SSHD to FIPS-compliant connections
with the following command:

fips_sshd_config="Ciphers [email protected]
HostbasedAcceptedAlgorithms ecdsa-sha2-nistp256,[email protected]
HostKeyAlgorithms ecdsa-sha2-nistp256,[email protected]
KexAlgorithms ecdh-sha2-nistp256
MACs hmac-sha2-256
PubkeyAcceptedAlgorithms ecdsa-sha2-nistp256,[email protected]
CASignatureAlgorithms ecdsa-sha2-nistp256"
/bin/echo "${fips_sshd_config}" > /etc/ssh/sshd_config.d/fips_sshd_config