← Rules Catalog
highaccess-controlverified rollback-safe

Configure SSH to use FIPS-approved ciphers

ssh-ciphers-fips · RHEL ≥ 8 · 1 impl

Description

The SSH daemon must be configured to use only FIPS 140-2 validated ciphers for session encryption.

Rationale

FIPS-approved ciphers have been validated for cryptographic strength. Using only approved ciphers ensures encrypted SSH sessions cannot be easily compromised.

Check → Remediate

Checkcommand
if ! command -v sshd >/dev/null 2>&1; then exit 0; fi
ciphers=$(sshd -T 2>/dev/null | awk '/^ciphers /{print $2}')
echo "$ciphers" | tr ',' '\n' | grep -qvE '^(aes128-ctr|aes192-ctr|aes256-ctr|aes128-gcm@openssh\.com|aes256-gcm@openssh\.com)$' && {
  echo "FAIL: non-FIPS cipher in effective config: $ciphers"
  exit 1
}
echo "OK: $ciphers"
expected_exit:
0
Remediateconfig_set_dropin
dir:
/etc/ssh/sshd_config.d
file:
00-kensa-fips-ciphers.conf
key:
Ciphers
value:
aes256-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-gcm@openssh.com,aes128-ctr
restart:
sshd

Framework references

STIG

V-281011 / RHEL-10-300040V-257989 / RHEL-09-255065V-230252

NIST 800-53

SC-12SC-13

Live verification

rhel8:checkrhel9:check
#ssh#fips#ciphers#cryptography#stig