← Rules Catalog
mediumaccess-controlverified ✓✓rollback-safe

Configure the SSH client to use FIPS-approved ciphers (Ubuntu)

ssh-client-ciphers-fips-ubuntu · UBUNTU ≥ 22 · 1 impl

Description

The SSH client (/etc/ssh/ssh_config) must be configured to use only FIPS 140-3 approved ciphers.

Rationale

Restricting the SSH client to FIPS-approved ciphers prevents negotiation of a weaker algorithm when this host initiates an SSH connection.

Check → Remediate

Checkcommand
val=$(grep -iE '^[[:space:]]*Ciphers ' /etc/ssh/ssh_config 2>/dev/null | awk '{print $2}' | tail -1)
if [ -z "$val" ]; then
  echo "FAIL: Ciphers not set in /etc/ssh/ssh_config"
  exit 1
fi
if echo "$val" | tr ',' '\n' | grep -qvE '^(aes128-ctr|aes256-ctr|aes128-gcm@openssh\.com|aes256-gcm@openssh\.com)$'; then
  echo "FAIL: non-FIPS ciphers in ssh_config: $val"
  exit 1
fi
echo "OK: $val"
expected_exit:
0
Remediateconfig_set
path:
/etc/ssh/ssh_config
key:
Ciphers
value:
aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes128-ctr
separator:

Framework references

STIG

V-270670 / UBTU-24-100850

NIST 800-53

SC-8SC-13

Live verification

ubuntu24:checkubuntu24:full
#ssh#client#fips#ciphers