Versions Compared

Old Version 7

changes.mady.by.user Nick Romanzo

Saved on

compared with

New Version 8

changes.mady.by.user Nick Romanzo

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

Product Name

CIS Hardened Image

Product Version

All

Date

Use /date to insert current date

kept internal to be used as needed.

Problem

Info

I cannot SSH into my CIS Hardened Imaged after enabling FIPS.

A Member is required to enable FIPS(Federal Information Processing Standards) on their HI. After rebooting to finish enabling FIPS, the member was no longer able to SSH to their HI.

Solution

Me:

I did some digging and found an article that talks about SSH weirdness when FIPS mode is enabled. It explains why the SSH Key acts weird with FIPS and provides a workaround. Please let me know if it works for you and I will create documentation around this topic. - https://access.redhat.com/discussions/1518473#comment-938243

Device trying to SSH to FIPS enabled target must also have FIPS enable for SSH to be successfull.

Me:

I did some more digging as well, and I believe that you can use SSH with FIPS enabled as long as you are using FIPS-compliant keys/ciphers. However, there may be a Benchmark recommendation that is causing port 22 to become blocked.

I recommend you search through the relating benchmark for the recommendation that may be causing the issue - *insert link to build kit trouble article

I also found this documentation on enabling SSH with FIPS that you may find helpful.

https://docs.microsoft.com/en-us/cpp/linux/set-up-fips-compliant-secure-remote-linux-development?view=msvc-160

https://help.globalscape.com/help/eft7-4/mergedprojects/sftp/Enabling_FIPS_Mode_for_SSH_Connections.htm

Please let me know if you are able to get SSH working!

Solution

This is due to recommendation 5.3.15 Ensure only strong Key Exchange algorithms are used being enabled on the system. The hardened Image report can be found at /home/CIS_Hardened_Reports.

The remediation for this recommendation is located in /etc/ssh/sshd_config. Specifically the line:
KexAlgorithms curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,diffie-hellman-group-exchange-sha256

Two of those algorithms are not FIPS compliant, those are curve25519-sha256 and curve25519-sha256@libssh.org so they should be removed from the KexAlgorithms list. Once that is done, SSH should be FIPS compliant and will not give any issues when connecting, successful on my end. If you are utilizing keys with those algorithms that are removed, you should generate new ones that are FIPS compliant and on that list to connect properly.


Keywords; FIPS

Content by Label

Filter by label (Content by label)
showLabelsfalse
showSpacefalse
cqllabel = "sbp_fer"

Copyright © 2020

Center for Internet Security®

Privacy Policy

Page Properties
hiddentrue

Action

Name(s)

Date

Linked ticket

https://cisecurity.atlassian.net/browse/

Jira Legacy
serverSystem JIRA
serverIdb90ca2a8-9df7-3869-89db-c424866c1b16
keySUPPORT-12691
https://cisecurity.atlassian.net/jira/servicedesk/projects/SUPPORT/queues/custom/135/SUPPORT-14142

Created by

Reviewed by

Approved by

Remove by