Product Name
CIS Hardened Image
Product Version
All
DateUse /date
to insert current date
Problem
Info |
---|
I cannot SSH after enabling FIPS |
A Member is required to enable FIPS(Federal Information Processing Standards) on their HI. After rebooting to finish enabling FIPS, the member was no longer able to SSH to their HI.
Solution
Me:
I did some digging and found an article that talks about SSH weirdness when FIPS mode is enabled. It explains why the SSH Key acts weird with FIPS and provides a workaround. Please let me know if it works for you and I will create documentation around this topic. - https://access.redhat.com/discussions/1518473#comment-938243
Member:
I’ve convert ssh key to FIPS compatible and tried to login to instance but got a same error.
After digging, found that port 22 is closed after enabling FIPS.
nmap 10.21.12.81.
Starting Nmap 6.40 (
http://nmap.org ) at 2021-06-02 06:28 UTC
Nmap scan report for ip-10-21-12-81.us-east-2.compute.internal (10.21.12.81)
Host is up (0.00052s latency).
Not shown: 998 filtered ports
PORT STATE SERVICE
22/tcp closed ssh
80/tcp open http
Nmap done: 1 IP address (1 host up) scanned in 6.04 seconds
Me:
I did some more digging as well, and I believe that you can use SSH with FIPS enabled as long as you are using FIPS-compliant keys/ciphers. However, there may be a Benchmark recommendation that is causing port 22 to become blocked.
I recommend you search through the relating benchmark for the recommendation that may be causing the issue - *insert link to build kit trouble article
I also found this documentation on enabling SSH with FIPS that you may find helpful.
Please let me know if you are able to get SSH working!into my CIS Hardened Imaged after enabling FIPS. |
Solution
This is due to recommendation Ensure only strong Key Exchange algorithms are used
being enabled on the system. The Hardened Image report can be found at /home/CIS_Hardened_Reports.
The remediation for this recommendation is located in /etc/ssh/sshd_config. Specifically the line:KexAlgorithms curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,diffie-hellman-group-exchange-sha256
Two of those algorithms are not FIPS compliant, those are - curve25519-sha256 and curve25519-sha256@libssh.org - they need to be removed from the KexAlgorithms list located in /etc/ssh/sshd_config. Once that is done, SSH should be FIPS compliant and will not give any issues when connecting. If you are utilizing keys with those above two algorithms that are removed, you should generate new ones that are FIPS compliant and on the KexAlgorithms list to connect properly.
Keywords; FIPS
Content by Label
Filter by label (Content by label) | ||||||
---|---|---|---|---|---|---|
|
Page Properties | ||||||||||||||||||||||||||||
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| ||||||||||||||||||||||||||||
|