Versions Compared

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

Product Name

CIS Hardened Image

Product Version

All

Date


Problem

Info

I cannot SSH into my CIS Hardened Imaged after enabling FIPS.

Solution

This is due to recommendation 5.3.15 Ensure only strong Key Exchange algorithms are used being enabled on the system. The hardened Hardened Image report can be found at /home/CIS_Hardened_Reports.

The remediation for this recommendation is located in /etc/ssh/sshd_config. Specifically the line:
KexAlgorithms curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,diffie-hellman-group-exchange-sha256

Two of those algorithms are not FIPS compliant, those are - curve25519-sha256 and curve25519-sha256@libssh.org so - they should need to be removed from the KexAlgorithms list located in /etc/ssh/sshd_config. Once that is done, SSH should be FIPS compliant and will not give any issues when connecting, successful on my end. If you are utilizing keys with those above two algorithms that are removed, you should generate new ones that are FIPS compliant and on that the KexAlgorithms list to connect properly.

Keywords; FIPS

Content by Label

Filter by label (Content by label)
showLabelsfalse
showSpacefalse
cqllabel = "sbp_fer"

Copyright © 2020

Center for Internet Security®


Page Properties
hiddentrue

Action

Name(s)

Date

Linked ticket

Jira Legacy
serverSystem JIRA
serverIdb90ca2a8-9df7-3869-89db-c424866c1b16
keySUPPORT-12691
https://cisecurity.atlassian.net/jira/servicedesk/projects/SUPPORT/queues/custom/135/SUPPORT-14142 https://cisecurity.atlassian.net/jira/servicedesk/projects/SUPPORT/queues/custom/135/SUPPORT-20650

Created by

Nick Romanzo

Reviewed by

Approved by

Remove by