
Product Name: CIS Hardened Image

Product Version: All

Date:


Problem

I cannot SSH into my CIS Hardened Image after enabling FIPS.

Solution

This happens because recommendation 5.3.15, Ensure only strong Key Exchange algorithms are used, is applied on the system. The Hardened Image report can be found at /home/CIS_Hardened_Reports.

The remediation for this recommendation is applied in /etc/ssh/sshd_config, specifically on the line:
KexAlgorithms curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,diffie-hellman-group-exchange-sha256

Two of those algorithms, curve25519-sha256 and curve25519-sha256@libssh.org, are not FIPS compliant, so they should be removed from the KexAlgorithms list. Once that is done, SSH should be FIPS compliant and connect without issues (successful on my end). If you are using keys with the removed algorithms, generate new FIPS-compliant keys that use algorithms on the list in order to connect properly.
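The following script is an added example, not part of this CIS page or of the Hardened Image tooling. It shows one way to apply the remediation above on a copy of sshd_config: it strips the two curve25519 key exchange entries from the KexAlgorithms line, leaves every other entry (and every other line) untouched, and then checks that no non-FIPS algorithm remains. The sample config, the helper names (strip_non_fips_kex, kex_list, has_non_fips_kex) and the use of a temporary copy instead of /etc/ssh/sshd_config are all assumptions made for the example.

```shell
#!/bin/sh
# Added example (not CIS code): remove the non-FIPS curve25519 key exchange
# algorithms from the KexAlgorithms line of an sshd_config and verify the result.
# The script works on a constructed sample file; on a real system the file is
# /etc/ssh/sshd_config and editing it requires root.

# Constructed sample config carrying the KexAlgorithms line from the remediation.
SAMPLE_CONFIG=$(mktemp)
cat > "$SAMPLE_CONFIG" <<'EOF'
Port 22
KexAlgorithms curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,diffie-hellman-group-exchange-sha256
PermitRootLogin no
EOF

# strip_non_fips_kex FILE: drop curve25519-sha256 and curve25519-sha256@libssh.org
# from the KexAlgorithms list in FILE, keeping the remaining entries in order.
strip_non_fips_kex() {
    file="$1"
    tmp=$(mktemp)
    awk '
        /^[ \t]*KexAlgorithms[ \t]/ {
            n = split($2, algs, ",")
            out = ""
            for (i = 1; i <= n; i++) {
                if (algs[i] == "curve25519-sha256" || algs[i] == "curve25519-sha256@libssh.org")
                    continue
                out = (out == "") ? algs[i] : out "," algs[i]
            }
            print "KexAlgorithms " out
            next
        }
        { print }
    ' "$file" > "$tmp" && cat "$tmp" > "$file"
    rm -f "$tmp"
}

# kex_list FILE: print the comma-separated value of the first KexAlgorithms line.
kex_list() {
    awk '/^[ \t]*KexAlgorithms[ \t]/ { print $2; exit }' "$1"
}

# has_non_fips_kex FILE: succeed (exit 0) if a curve25519 key exchange is still listed.
has_non_fips_kex() {
    kex_list "$1" | tr ',' '\n' | grep -q -E '^curve25519-sha256(@libssh\.org)?$'
}

# Demonstration on a copy of the sample, so the sample itself stays unchanged.
WORK=$(mktemp)
cp "$SAMPLE_CONFIG" "$WORK"
echo "Before: $(kex_list "$WORK")"
strip_non_fips_kex "$WORK"
echo "After:  $(kex_list "$WORK")"
if has_non_fips_kex "$WORK"; then
    echo "Non-FIPS key exchange still configured"
else
    echo "KexAlgorithms list contains no curve25519 entries"
fi
rm -f "$WORK"
```

After editing the real /etc/ssh/sshd_config, validate the file with `sshd -t` before restarting the service, so a typo in the list does not lock out every connection; `ssh -Q kex` lists the key exchange algorithms the installed OpenSSH actually supports, which is useful for confirming that everything left in the list is available in FIPS mode.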


Keywords: FIPS


Copyright © 2020

Center for Internet Security®
