Product Name
CIS Hardened Image
Product Version
All
Date
Problem
I cannot SSH into my CIS Hardened Imaged after enabling FIPS.
Solution
This is due to recommendation 5.3.15 Ensure only strong Key Exchange algorithms are used
being enabled on the system. The Hardened Image report can be found at /home/CIS_Hardened_Reports.
The remediation for this recommendation is located in /etc/ssh/sshd_config. Specifically the line:KexAlgorithms curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,diffie-hellman-group-exchange-sha256
Two of those algorithms are not FIPS compliant, those are - curve25519-sha256 and curve25519-sha256@libssh.org - they need to be removed from the KexAlgorithms list located in /etc/ssh/sshd_config. Once that is done, SSH should be FIPS compliant and will not give any issues when connecting. If you are utilizing keys with those above two algorithms that are removed, you should generate new ones that are FIPS compliant and on the KexAlgorithms list to connect properly.
Add Comment