apple_ssh_and_fips(7) | Miscellaneous Information Manual | apple_ssh_and_fips(7) |
apple_ssh_and_fips — Configuring SSH for FIPS algorithms
The macOS version of SSH uses Apple’s FIPS Cryptographic Modules for FIPS 140-2 validated algorithms automatically, with no need for installation, administration, or configuration. To restrict the SSH client and server to FIPS algorithms only, customize the configuration as directed below.
The configuration files for ssh(1) and sshd(8) read the algorithm configuration directives from /etc/ssh/crypto.conf, which should be a symbolic link to either the macOS default algorithm configuration file /etc/ssh/crypto/apple.conf, or to the FIPS-only configuration file /etc/ssh/crypto/fips.conf. To choose FIPS algorithms only, update the symbolic link as follows.
sudo ln -fs crypto/fips.conf /etc/ssh/crypto.conf
To return to the default set of algorithms, which largely prefers FIPS algorithms but allows others as well:
sudo ln -fs crypto/apple.conf /etc/ssh/crypto.conf
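A check that reports which of the two files the link currently selects, given here as an added example that is not part of the Apple manual page. The function name ssh_crypto_mode and the words it prints are assumptions made for this example.

```sh
#!/bin/sh
# Added example: report which algorithm set the crypto.conf link selects.
# Prints fips, default, or a diagnostic word (names chosen for this example).
# Exit status: 0 = FIPS-only, 1 = macOS default, 2 = link is not as documented.
ssh_crypto_mode() {
    link=${1:-/etc/ssh/crypto.conf}

    # The manual says this path should be a symbolic link. A regular file
    # here means it was replaced and the algorithm set cannot be inferred.
    if [ ! -L "$link" ]; then
        if [ -e "$link" ]; then
            echo "not-a-symlink"
        else
            echo "missing"
        fi
        return 2
    fi

    target=$(readlink "$link")

    # -e follows the link, so this catches a link whose target is absent.
    if [ ! -e "$link" ]; then
        echo "dangling:$target"
        return 2
    fi

    # Accept the relative form used by the ln commands above and the
    # equivalent absolute paths named in the manual.
    case "$target" in
        crypto/fips.conf|/etc/ssh/crypto/fips.conf)
            echo "fips"; return 0 ;;
        crypto/apple.conf|/etc/ssh/crypto/apple.conf)
            echo "default"; return 1 ;;
        *)
            echo "unexpected:$target"; return 2 ;;
    esac
}
```

Called with no argument, the function inspects /etc/ssh/crypto.conf. Because the exit status is 0 only when the FIPS-only file is selected, it can gate a compliance script directly.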
17 September, 2021 | Darwin |