| apple_ssh_and_fips(7) | Miscellaneous Information Manual | apple_ssh_and_fips(7) |
apple_ssh_and_fips —
Configuring SSH for FIPS algorithms
The macOS version of SSH uses Apple’s FIPS Cryptographic Modules for FIPS 140-2 validated algorithms, automatically without the need for installation, administration, or configuration. To restrict the SSH client and server to use only FIPS algorithms, customize the configuration of ssh(1) and sshd(8) as directed below.
The default configuration files for ssh(1) and sshd(8) read additional configuration directives from the /etc/ssh/ssh_config.d and /etc/ssh/sshd_config.d directories, respectively. Create a file in each of these directories that contain directives to limit the algorithms used.
For ssh(1), create /etc/ssh/ssh_config.d/fips_ssh_config with the following directives:
HostCiphersHostbasedAcceptedAlgorithmsHostKeyAlgorithmsKexAlgorithmsMACsPubkeyAcceptedAlgorithmsCASignatureAlgorithmsFor sshd(8), create /etc/ssh/sshd_config.d/fips_sshd_config with the following directives:
CiphersHostbasedAcceptedAlgorithmsHostKeyAlgorithmsKexAlgorithmsMACsPubkeyAcceptedAlgorithmsCASignatureAlgorithms| 17 September, 2021 | Darwin |