apple_ssh_and_fips(7)    Miscellaneous Information Manual    apple_ssh_and_fips(7)
apple_ssh_and_fips — Configuring SSH for FIPS algorithms
The macOS version of SSH uses Apple’s FIPS Cryptographic Modules for FIPS 140-2 validated algorithms automatically, with no installation, administration, or configuration required. To restrict the SSH client and server to FIPS algorithms only, customize the configuration of ssh(1) and sshd(8) as directed below.
The default configuration files for ssh(1) and sshd(8) read additional configuration directives from the /etc/ssh/ssh_config.d and /etc/ssh/sshd_config.d directories, respectively. In each of these directories, create a file containing the directives that limit the algorithms used.
For ssh(1), create /etc/ssh/ssh_config.d/fips_ssh_config with the following directives:
Host
Ciphers
HostbasedAcceptedAlgorithms
HostKeyAlgorithms
KexAlgorithms
MACs
PubkeyAcceptedAlgorithms
CASignatureAlgorithms
For sshd(8), create /etc/ssh/sshd_config.d/fips_sshd_config with the following directives:
Ciphers
HostbasedAcceptedAlgorithms
HostKeyAlgorithms
KexAlgorithms
MACs
PubkeyAcceptedAlgorithms
CASignatureAlgorithms
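As an added check that is not part of this manual page: the script below audits a drop-in file for the directive keywords listed above, so that no algorithm class is left unrestricted by an omitted or commented-out line. The sample files it writes are constructed, and their algorithm values are placeholders rather than the FIPS lists.

```shell
#!/bin/sh
# Added example, not part of apple_ssh_and_fips(7): audit a drop-in file for the
# directive keywords the page requires. The sample files are constructed and their
# algorithm values are placeholders, not the FIPS lists (the page prints none).

# Directive keywords the page lists (Host only in the client file).
SSH_DIRECTIVES="Host Ciphers HostbasedAcceptedAlgorithms HostKeyAlgorithms KexAlgorithms MACs PubkeyAcceptedAlgorithms CASignatureAlgorithms"
SSHD_DIRECTIVES="Ciphers HostbasedAcceptedAlgorithms HostKeyAlgorithms KexAlgorithms MACs PubkeyAcceptedAlgorithms CASignatureAlgorithms"

# missing_directives FILE KEYWORD...: print the keywords FILE does not set.
# Keyword match is case-insensitive as in ssh_config(5); a commented-out line
# does not count. Exit status is 0 only when every keyword is present.
missing_directives() {
    file=$1; shift
    missing=""
    for kw in "$@"; do
        grep -qiE "^[[:space:]]*${kw}([[:space:]]|$)" "$file" || missing="$missing $kw"
    done
    printf '%s\n' "${missing# }"
    [ -z "$missing" ]
}

# Constructed sample drop-ins in a scratch directory; the real files belong in
# /etc/ssh/ssh_config.d and /etc/ssh/sshd_config.d as the page directs.
SCRATCH=$(mktemp -d)
SAMPLE_SSH="$SCRATCH/fips_ssh_config"
SAMPLE_SSHD="$SCRATCH/fips_sshd_config"
cat >"$SAMPLE_SSH" <<'EOF'
Host *
Ciphers aes256-gcm@openssh.com
HostbasedAcceptedAlgorithms rsa-sha2-512
HostKeyAlgorithms rsa-sha2-512
KexAlgorithms ecdh-sha2-nistp256
MACs hmac-sha2-256
PubkeyAcceptedAlgorithms rsa-sha2-512
CASignatureAlgorithms rsa-sha2-512
EOF
# The server sample has MACs commented out, so the audit must report it.
sed -e 's/^Host .*$//' -e 's/^MACs/#MACs/' "$SAMPLE_SSH" >"$SAMPLE_SSHD"

for f in "$SAMPLE_SSH" "$SAMPLE_SSHD"; do
    case $f in *sshd*) set -- $SSHD_DIRECTIVES ;; *) set -- $SSH_DIRECTIVES ;; esac
    if m=$(missing_directives "$f" "$@"); then
        echo "$f: all required directives present"
    else
        echo "$f: missing $m"
    fi
done
```

On a configured host, `ssh -G somehost | grep -i '^ciphers '` prints the value the client will actually use, which confirms the drop-in is being read.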
Darwin    17 September, 2021