{"description": "Limit the ciphers to strong algorithms.\nCounter (CTR) mode is also preferred over cipher-block chaining (CBC) mode.\nThe following line in <tt>/etc/ssh/sshd_config</tt>\ndemonstrates use of those ciphers:\n<pre>Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr</pre>\nThe man page <tt>sshd_config(5)</tt> contains a list of supported ciphers.", "rationale": "Based on research conducted at various institutions, it was determined that the symmetric\nportion of the SSH Transport Protocol (as described in RFC 4253) has security weaknesses\nthat allowed recovery of up to 32 bits of plaintext from a block of ciphertext that was\nencrypted with the Cipher Block Chaining (CBC) method. From that research, new Counter\nmode algorithms (as described in RFC 4344) were designed that are not vulnerable to these\ntypes of attacks and these algorithms are now recommended for standard use.", "severity": "medium", "references": {"cis": ["5.1.6"]}, "control_references": {"cis": ["5.1.6"]}, "components": [], "identifiers": {}, "ocil_clause": "ciphers are not configured or not using strong ciphers", "ocil": "Only strong ciphers should be used. To verify that only strong\nciphers are in use, run the following command:\n<pre>$ sudo grep Ciphers /etc/ssh/sshd_config</pre>\nThe output should contain only those ciphers which are considered strong, namely,\nchacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes128-ctr", "oval_external_content": null, "fixtext": "", "checktext": "", "vuldiscussion": "", "srg_requirement": "", "warnings": [], "conflicts": [], "requires": [], "policy_specific_content": {}, "platform": null, "platforms": [], "sce_metadata": {}, "inherited_platforms": ["system_with_kernel"], "cpe_platform_names": [], "inherited_cpe_platform_names": ["system_with_kernel"], "bash_conditional": null, "fixes": {}, "title": "Use Only Strong Ciphers", "definition_location": "/aptdata/openscap/scap-security-guide/linux_os/guide/services/ssh/ssh_server/sshd_use_strong_ciphers/rule.yml", "template": null}