Tweak SSH rules for FIPS 186-5 addition of curve25519-sha256 #195

Closed
opened 2026-01-19 18:29:36 +00:00 by michael · 5 comments
Originally created by @GaryGapinski on GitHub.

### Summary

[FIPS 186-5](https://csrc.nist.gov/publications/detail/fips/186/5/final) adds Ed25519 curve in §7. See also NIST [SP 800-186](https://csrc.nist.gov/publications/detail/sp/800-186/final).

### Steps to reproduce

That curve was previously not an approved algorithm.

### Operating System version

Any current or subsequent macOS version with old (older than FIPS 186-5) CMVP validation should exclude `curve25519-sha256` in `KexAlgorithms` in `/etc/ssh/sshd/config`.

Any macOS version after FIPS 186-5 publication should probably† allow `curve25519-sha256` in `KexAlgorithms` in `/etc/ssh/sshd/config`.

† Though the macOS version may not have been validated with that algorithm, so perhaps there is a need to wait for a novel validation.

### Intel or Apple Silicon

[CMVP module validations](https://csrc.nist.gov/projects/cryptographic-module-validation-program/validated-modules/search?SearchMode=Basic&Vendor=Apple&CertificateStatus=Active&ValidationYear=0) can be hardware-specific.

### What is the current *bug* behavior?

Not tested.

### What is the expected *correct* behavior?

`curve25519-sha256` should be allowed in `KexAlgorithms` in `/etc/ssh/sshd/config`.

### Possible fixes

macOS CMVP validation-tracking versions for `os_sshd_fips_compliant.yaml` ([e.g.](https://github.com/usnistgov/macos_security/blob/10705d95975fedf195d73ca1f0200ecc1b5c6158/rules/os/os_sshd_fips_compliant.yaml#L12)).

@robertgendler commented on GitHub:

Closing for now. It's up to Apple to add it to its approved algorithms in SSH.

@GaryGapinski commented on GitHub:

Also, ditch all finite field Diffie-Hellman algorithms (`diffie-hellman-*`) since they are unnecessary and no one bothers to recompute `/etc/ssh/moduli`. Ignore any with an `@`.

@GaryGapinski commented on GitHub:

I agree. I think that means another CMVP validation (in which proper operation is tested). I am not in a position to test macOS FIPS mode but until FIPS 186-5 came out curve25519-sha256 should have been rejected. There are likely other algorithm changes but I haven't had time to closely read 186-5 (which is not an easy read; neither is SP 800-186). But it is usable despite being not previously allowed. Perhaps not in strict FIPS mode.

```
gapinski@flexion-mac-C02FCBVSMD6N macos_security % ssh -Q kex
diffie-hellman-group1-sha1
diffie-hellman-group14-sha1
diffie-hellman-group14-sha256
diffie-hellman-group16-sha512
diffie-hellman-group18-sha512
diffie-hellman-group-exchange-sha1
diffie-hellman-group-exchange-sha256
ecdh-sha2-nistp256
ecdh-sha2-nistp384
ecdh-sha2-nistp521
curve25519-sha256
curve25519-sha256@libssh.org
sntrup761x25519-sha512@openssh.com
gapinski@flexion-mac-C02FCBVSMD6N macos_security %
```
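The two comments above describe a filter (drop the finite-field `diffie-hellman-*` names, ignore anything carrying an `@`, and treat `curve25519-sha256` as allowed only once the installed module's CMVP validation covers the FIPS 186-5 curve) and the `ssh -Q kex` list it would be applied to. The following script is an added example, not code from the issue or from the macos_security project: it applies that filter to a constructed copy of the quoted `ssh -Q kex` output and audits the `KexAlgorithms` directive of an sshd_config-style file against the result. The `allow_25519` yes/no parameter, the function names and the sample config line are this example's own assumptions.

```sh
#!/bin/sh
# Added example; not code from the issue or from the macos_security project.
# Filters the `ssh -Q kex` list as the thread suggests (drop finite-field
# diffie-hellman-*, ignore names carrying an '@') and audits the KexAlgorithms
# directive of an sshd_config-style file against that candidate set.

# Constructed input: the `ssh -Q kex` output quoted in the thread.
SSH_Q_KEX='diffie-hellman-group1-sha1
diffie-hellman-group14-sha1
diffie-hellman-group14-sha256
diffie-hellman-group16-sha512
diffie-hellman-group18-sha512
diffie-hellman-group-exchange-sha1
diffie-hellman-group-exchange-sha256
ecdh-sha2-nistp256
ecdh-sha2-nistp384
ecdh-sha2-nistp521
curve25519-sha256
curve25519-sha256@libssh.org
sntrup761x25519-sha512@openssh.com'

# Print the KEX names that survive the filter, one per line.
# $1 (assumption: "yes" or "no", default "no") states whether the installed
# module's CMVP validation already covers the FIPS 186-5 curve; only then is
# curve25519-sha256 kept. Everything else that survives is ecdh-sha2-*.
fips_kex_candidates() {
    allow_25519=${1:-no}
    printf '%s\n' "$SSH_Q_KEX" | while IFS= read -r kex; do
        case "$kex" in
            diffie-hellman-*) continue ;;   # finite-field DH: depends on /etc/ssh/moduli
            *@*) continue ;;                # vendor-suffixed names are ignored
            curve25519-sha256) [ "$allow_25519" = yes ] || continue ;;
        esac
        printf '%s\n' "$kex"
    done
}

# Audit the first KexAlgorithms directive in file $1 against the candidate set
# built with $2 (same yes/no flag as above). OpenSSH accepts a leading '+', '-'
# or '^' before the list; it is stripped so bare names are compared (a '-' list
# names algorithms to remove, so read its report accordingly).
# Prints each configured algorithm outside the set; returns 0 when all are
# inside, 1 otherwise or when no directive is present.
audit_kex_line() {
    config_file=$1
    allowed=$(fips_kex_candidates "${2:-no}")
    line=$(grep -i '^[[:space:]]*KexAlgorithms[[:space:]]' "$config_file" | head -n 1)
    if [ -z "$line" ]; then
        echo "no KexAlgorithms directive in $config_file (sshd defaults apply)" >&2
        return 1
    fi
    configured=$(printf '%s\n' "$line" | awk '{print $2}' | sed 's/^[-+^]//' | tr ',' '\n')
    rc=0
    for kex in $configured; do
        if ! printf '%s\n' "$allowed" | grep -qxF -- "$kex"; then
            echo "outside candidate set: $kex"
            rc=1
        fi
    done
    return $rc
}

# Usage: sh kex_audit.sh demo   (audits a constructed config written to a temp file)
# or, after sourcing this file: audit_kex_line /etc/ssh/sshd_config yes
if [ "${1:-}" = demo ]; then
    tmp=$(mktemp)
    printf 'KexAlgorithms curve25519-sha256,ecdh-sha2-nistp256,diffie-hellman-group14-sha256\n' > "$tmp"
    audit_kex_line "$tmp" no
    rm -f "$tmp"
fi
```

With `no`, the demo reports both `curve25519-sha256` and `diffie-hellman-group14-sha256` as outside the candidate set; with `yes` only the finite-field name is reported, which mirrors the validation-dependent position the issue takes.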

@robertgendler commented on GitHub:

@GaryGapinski I believe Apple is going to have to update their validated algorithms.


@GaryGapinski commented on GitHub:

https://support.apple.com/guide/certifications/macos-security-certifications-apc35eb3dc4fa/1/web/1.0 has some interesting information.

Reference: usnistgov/macos_security#195