How to Disable AES128 Ciphers in SSH Daemon on ESXi 8.0 U3 to Enforce FIPS-Compliant Cipher Suites



Article ID: 401837


Products

VMware vSphere ESXi

Issue/Introduction

In environments that must comply with FIPS 140-2 or FIPS 140-3, organizations may need to restrict the cryptographic algorithms that SSH services accept. AES-128 is itself a FIPS-approved algorithm, but an organizational policy may mandate a minimum key length of 192 or 256 bits, in which case the AES128 ciphers have to be removed from the SSH daemon configuration.

This article describes how to disable the AES128 ciphers (aes128-gcm@openssh.com and aes128-ctr) for the SSH daemon on ESXi 8.0 U3 (Build 24585383).

Environment

VMware ESXi 8.0 U3x

Cause

By default, the SSH daemon cipher list includes the AES128-based ciphers aes128-gcm@openssh.com and aes128-ctr. These may not satisfy security compliance requirements that mandate a minimum AES key length, so customers may need to enforce a stricter cipher set.

Resolution

Step 1: Verify current cipher configuration

esxcli system ssh server config list | grep -i ciphers

Step 2: Confirm FIPS mode is enabled

esxcli system security fips140 ssh get

Expected output:
Enabled: true

Step 3: Update cipher list to remove AES128 ciphers

Execute the following command to keep only the AES256 and AES192 ciphers:

esxcli system ssh server config set --keyword ciphers --value aes256-gcm@openssh.com,aes256-ctr,aes192-ctr

Step 4: Restart the SSH service

/etc/init.d/SSH restart

Step 5: Confirm the updated cipher list

esxcli system ssh server config list | grep -i ciphers
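The following script is an added example and is not part of this article or of VMware's tooling. It wraps Steps 1 to 5 so the cipher list is derived from the host's current value rather than typed by hand: it strips every cipher whose name starts with aes128, refuses to apply an empty list (which would lock every client out), applies the result with the same esxcli keyword used above, restarts SSH, and re-reads the list to confirm no AES128 cipher remains. It assumes ESXi 8.0 U3, that esxcli system ssh server config list prints a two-column "Key Value" table, and the cipher names used in this article; the SAMPLE_CIPHERS value is constructed sample input, not captured from a host. Host-changing commands only run when ESXI_APPLY=1 is set, so the script can be dry-run anywhere.

```shell
#!/bin/sh
# Added example, not from the KB article or VMware: derive a cipher list
# without AES128 from the host's current value, refuse an empty result, apply
# it via esxcli, restart SSH and verify. Assumptions: ESXi 8.0 U3, and that
# `esxcli system ssh server config list` prints a "Key Value" table.
set -eu

# Constructed sample value resembling a default ESXi 8 cipher row; it is not
# captured from a real host.
SAMPLE_CIPHERS='aes128-gcm@openssh.com,aes256-gcm@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr'

# strip_aes128: read a comma-separated cipher list from stdin and print it
# without any cipher whose name starts with "aes128".
strip_aes128() {
    awk -F, '{
        out = ""
        for (i = 1; i <= NF; i++)
            if ($i !~ /^aes128/) out = (out == "" ? $i : (out "," $i))
        print out
    }'
}

# has_aes128: exit 0 if the list given as $1 still contains an AES128 cipher.
has_aes128() {
    printf '%s\n' "$1" | tr ',' '\n' | grep -q '^aes128'
}

# planned_cipher_list: compute the hardened list for $1; fail if it is empty,
# because setting an empty cipher list would reject every SSH client.
planned_cipher_list() {
    new=$(printf '%s\n' "$1" | strip_aes128)
    [ -n "$new" ] || { echo "refusing to set an empty cipher list" >&2; return 1; }
    printf '%s\n' "$new"
}

# current_ciphers: read the live "ciphers" value from the host (assumed table
# format: key in column 1, comma-separated value in column 2).
current_ciphers() {
    esxcli system ssh server config list | awk '$1 == "ciphers" { print $2 }'
}

# apply_on_host: Steps 1 to 5 of the article, driven by the live value.
apply_on_host() {
    # Step 2: warn (do not abort) if FIPS mode for SSH is not enabled.
    esxcli system security fips140 ssh get | grep -q 'Enabled: true' \
        || echo "warning: FIPS mode for SSH is not enabled" >&2
    before=$(current_ciphers)                       # Step 1
    after=$(planned_cipher_list "$before")
    esxcli system ssh server config set --keyword ciphers --value "$after"  # Step 3
    /etc/init.d/SSH restart                         # Step 4
    now=$(current_ciphers)                          # Step 5
    if has_aes128 "$now"; then
        echo "AES128 still present after update: $now" >&2
        return 1
    fi
    echo "ciphers before: $before"
    echo "ciphers now:    $now"
}

if [ "${ESXI_APPLY:-0}" = "1" ]; then
    apply_on_host
else
    echo "dry run: $SAMPLE_CIPHERS -> $(planned_cipher_list "$SAMPLE_CIPHERS")"
fi
```

Run it on the host as ESXI_APPLY=1 sh ./harden-ssh-ciphers.sh from a session you keep open. Then, from a management workstation, confirm the result from the client side: ssh -o Ciphers=aes128-ctr root@<esxi-host> should now fail with "no matching cipher found", while a normal ssh root@<esxi-host> still succeeds. ssh -Q cipher lists the ciphers your OpenSSH client can offer, which is the quickest way to check a client against the remaining server list.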


Important Notes:

Ensure that every SSH client and automation tool used to connect to the host supports at least one of the remaining ciphers; a client that only offers AES128 will be rejected with a "no matching cipher found" error. Keep your current SSH session open and test a fresh login after the restart, so that a mistake in the cipher list cannot lock you out of the host.

Changes made with esxcli system ssh server config set persist across reboots.