mediumaccess-controlverified ✓rollback-safe
Ensure sshd KexAlgorithms is configured
ssh-approved-kex · RHEL ≥ 8 · 1 impl
Description
The sshd KexAlgorithms directive must specify only approved key exchange algorithms. Every configured algorithm is validated against a configurable allowlist of secure algorithms.
Rationale
Improper SSH KexAlgorithms configuration could weaken the security of remote access to the system. Weak or unapproved key exchange algorithms may be vulnerable to eavesdropping or man-in-the-middle attacks.
Check → Remediate
Checkcommand
approved="{{ ssh_approved_kex }}"
configured=$(sshd -T 2>/dev/null | grep -i '^kexalgorithms ' | awk '{print $2}')
if [ -z "$configured" ]; then echo "FAIL: kexalgorithms not configured"; exit 1; fi
bad=""
for alg in $(echo "$configured" | tr ',' ' '); do
case ",$approved," in
*",$alg,"*) ;;
*) bad="$bad $alg" ;;
esac
done
if [ -n "$bad" ]; then
echo "FAIL: unapproved kex algorithm(s):$bad"
exit 1
fi
echo "OK: all kex algorithms approved ($configured)"
- expected_exit:
- 0
Remediateconfig_set_dropin
- dir:
- /etc/ssh/sshd_config.d
- file:
- 00-kensa-kex.conf
- key:
- KexAlgorithms
- value:
- {{ ssh_approved_kex }}
- restart:
- sshd
Framework references
CIS
rhel9 5.1.5rhel10 5.1.12rhel8 5.1.14
NIST 800-53
AC-17SC-8
Live verification
rhel10:checkrhel8:checkrhel9:check
#ssh#sshd#access-control#cryptography