← Rules Catalog
mediumaccess-controlverified rollback-safe

Ensure sshd KexAlgorithms is configured

ssh-approved-kex · RHEL ≥ 8 · 1 impl

Description

The sshd KexAlgorithms directive must specify only approved key exchange algorithms. Every configured algorithm is validated against a configurable allowlist of secure algorithms.

Rationale

Improper SSH KexAlgorithms configuration could weaken the security of remote access to the system. Weak or unapproved key exchange algorithms may be vulnerable to eavesdropping or man-in-the-middle attacks.

Check → Remediate

Checkcommand
approved="{{ ssh_approved_kex }}"
configured=$(sshd -T 2>/dev/null | grep -i '^kexalgorithms ' | awk '{print $2}')
if [ -z "$configured" ]; then echo "FAIL: kexalgorithms not configured"; exit 1; fi
bad=""
for alg in $(echo "$configured" | tr ',' ' '); do
  case ",$approved," in
    *",$alg,"*) ;;
    *) bad="$bad $alg" ;;
  esac
done
if [ -n "$bad" ]; then
  echo "FAIL: unapproved kex algorithm(s):$bad"
  exit 1
fi
echo "OK: all kex algorithms approved ($configured)"
expected_exit:
0
Remediateconfig_set_dropin
dir:
/etc/ssh/sshd_config.d
file:
00-kensa-kex.conf
key:
KexAlgorithms
value:
{{ ssh_approved_kex }}
restart:
sshd

Framework references

CIS

rhel9 5.1.5rhel10 5.1.12rhel8 5.1.14

NIST 800-53

AC-17SC-8

Live verification

rhel10:checkrhel8:checkrhel9:check
#ssh#sshd#access-control#cryptography