mediumaccess-controlverified ✓
Ensure system-wide crypto policy disables chacha20-poly1305 for ssh
ssh-crypto-policy-no-chacha20 · RHEL ≥ 8 · 1 impl
Description
The effective SSH daemon cipher list must not include chacha20-poly1305@openssh.com, which the site crypto policy is expected to disable.
Rationale
Removing chacha20-poly1305 from the SSH cipher set enforces the organization's approved cryptographic posture through the system-wide crypto policy rather than per-service overrides.
Check → Remediate
Checkcommand
if sshd -T 2>/dev/null | grep -i '^ciphers' | grep -q 'chacha20-poly1305'; then echo "FAIL: chacha20-poly1305 present in effective sshd ciphers" exit 1 fi echo "OK: chacha20-poly1305 not offered"
- expected_exit:
- 0
Remediatemanual
- note:
- Adjust the system-wide crypto policy (update-crypto-policies with a custom subpolicy) so the SSH cipher list excludes chacha20-poly1305@openssh.com, then restart sshd.
Framework references
CIS
rhel9 1.6.6rhel8 1.6.5
NIST 800-53
SC-13SC-8
Live verification
rhel9:check
#ssh#crypto-policy#ciphers