← Rules Catalog
mediumaccess-controlverified

Ensure system-wide crypto policy disables chacha20-poly1305 for ssh

ssh-crypto-policy-no-chacha20 · RHEL ≥ 8 · 1 impl

Description

The effective SSH daemon cipher list must not include chacha20-poly1305@openssh.com, which the site crypto policy is expected to disable.

Rationale

Removing chacha20-poly1305 from the SSH cipher set enforces the organization's approved cryptographic posture through the system-wide crypto policy rather than per-service overrides.

Check → Remediate

Checkcommand
if sshd -T 2>/dev/null | grep -i '^ciphers' | grep -q 'chacha20-poly1305'; then
  echo "FAIL: chacha20-poly1305 present in effective sshd ciphers"
  exit 1
fi
echo "OK: chacha20-poly1305 not offered"
expected_exit:
0
Remediatemanual
note:
Adjust the system-wide crypto policy (update-crypto-policies with a custom subpolicy) so the SSH cipher list excludes chacha20-poly1305@openssh.com, then restart sshd.

Framework references

CIS

rhel9 1.6.6rhel8 1.6.5

NIST 800-53

SC-13SC-8

Live verification

rhel9:check
#ssh#crypto-policy#ciphers