mediumaccess-controlverified ✓
Ensure SSH uses system-wide crypto policy
ssh-crypto-policy · RHEL ≥ 8 · 1 impl
Description
The SSH daemon must not override the system-wide cryptographic policy. RHEL systems use update-crypto-policies to enforce consistent cryptographic standards across all services. Manual Ciphers, MACs, or KexAlgorithms directives in sshd_config bypass this centralized control.
Rationale
Overriding the system crypto policy in sshd_config can introduce weak algorithms that the system administrator has intentionally disabled. An attacker could exploit a manually configured weak cipher or MAC algorithm to decrypt or tamper with SSH traffic, defeating the protections that the system-wide crypto policy was designed to enforce.
Check → Remediate
Checkcommand
grep -Pi "^\s*(Ciphers|MACs|KexAlgorithms|GSSAPIKexAlgorithms|CRYPTO_POLICY)" /etc/ssh/sshd_config /etc/ssh/sshd_config.d/*.conf /etc/sysconfig/sshd 2>/dev/null | grep -v "^#"
- expected_exit:
- 1
Remediatecommand_exec
sed -i "/^\s*CRYPTO_POLICY/d" /etc/sysconfig/sshd 2>/dev/null; sed -i "/^\s*\(Ciphers\|MACs\|KexAlgorithms\|GSSAPIKexAlgorithms\)/d" /etc/ssh/sshd_config
- restart:
- sshd
Framework references
CIS
rhel8 5.1.1rhel9 1.6.2
STIG
V-281016 / RHEL-10-300090
NIST 800-53
SC-13AC-17(2)
Live verification
rhel10:checkrhel8:checkrhel9:check
#ssh#cryptography#crypto-policy