← Rules Catalog
mediumaccess-controlverified

Ensure SSH uses system-wide crypto policy

ssh-crypto-policy · RHEL ≥ 8 · 1 impl

Description

The SSH daemon must not override the system-wide cryptographic policy. RHEL systems use update-crypto-policies to enforce consistent cryptographic standards across all services. Manual Ciphers, MACs, or KexAlgorithms directives in sshd_config bypass this centralized control.

Rationale

Overriding the system crypto policy in sshd_config can introduce weak algorithms that the system administrator has intentionally disabled. An attacker could exploit a manually configured weak cipher or MAC algorithm to decrypt or tamper with SSH traffic, defeating the protections that the system-wide crypto policy was designed to enforce.

Check → Remediate

Checkcommand
grep -Pi "^\s*(Ciphers|MACs|KexAlgorithms|GSSAPIKexAlgorithms|CRYPTO_POLICY)" /etc/ssh/sshd_config /etc/ssh/sshd_config.d/*.conf /etc/sysconfig/sshd 2>/dev/null | grep -v "^#"
expected_exit:
1
Remediatecommand_exec
sed -i "/^\s*CRYPTO_POLICY/d" /etc/sysconfig/sshd 2>/dev/null; sed -i "/^\s*\(Ciphers\|MACs\|KexAlgorithms\|GSSAPIKexAlgorithms\)/d" /etc/ssh/sshd_config
restart:
sshd

Framework references

CIS

rhel8 5.1.1rhel9 1.6.2

STIG

V-281016 / RHEL-10-300090

NIST 800-53

SC-13AC-17(2)

Live verification

rhel10:checkrhel8:checkrhel9:check
#ssh#cryptography#crypto-policy