← Rules Catalog
highaccess-controlverified rollback-safe

Configure SSH key exchange algorithms for FIPS

ssh-kex-fips · RHEL ≥ 8 · 1 impl

Description

The SSH daemon must be configured to use only FIPS 140-2 validated key exchange algorithms.

Rationale

FIPS-approved key exchange algorithms ensure secure session key negotiation. Using only validated algorithms prevents key compromise during session establishment.

Check → Remediate

Checkcommand
grep -E '^KexAlgorithms' /etc/ssh/sshd_config | grep -qE 'ecdh-sha2|diffie-hellman-group-exchange-sha256'
expected_exit:
0
Remediateconfig_set
path:
/etc/ssh/sshd_config
key:
KexAlgorithms
value:
ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256
reload:
sshd

Framework references

STIG

V-258006 / RHEL-09-255150

NIST 800-53

SC-12SC-13

Live verification

rhel10:checkrhel8:checkrhel9:check
#ssh#fips#key-exchange#cryptography#stig