highaccess-controlverified ✓rollback-safe
Configure SSH key exchange algorithms for FIPS
ssh-kex-fips · RHEL ≥ 8 · 1 impl
Description
The SSH daemon must be configured to use only FIPS 140-2 validated key exchange algorithms.
Rationale
FIPS-approved key exchange algorithms ensure secure session key negotiation. Using only validated algorithms prevents key compromise during session establishment.
Check → Remediate
Checkcommand
grep -E '^KexAlgorithms' /etc/ssh/sshd_config | grep -qE 'ecdh-sha2|diffie-hellman-group-exchange-sha256'
- expected_exit:
- 0
Remediateconfig_set
- path:
- /etc/ssh/sshd_config
- key:
- KexAlgorithms
- value:
- ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256
- reload:
- sshd
Framework references
STIG
V-258006 / RHEL-09-255150
NIST 800-53
SC-12SC-13
Live verification
rhel10:checkrhel8:checkrhel9:check
#ssh#fips#key-exchange#cryptography#stig