Having issues with security hardening

Can anyone tell me how to disable these for SSH?
curve25519-sha256
diffie-hellman-group-exchange-sha1
diffie-hellman-group14-sha1

I’ve had some success with modifying the system-wide cryptographic policies for other hardening efforts, but these just won’t go. Also tried modifying the SSH config files; no luck there either…

Thanks,

The only way to change the policy is to either: A) make your own or edit a default one or B) disable system wide cryptography settings for openssh and then you can set the algorithms yourself; this is done by modifying /etc/sysconfig/sshd.

As an aside, in my opinion it does not make sense to disable curve25519-sha256, as it is part of the DEFAULT, FUTURE, and LEGACY crypto profiles.

In el9 the /etc/ssh/sshd_config starts with Include /etc/ssh/sshd_config.d/*.conf, which mostly means /etc/ssh/sshd_config.d/50-redhat*.conf, which in turn includes the system-wide cryptographic policy for sshd.

If one can’t modify the system-wide cryptographic policy enough, then one can add a file, like /etc/ssh/sshd_config.d/00-jdtomzak.conf, and in it set the desired sshd options. (00-* is before 50-*, and sshd uses first occurrences.)

In el8 … does it still take the policy from the environment variable that is set in /etc/sysconfig/sshd?

The post is clearly tagged with Rocky Linux 8, not 9, thus the suggestion for /etc/sysconfig/sshd.

My bad. I should learn to read tags.

Hi,

Thanks for responding.
I have made a sub-policy for other hardening efforts. It worked to get rid of vulnerable ciphers, anyway…
But I haven’t been able to find a guide to removing other items, like these KEX parts for instance. The closest thing I found led to a cut-off page - requires Red Hat support to read the good bits. We are considering opting SSH out, but I hope not. I’m sure at some point these efforts will go beyond just solving for SSH. So, I’d like a more comprehensive solution if possible.

Yes, EL8 has that as well. It’s what ties that conf to the system-wide policy.
Thanks
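The two routes the replies describe (an sshd_config.d drop-in on EL9, and opting sshd out of the system-wide policy via /etc/sysconfig/sshd on EL8), written out as an added example; this is not code from the thread or from the Rocky Linux project. It removes exactly the three KEX methods named in the question. Assumptions: the drop-in file name 00-local-kex.conf is a placeholder, and the sample KexAlgorithms list is constructed for offline use; on a real host you would feed the function the live value from `sshd -T | awk '/^kexalgorithms/{print $2}'` instead.

```shell
#!/bin/sh
# Added example (not from the thread): build a KexAlgorithms override that drops
# the three KEX methods asked about, then emit it the EL9 way (drop-in file) or
# prepare the EL8 way (opt sshd out of the system-wide crypto policy).

# KEX methods to drop, space-separated (the three from the question).
UNWANTED_KEX="curve25519-sha256 diffie-hellman-group-exchange-sha1 diffie-hellman-group14-sha1"

# Constructed sample of an EL8-style DEFAULT KexAlgorithms value, used only
# because this example runs offline. On a real host query sshd instead:
#   sshd -T | awk '/^kexalgorithms/{print $2}'
SAMPLE_KEX="curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1"

# filter_kex LIST: print the comma-separated LIST with every UNWANTED_KEX entry
# removed, preserving the original order. Pure POSIX sh, no external tools.
filter_kex() {
    _list=$1 _out=
    _old_ifs=$IFS
    IFS=,
    for _kex in $_list; do
        IFS=$_old_ifs
        _keep=1
        for _bad in $UNWANTED_KEX; do
            if [ "$_kex" = "$_bad" ]; then
                _keep=0
                break
            fi
        done
        if [ "$_keep" -eq 1 ]; then
            _out=${_out:+$_out,}$_kex
        fi
        IFS=,
    done
    IFS=$_old_ifs
    printf '%s\n' "$_out"
}

# el9_dropin LIST: contents for /etc/ssh/sshd_config.d/00-local-kex.conf (name
# is an assumption). sshd_config starts with "Include /etc/ssh/sshd_config.d/*.conf"
# and sshd keeps the first occurrence of an option, so a 00-* file wins over
# 50-redhat.conf, which is where the system-wide policy is pulled in.
el9_dropin() {
    printf '# Local KEX override: sorts before 50-redhat.conf, first match wins\n'
    printf 'KexAlgorithms %s\n' "$1"
}

# el8_opt_out [FILE]: uncomment "CRYPTO_POLICY=" in /etc/sysconfig/sshd (or FILE)
# so sshd no longer receives the policy's -oKexAlgorithms=... (and -oCiphers=...,
# -oMACs=..., etc.) on its command line. Command-line options beat sshd_config,
# which is why editing sshd_config alone did nothing on EL8. After opting out,
# set KexAlgorithms (and the other algorithm options) in /etc/ssh/sshd_config.
el8_opt_out() {
    _f=${1:-/etc/sysconfig/sshd}
    _tmp=$_f.tmp.$$
    sed 's/^# *CRYPTO_POLICY=.*$/CRYPTO_POLICY=/' "$_f" > "$_tmp" && mv "$_tmp" "$_f"
}

# Demo on the constructed sample: print the drop-in that would go into
# /etc/ssh/sshd_config.d/00-local-kex.conf on EL9.
NEW_KEX=$(filter_kex "$SAMPLE_KEX")
el9_dropin "$NEW_KEX"
```

After writing the file (or editing sshd_config on EL8), validate with `sshd -t`, then confirm the effective value with `sshd -T | grep -i kexalgorithms` before restarting the service; `ssh -Q kex` lists what the binary supports if you need to add something back. Note that opting out on EL8 detaches sshd from the whole policy, not just KEX, so ciphers, MACs and host-key algorithms must then be set explicitly too, and as the reply above points out, dropping curve25519-sha256 removes the one modern non-NIST option from that list.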