Having issues with security hardening

jdtomzak · November 1, 2023, 5:01pm

Can anyone tell me how to disable these for SSH?
curve25519-sha256
diffie-hellman-group-exchange-sha1
diffie-hellman-group14-sha1

I’ve had some success with modifying the system-wide cryptographic policies for other hardening efforts but these just wont go. Also, tried modifying the SSH config files, no luck there either…

Thanks,

nazunalika · November 1, 2023, 7:11pm

The only way to change the policy is to either: A) make your own or edit a default one or B) disable system wide cryptography settings for openssh and then you can set the algorithms yourself; this is done by modifying /etc/sysconfig/sshd.

As an aside, in my opinion it does not make sense to disable curve25519-sha256 as it is part of default, future, and legacy crypto profiles.

jlehtone · November 1, 2023, 7:28pm

In el9 the /etc/ssh/sshd_config starts with Include /etc/ssh/sshd_config.d/*.conf
which mostly means /etc/ssh/sshd_config.d/50-redhat*.conf that in turn
includes the system-wide cryptographic policy for sshd.

If one can’t modify the system-wide cryptographic policy enough, then
one can add a file, like /etc/ssh/sshd_config.d/00-jdtomzak.conf and in it set
desired sshd options. (00-* is before 50-* and sshd uses first occurrences.)

In el8 … does it still take policy from environment variable that is set in /etc/sysconfig/sshd?

nazunalika · November 1, 2023, 7:39pm

The post is clearly tagged with Rocky Linux 8, not 9, thus the suggestion for /etc/sysconfig/sshd.

jlehtone · November 1, 2023, 7:41pm

My bad. I should learn to read tags.

jdtomzak · November 1, 2023, 8:00pm

Hi,

Thanks for responding.
I have made a sub policy for other hardening efforts. It worked to get rid of vulnerable ciphers anyway…
But I havent been able to find a guide to removing other items, like these KEX parts for instance. The closest thing I found let to a cut off page - requires Redhat support to read the good bits. We are considering opting SSH out but I hope not. I’m sure at some point these efforts will go beyond just solving for SSH. So, I’d like a more comprehensive solution if possible.

jdtomzak · November 1, 2023, 8:01pm

Yes, EL8 has that as well. Its what ties that conf to the system-wide policy.
Thanks

system · December 31, 2023, 8:02pm

This topic was automatically closed 60 days after the last reply. New replies are no longer allowed.