enable strong KexAlgorithms, Ciphers and MACs in /etc/ssh/sshd_config file on RHEL 8.x Linux OS

Bernd Eckenfels ecki at zusammenkunft.net
Sun Jan 28 06:18:53 AEDT 2024


BTW, based on your output it looks like the DEFAULT policy is just fine.
If you really want to turn the ETM HMACs and chacha20 off, you should follow the RHEL security alert

https://access.redhat.com/security/cve/cve-2023-48795
    cipher at SSH = -CHACHA20-POLY1305
    ssh_etm = 0
by putting these lines into `/etc/crypto-policies/policies/modules/CVE-2023-48795.pmod`, applying the resulting subpolicy with `update-crypto-policies --set $(update-crypto-policies --show):CVE-2023-48795` and restarting the OpenSSH server.

However, I would NOT do that (since those ciphers are the modern alternatives),
and instead update to openssh-server-8.0p1-15.el8_6.3.x86_64.rpm
(see https://access.redhat.com/errata/RHSA-2024:0429)

Regards,
Bernd
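A small audit script, added here and not part of the original post, that parses `sshd -T` output and reports whether chacha20-poly1305 and the EtM MACs that the subpolicy above removes are still offered by the server. The two sample outputs embedded in it are constructed to resemble a RHEL 8 DEFAULT policy before and after the subpolicy; on a live host run `sshd -T | python3 sshd_terrapin_audit.py`.

```python
"""Audit `sshd -T` output for the algorithms the CVE-2023-48795 subpolicy
removes: chacha20-poly1305@openssh.com and the *-etm@openssh.com MACs.
Added example, not from the original post; the sample outputs below are
constructed (DEFAULT-like policy before and after the subpolicy)."""
import sys

CHACHA = "chacha20-poly1305@openssh.com"
ETM_SUFFIX = "-etm@openssh.com"

def parse_sshd_t(output: str) -> dict:
    """Map each `sshd -T` line ("keyword value") to its comma-split values."""
    cfg = {}
    for line in output.splitlines():
        parts = line.strip().split(None, 1)
        if len(parts) != 2:
            continue  # blank line or keyword without a value
        cfg[parts[0].lower()] = parts[1].split(",")  # sshd -T prints lowercase keywords
    return cfg

def audit(output: str) -> dict:
    """Report Terrapin-relevant algorithms the server still offers."""
    # The CBC-EtM variant of the attack needs a CBC cipher AND an EtM MAC enabled.
    cfg = parse_sshd_t(output)
    ciphers, macs = cfg.get("ciphers", []), cfg.get("macs", [])
    etm = [m for m in macs if m.endswith(ETM_SUFFIX)]
    cbc = [c for c in ciphers if c.endswith("-cbc")]
    return {
        "chacha20": [c for c in ciphers if c == CHACHA],
        "etm_macs": etm,
        "cbc_etm_pair": bool(etm and cbc),
    }

# Constructed sample: DEFAULT policy before applying the subpolicy.
SAMPLE_DEFAULT = """\
ciphers aes256-gcm@openssh.com,chacha20-poly1305@openssh.com,aes256-ctr,aes256-cbc,aes128-gcm@openssh.com,aes128-ctr,aes128-cbc
macs hmac-sha2-256-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha2-256,hmac-sha1,umac-128@openssh.com,hmac-sha2-512
"""
# Constructed sample: same host after `cipher@SSH = -CHACHA20-POLY1305` and `ssh_etm = 0`.
SAMPLE_SUBPOLICY = """\
ciphers aes256-gcm@openssh.com,aes256-ctr,aes256-cbc,aes128-gcm@openssh.com,aes128-ctr,aes128-cbc
macs hmac-sha2-256,hmac-sha1,umac-128@openssh.com,hmac-sha2-512
"""

if __name__ == "__main__":
    data = SAMPLE_DEFAULT if sys.stdin.isatty() else sys.stdin.read()
    for key, val in audit(data).items():
        print(f"{key}: {val}")
```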


More information about the openssh-unix-dev mailing list