enable strong KexAlgorithms, Ciphers and MACs in /etc/ssh/sshd_config file on RHEL 8.x Linux OS
Bernd Eckenfels
ecki at zusammenkunft.net
Sun Jan 28 06:18:53 AEDT 2024
BTW based on your output it looks like the DEFAULT policy is just fine.
If you really want to turn etm HMAC and chacha20 off, you should follow the RHEL security alert
https://access.redhat.com/security/cve/cve-2023-48795
cipher@SSH = -CHACHA20-POLY1305
ssh_etm = 0
by putting these lines into `/etc/crypto-policies/policies/modules/CVE-2023-48795.pmod`, applying the resulting subpolicy with `update-crypto-policies --set $(update-crypto-policies --show):CVE-2023-48795` and restarting openssh server.
However I would NOT do that (since those ciphers are the modern alternatives),
and instead update to openssh-server-8.0p1-15.el8_6.3.x86_64.rpm
(see https://access.redhat.com/errata/RHSA-2024:0429)
Gruss
Bernd
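
Added example, not part of the original message: a check that the effective sshd settings no longer offer the two things the subpolicy above turns off (the chacha20-poly1305 cipher and the -etm MACs). It assumes input in the format printed by `sshd -T`; the function name and the sample settings are constructed for illustration.

```shell
#!/bin/sh
# terrapin_offered: reads `sshd -T` style text on stdin (assumed format:
# lowercase keyword, space, comma-separated list). Prints one line per
# algorithm the subpolicy is meant to remove; returns 1 if any is still
# offered, 0 if none is.
terrapin_offered() {
    awk '
        $1 == "ciphers" {
            n = split($2, a, ",")
            for (i = 1; i <= n; i++)
                if (a[i] == "chacha20-poly1305@openssh.com") {
                    print "cipher " a[i]; bad = 1
                }
        }
        $1 == "macs" {
            n = split($2, a, ",")
            for (i = 1; i <= n; i++)
                if (a[i] ~ /-etm@openssh\.com$/) {
                    print "mac " a[i]; bad = 1
                }
        }
        END { exit (bad ? 1 : 0) }
    '
}

# Constructed sample: effective settings before the subpolicy is applied.
SAMPLE_BEFORE='port 22
ciphers aes256-gcm@openssh.com,chacha20-poly1305@openssh.com,aes256-ctr
macs hmac-sha2-256-etm@openssh.com,hmac-sha2-256,hmac-sha2-512-etm@openssh.com'

# Constructed sample: the same lists after the subpolicy is applied.
SAMPLE_AFTER='port 22
ciphers aes256-gcm@openssh.com,aes256-ctr
macs hmac-sha2-256,hmac-sha2-512'

# Demo on the constructed samples.
printf '%s\n' "$SAMPLE_BEFORE" | terrapin_offered || echo "before: still offered"
printf '%s\n' "$SAMPLE_AFTER" | terrapin_offered && echo "after: none offered"
```

On a real host, run it as root after restarting the server: `sshd -T | terrapin_offered`.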