Limiting ssh kex algorithms


I have an issue with limiting kex algorithms on RHEL 8 systems. (On CentOS 7 systems I could adjust KexAlgorithms without problem in sshd_config.)
I tried to disable the non-EC kex algorithms on my test VM. I added a new line to /etc/ssh/sshd_config and restarted sshd:

$ sudo vi /etc/ssh/sshd_config
KexAlgorithms curve25519-sha256,,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521

When I check the available kex algorithms with sshd -T, it seems to be OK.

$ sudo sshd -T | grep kex
gssapikexalgorithms gss-group14-sha256-,gss-group16-sha512-,gss-nistp256-sha256-,gss-curve25519-sha256-,gss-group14-sha1-,gss-gex-sha1-
kexalgorithms curve25519-sha256,,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521

But if I check these algorithms with nmap, it tells me that diffie-hellman-group* algorithms are available.

$ nmap --script ssh2-enum-algos -sV -p 22 localhost
Starting Nmap 7.70 ( ) at 2023-03-02 09:14 CET
Nmap scan report for localhost (
Host is up (0.00026s latency).
Other addresses for localhost (not scanned): ::1

22/tcp open  ssh     OpenSSH 8.0 (protocol 2.0)
| ssh2-enum-algos:
|   kex_algorithms: (11)
|       curve25519-sha256
|       ecdh-sha2-nistp256
|       ecdh-sha2-nistp384
|       ecdh-sha2-nistp521
|       diffie-hellman-group-exchange-sha256
|       diffie-hellman-group14-sha256
|       diffie-hellman-group16-sha512
|       diffie-hellman-group18-sha512
|       diffie-hellman-group-exchange-sha1
|       diffie-hellman-group14-sha1

Moreover, SSH can connect to my test VM by forcing the diffie-hellman-group14-sha1 kex.

$ ssh -v -oKexAlgorithms=diffie-hellman-group14-sha1 myserver
debug1: kex: algorithm: diffie-hellman-group14-sha1
debug1: kex: host key algorithm: ecdsa-sha2-nistp256

How can I correctly disable non-EC kex algorithms in RHEL 8?



Did you have a look at this documentation?
Can you use update-crypto-policies to restrict this?

Thank you very much. After I set FUTURE mode, only 3 DH algorithms are supported: diffie-hellman-group-exchange-sha256, diffie-hellman-group16-sha512, diffie-hellman-group18-sha512. I think it is reasonable for an audit.
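As an added example (not from this thread or from Red Hat): a small Python probe that performs only the SSH version exchange and decodes the server's KEXINIT name-lists, so you can confirm what the running sshd really offers after changing sshd_config or the crypto policy, independently of sshd -T. The host name passed to server_kexinit and the sample KEXINIT payload are constructed for illustration.

```python
import socket
import struct

SSH_MSG_KEXINIT = 20
NAME_LISTS = ("kex", "host_key", "enc_c2s", "enc_s2c", "mac_c2s", "mac_s2c",
              "comp_c2s", "comp_s2c", "lang_c2s", "lang_s2c")

def parse_kexinit(payload):
    """Decode an SSH_MSG_KEXINIT payload (RFC 4253 section 7.1) into its ten name-lists."""
    if not payload or payload[0] != SSH_MSG_KEXINIT:
        raise ValueError("not a KEXINIT message")
    pos, lists = 17, {}  # skip the message id and the 16-byte cookie
    for name in NAME_LISTS:
        (n,) = struct.unpack(">I", payload[pos:pos + 4])
        raw = payload[pos + 4:pos + 4 + n].decode("ascii")
        lists[name] = raw.split(",") if raw else []
        pos += 4 + n
    return lists

def build_kexinit(lists):
    """Encode name-lists into a KEXINIT payload (used here only to construct test input)."""
    out = bytes([SSH_MSG_KEXINIT]) + b"\x00" * 16
    for name in NAME_LISTS:
        s = ",".join(lists.get(name, [])).encode("ascii")
        out += struct.pack(">I", len(s)) + s
    return out + b"\x00" + b"\x00\x00\x00\x00"  # first_kex_packet_follows, reserved

def server_kexinit(host, port=22, timeout=5):
    """Fetch the running daemon's KEXINIT right after the version exchange; no kex is done."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        f = s.makefile("rb")
        s.sendall(b"SSH-2.0-kexcheck\r\n")
        line = f.readline()
        while line and not line.startswith(b"SSH-"):  # servers may send banner lines first
            line = f.readline()
        (length,) = struct.unpack(">I", f.read(4))
        packet = f.read(length)  # packet[0] is padding_length, padding is at the end
        return parse_kexinit(packet[1:length - packet[0]])

def non_ec_kex(lists):
    """Finite-field DH kex names still offered, i.e. what the question wanted removed."""
    return [k for k in lists["kex"] if k.startswith("diffie-hellman-")]

# Constructed sample payload echoing a subset of the nmap listing above; not a real capture.
SAMPLE_PAYLOAD = build_kexinit({
    "kex": ["curve25519-sha256", "ecdh-sha2-nistp256", "diffie-hellman-group14-sha1"],
    "host_key": ["ecdsa-sha2-nistp256"],
    "enc_c2s": ["aes256-gcm@openssh.com"], "enc_s2c": ["aes256-gcm@openssh.com"],
    "mac_c2s": ["hmac-sha2-256"], "mac_s2c": ["hmac-sha2-256"],
    "comp_c2s": ["none"], "comp_s2c": ["none"],
})
```

Run `non_ec_kex(server_kexinit("myserver"))` against a host you administer; an empty list means no finite-field DH kex is offered by the daemon as actually started, which is the check sshd -T cannot give you when the policy is applied through the service's startup options.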