Limiting ssh kex algorithms
I have an issue with limiting kex algorithms on RHEL 8 systems. (On CentOS 7 systems I could adjust KexAlgorithms without problem in sshd_config.)
I tried to disable the non-EC kex algorithms on my test VM. I added a new line to /etc/ssh/sshd_config and restarted sshd:
$ sudo vi /etc/ssh/sshd_config
...
KexAlgorithms curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521
When I check the available kex algorithms with sshd -T, it seems to be OK.
$ sudo sshd -T | grep kex
gssapikexalgorithms gss-group14-sha256-,gss-group16-sha512-,gss-nistp256-sha256-,gss-curve25519-sha256-,gss-group14-sha1-,gss-gex-sha1-
kexalgorithms curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521
But if I check these algorithms with nmap, it reports that diffie-hellman-group* algorithms are available.
$ nmap --script ssh2-enum-algos -sV -p 22 localhost
Starting Nmap 7.70 ( https://nmap.org ) at 2023-03-02 09:14 CET
Nmap scan report for localhost (127.0.0.1)
Host is up (0.00026s latency).
Other addresses for localhost (not scanned): ::1
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.0 (protocol 2.0)
| ssh2-enum-algos:
|   kex_algorithms: (11)
|       curve25519-sha256
|       curve25519-sha256@libssh.org
|       ecdh-sha2-nistp256
|       ecdh-sha2-nistp384
|       ecdh-sha2-nistp521
|       diffie-hellman-group-exchange-sha256
|       diffie-hellman-group14-sha256
|       diffie-hellman-group16-sha512
|       diffie-hellman-group18-sha512
|       diffie-hellman-group-exchange-sha1
|       diffie-hellman-group14-sha1
...
Moreover, ssh can connect to my test VM when forcing the diffie-hellman-group14-sha1 kex.
$ ssh -v -oKexAlgorithms=diffie-hellman-group14-sha1 myserver
...
debug1: kex: algorithm: diffie-hellman-group14-sha1
debug1: kex: host key algorithm: ecdsa-sha2-nistp256
...
How can I correctly disable non-ec kex algorithms in RHEL 8?
Thanks!
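An added check, not part of the original question, that separates what sshd_config says from what the listener actually offers: it diffs the kexalgorithms line of `sshd -T` against nmap's ssh2-enum-algos list and then prints any `-oOption=value` arguments on the running daemon's command line, since command-line options override sshd_config. The layout assumed is RHEL 8's, where the sshd unit starts the daemon as `sshd -D $OPTIONS $CRYPTO_POLICY` with CRYPTO_POLICY filled from /etc/crypto-policies/back-ends/opensshserver.config; the sample inputs are constructed from the question's own outputs.

```shell
# Added example: configured KEX (sshd -T) vs advertised KEX (nmap), plus the
# -o overrides on the live sshd command line. Assumed RHEL 8 layout: unit runs
# `sshd -D $OPTIONS $CRYPTO_POLICY` from /etc/crypto-policies/back-ends/opensshserver.config.

# Configured KEX algorithms from `sshd -T` text on stdin, one per line.
configured_kex() {
    awk '$1 == "kexalgorithms" { n = split($2, a, ","); for (i = 1; i <= n; i++) print a[i] }'
}

# Advertised KEX algorithms from nmap ssh2-enum-algos text on stdin, one per line.
advertised_kex() {
    awk '/kex_algorithms:/ { in_kex = 1; next }
         in_kex && /^[|] +[a-z0-9@.-]+$/ { print $2; next }
         in_kex { in_kex = 0 }'
}

# Algorithms offered on the wire but missing from the sshd -T list.
# $1 = sshd -T output, $2 = nmap output (both passed as strings).
kex_gap() {
    cfg=$(mktemp); adv=$(mktemp)
    printf '%s\n' "$1" | configured_kex > "$cfg"
    printf '%s\n' "$2" | advertised_kex > "$adv"
    awk 'FILENAME == ARGV[1] { ok[$0] = 1; next } !($0 in ok)' "$cfg" "$adv"
    rm -f "$cfg" "$adv"
}

# Any -oOption=value on the live listener's command line (these beat sshd_config).
live_sshd_overrides() {
    for p in /proc/[0-9]*/cmdline; do
        cmd=$(tr '\0' ' ' < "$p" 2>/dev/null) || continue
        case "$cmd" in
            */sbin/sshd" "*) printf '%s\n' "$cmd" | grep -o -- '-o[A-Za-z]*=[^ ]*' || true ;;
        esac
    done
}

# Constructed samples, modelled on the question's own outputs.
SAMPLE_SSHD_T='kexalgorithms curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521'
SAMPLE_NMAP='| ssh2-enum-algos:
|   kex_algorithms: (5)
|       curve25519-sha256
|       curve25519-sha256@libssh.org
|       ecdh-sha2-nistp256
|       diffie-hellman-group14-sha256
|       diffie-hellman-group14-sha1
|   server_host_key_algorithms: (1)'

echo "Advertised on the wire but absent from sshd -T:"; kex_gap "$SAMPLE_SSHD_T" "$SAMPLE_NMAP"
echo "Command-line -o overrides on the running sshd (empty if none):"; live_sshd_overrides
```

If the second list is non-empty on a real host, edit the crypto policy (or the file it points to) rather than sshd_config, because those `-o` arguments win.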
Responses