Profile Applicability:
 • Level 1

Description:
 The KexAlgorithms option in the SSH daemon (sshd) configuration specifies the key exchange algorithms used during SSH session setup. Configuring strong and secure key exchange algorithms helps protect against cryptographic attacks and ensures the confidentiality and integrity of SSH sessions.

Rationale:
 Using secure key exchange algorithms mitigates risks associated with weak or deprecated algorithms, enhancing the security of encrypted SSH communications.

Impact:
 Pros:

  • Strengthens SSH session security.

  • Protects against man-in-the-middle and cryptographic attacks.

 Cons:

  • May reduce compatibility with older SSH clients that do not support modern algorithms.

Default Value:
 Defaults vary by SSH server version; some may include weaker algorithms unless explicitly configured.

Pre-requisites:

  • Root or sudo privileges to modify SSH daemon configuration.

Remediation:

Test Plan:

Using Linux command line:

Check the current KexAlgorithms setting in /etc/ssh/sshd_config:

grep ^KexAlgorithms /etc/ssh/sshd_config

  1. Review the list of enabled key exchange algorithms.

Implementation Plan:

Using Linux command line:

Edit /etc/ssh/sshd_config:

vi /etc/ssh/sshd_config

Add or update the KexAlgorithms directive with strong algorithms, for example:

KexAlgorithms curve25519-sha256,curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256

Save the file and restart sshd:

systemctl restart sshd

Verify the configuration:

grep ^KexAlgorithms /etc/ssh/sshd_config
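As an added example (not part of this benchmark), the following POSIX shell check extracts the KexAlgorithms value from a config and flags any algorithm outside the strong set recommended above. The approved list is taken from this page; the sample config is constructed, and the function names are this example's own.

```shell
#!/bin/sh
# Approved key exchange algorithms (the list recommended on this page).
APPROVED="curve25519-sha256,curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256"

# extract_kex: print the value of the last KexAlgorithms directive read on stdin.
# sshd matches keywords case-insensitively and tolerates leading whitespace, which a
# plain `grep ^KexAlgorithms` misses; `sshd -T` prints the keyword in lowercase.
extract_kex() {
    awk 'tolower($1) == "kexalgorithms" { v = $2 } END { if (v != "") print v }'
}

# weak_kex: print each algorithm in $1 (comma-separated) that is not in APPROVED.
weak_kex() {
    echo "$1" | tr ',' '\n' | while IFS= read -r alg; do
        case ",$APPROVED," in
            *",$alg,"*) ;;
            *) echo "$alg" ;;
        esac
    done
}

# check_kex: return 0 if every algorithm in $1 is approved, 1 otherwise.
# An empty value means the directive is absent and the server defaults apply.
check_kex() {
    if [ -z "$1" ]; then
        echo "KexAlgorithms not set; server defaults apply"
        return 1
    fi
    bad=$(weak_kex "$1")
    if [ -n "$bad" ]; then
        printf 'Not approved: %s\n' "$(echo "$bad" | tr '\n' ' ')"
        return 1
    fi
    return 0
}

# Constructed sample config: the directive is indented, lowercase, and carries a
# legacy group1/SHA-1 exchange alongside an approved one.
SAMPLE_CONFIG='Port 22
  kexalgorithms curve25519-sha256,diffie-hellman-group1-sha1
PermitRootLogin no'

# On a live host (as root) use the effective config instead: sshd -T | extract_kex
if check_kex "$(printf '%s\n' "$SAMPLE_CONFIG" | extract_kex)"; then
    echo "KexAlgorithms OK"
else
    echo "KexAlgorithms needs remediation"
fi
```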


Backout Plan:

Using Linux command line:

  1. Revert to previous KexAlgorithms settings if necessary.

  2. Restart sshd and verify client compatibility.

References: