Use Only Strong Key Exchange algorithms
An XCCDF Rule
Description
Limit the Key Exchange to strong algorithms.
The following line in /etc/ssh/sshd_config
demonstrates use
of those:
KexAlgorithms
Rationale
Key exchange is any method in cryptography by which cryptographic keys are exchanged between two parties, allowing use of a cryptographic algorithm. If the sender and receiver wish to exchange encrypted messages, each must be equipped to encrypt messages to be sent and decrypt messages received
- ID
- xccdf_org.ssgproject.content_rule_sshd_use_strong_kex
- Severity
- Medium
- References
- Updated
Remediation - Shell Script
# Remediation is applicable only in certain platforms
if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
sshd_strong_kex='<xccdf-1.2:sub xmlns:xccdf-1.2="http://checklists.nist.gov/xccdf/1.2" idref="xccdf_org.ssgproject.content_value_sshd_strong_kex" use="legacy"/>'
Remediation - Ansible
- name: XCCDF Value sshd_strong_kex # promote to variable
set_fact:
sshd_strong_kex: !!str <xccdf-1.2:sub xmlns:xccdf-1.2="http://checklists.nist.gov/xccdf/1.2" idref="xccdf_org.ssgproject.content_value_sshd_strong_kex" use="legacy"/>
tags:
- always