sshd ignores Ciphers, MACs, and KexAlgorithms in /etc/ssh/sshd_config on RHEL 9

Solution Verified - Updated 21 Oct 2024

Environment

Red Hat Enterprise Linux 9
openssh-server
crypto-policies

Issue

On RHEL 9, sshd ignores Ciphers, MACs, and KexAlgorithms in /etc/ssh/sshd_config, along with the crypto-policies system opt-out CRYPTO_POLICY= line in /etc/sysconfig/sshd.

Resolution

Make a new /etc/ssh/sshd_config.d/49-crypto-policy-override.conf file and migrate over any configuration for the following keywords in /etc/ssh/sshd_config:
```
CASignatureAlgorithms
Ciphers
GSSAPIKexAlgorithms
GSSAPIKeyExchange
HostKeyAlgorithms
KexAlgorithms
MACs
PubkeyAcceptedAlgorithms
RequiredRSASize
```

Root Cause

Opt-out configuration for crypto-policies is different in RHEL 8 and RHEL 9.
- The CRYPTO_POLICY= line in /etc/sysconfig/sshd is ignored in RHEL 9.
- RHEL 9 opt-out configuration is described in Examples of opting out of system-wide crypto policies
openssh uses the first instance of a keyword. Any later occurrence is ignored. After /etc/crypto-policies/back-ends/opensshserver.config is included, any instances of the same keywords in /etc/ssh/sshd_config are ignored.

SBR

Services

Product(s)

Red Hat Enterprise Linux

Components

openssh

Category

Troubleshoot

Tags

rhel_9

This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.