5.3.16 Ensure only strong Key Exchange algorithms are used - sshd_config

Information

Key exchange is any method in cryptography by which cryptographic keys are exchanged between two parties, allowing use of a cryptographic algorithm. If the sender and receiver wish to exchange encrypted messages, each must be equipped to encrypt messages to be sent and decrypt messages received

Note: The only openSSH 5.3p1 Key Exchange Algorithm currently FIPS 140-2 approved is diffie-hellman-group-exchange-sha256

Rationale:

Key exchange methods that are considered weak should be removed. A key exchange method may be weak because too few bits are used or the hashing algorithm is considered too weak. Using weak algorithms could expose connections to man-in-the-middle attacks

Solution

Edit the /etc/ssh/sshd_config file add/modify the KexAlgorithms line to contain a comma separated list of the site approved key exchange algorithms
Example:

KexAlgorithms diffie-hellman-group-exchange-sha256

Default Value:

kexalgorithms diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1

See Also

https://workbench.cisecurity.org/files/3152

Item Details

Category: SYSTEM AND COMMUNICATIONS PROTECTION

References: 800-53|SC-8, CSCv7|14.4

Plugin: Unix

Control ID: d3eca4a282af1883cbb0b8254f99eaa1f896994af3ce4daf95dbca2254d4bad2