Description of problem:
are ignored. The man page states this shall remove these ciphers from sshd.
# sshd -T | grep -i cipher
but if a client connects using one of the non-announced ciphers, it will be used by sshd.
Version-Release number of selected component (if applicable):
OpenSSH_7.8p1, OpenSSL 1.1.0i-fips 14 Aug 2018
Steps to Reproduce:
1. Install OpenSSH
2. Configure /etc/ssh/sshd_config to include one of
3. Test with "sshd -T | grep -i cipher" -> sshd reports that it no longer supports any *-cbc based ciphers.
4. Connect using one of these unsupported ciphers.
Actual results:
Connection with one of the unsupported ciphers succeeds.

Expected results:
Connection with one of the unsupported ciphers shall fail.
With sshd on Fedora 27 this worked as expected.
Fedora 29, OpenSSH_7.9p1, OpenSSL 1.1.1 FIPS 11 Sep 2018
Same problem: ciphers disabled, but supported.
This is because of the crypto-policy, which sets the default ciphers on the sshd command line (because of the lack of an Include directive in sshd); these take precedence over the configuration file and are loaded through the
$ systemctl cat sshd
To opt out, you can modify the environment file as advised, and then your Ciphers setting should become effective:
# cat /etc/sysconfig/sshd
# System-wide crypto policy:
# To opt-out, uncomment the following line
For more information, see
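The following is an added illustration, not code from OpenSSH, crypto-policies or this bug report. It models why the reporter's "sshd -T" output and the live daemon disagree: sshd_config(5) says the first obtained value for a keyword is used, and the -o options that CRYPTO_POLICY puts on the ExecStart command line are processed before the configuration file is read, so a "Ciphers -..." line in sshd_config never takes effect while the policy is active. A "-" prefix removes patterns from the default set and "+" appends to it, as documented for the Ciphers keyword. The default cipher list, the policy command line and the client's offer below are constructed stand-ins, not the real Fedora values.

```python
"""Model of how sshd resolves its effective Ciphers list.

Added example, not code from OpenSSH, crypto-policies or the bug report.
Rules modelled (from sshd(8) / sshd_config(5)):
  * for each keyword the first obtained value is used, and -o options on the
    command line are processed before the configuration file is read;
  * a Ciphers value beginning with '-' removes the listed patterns from the
    default set, one beginning with '+' appends to it, anything else replaces it.
"""
from fnmatch import fnmatch
import re
import shlex

# Constructed stand-in for sshd's compiled-in default cipher list.
DEFAULT_CIPHERS = [
    "chacha20-poly1305@openssh.com",
    "aes128-ctr", "aes192-ctr", "aes256-ctr",
    "aes128-gcm@openssh.com", "aes256-gcm@openssh.com",
    "aes128-cbc", "aes192-cbc", "aes256-cbc",
]

# Constructed stand-in for what CRYPTO_POLICY in /etc/sysconfig/sshd adds to
# the command line; the real value is longer and also sets MACs and KexAlgorithms.
POLICY_CMDLINE = ("-oCiphers=aes256-gcm@openssh.com,chacha20-poly1305@openssh.com,"
                  "aes256-ctr,aes128-gcm@openssh.com,aes128-ctr,aes256-cbc,aes128-cbc")

# The reporter's intent: drop every CBC cipher from the default set.
SSHD_CONFIG = "Ciphers -*-cbc\n"


def apply_cipher_spec(spec, default=DEFAULT_CIPHERS):
    """Expand a Ciphers value into a concrete list, honouring the -/+ prefixes."""
    if spec.startswith("-"):
        patterns = spec[1:].split(",")
        return [c for c in default if not any(fnmatch(c, p) for p in patterns)]
    if spec.startswith("+"):
        extra = [c for c in spec[1:].split(",") if c not in default]
        return list(default) + extra
    return spec.split(",")


def effective_ciphers(cmdline, config_text):
    """Return the cipher list sshd would offer for this command line and config.

    -o options are collected first, then the configuration file; a keyword that
    is already set is never overwritten (first value wins).
    """
    settings = {}

    def first_value(key, value):
        settings.setdefault(key.lower(), value.strip())

    args = shlex.split(cmdline)
    i = 0
    while i < len(args):
        if args[i] == "-o" and i + 1 < len(args):      # "-o Ciphers=..."
            kv, i = args[i + 1], i + 2
        elif args[i].startswith("-o"):                 # "-oCiphers=..."
            kv, i = args[i][2:], i + 1
        else:
            i += 1
            continue
        key, _, value = kv.partition("=")
        first_value(key, value)

    for line in config_text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)  # "Ciphers x" or "Ciphers=x"
        if len(parts) == 2:
            first_value(parts[0], parts[1])

    spec = settings.get("ciphers")
    return list(DEFAULT_CIPHERS) if spec is None else apply_cipher_spec(spec)


def negotiate(client_ciphers, server_ciphers):
    """RFC 4253 choice: the first client-preferred cipher the server also offers."""
    for c in client_ciphers:
        if c in server_ciphers:
            return c
    return None


if __name__ == "__main__":
    # 'sshd -T' run by hand has no CRYPTO_POLICY on its command line, so the
    # config's removal applies and no CBC cipher is listed.
    print("sshd -T:", effective_ciphers("", SSHD_CONFIG))
    # The systemd-started daemon: -oCiphers from the policy wins over the file.
    live = effective_ciphers(POLICY_CMDLINE, SSHD_CONFIG)
    print("running service:", live)
    print("client offering aes128-cbc gets:", negotiate(["aes128-cbc"], live))
    # With CRYPTO_POLICY= uncommented (empty) the command line carries nothing
    # and the configuration file takes effect again.
    print("opted out:", negotiate(["aes128-cbc"], effective_ciphers("", SSHD_CONFIG)))
```

The practical check this suggests: after changing sshd_config, compare "sshd -T" against what the running unit was actually started with ("systemctl cat sshd" plus the environment file), or simply attempt a connection with "ssh -c aes128-cbc" against the live service, since "sshd -T" alone only reflects the file.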