Problem

After "Nessus" vulnerability scanning on Central node 4.0 servers, you may see the following:

This is about a IETF proposed standard (formerly a draft) introduced in January 2022 after KATA 4.0 release. These IETF recommendations are addressed in KATA version 5.0.

Solution

KATA 4.0 has OpenSSH_7.4p1, OpenSSL 1.0.2k-fips. This version supports newer Key Exchange (KEx) algorithms, so disabling weaker ones doesn't pose a problem. However, the list of key exchange algorithms that are accepted by GSSAPI key exchange for this version have only the ones that are named weak by the IETF draft, man SSHD_CONFIG(5) says:

Therefore, the only option to remove these in OpenSSH_7.4p1, is to disable GSSAPI key exchange. GSSAPI however is used by Kerberos authentification, so the possible impact is that Kerberos integration may be affected after these changes. 

So, in order to achieve the desired result:

1.  Open /etc/ssh/shh_config

   #vi /etc/ssh/shh_config

2. Locate the line

   GSSAPIAuthentication yes

   Change it to "no":

   GSSAPIAuthentication no

3. Add (or uncomment) the line

   GSSAPIKeyExchange no

4. Add the line defining the KEX algorithms to be used. These are all the algorithms supported by existing version of OpenSSL except the weak ones:

   KexAlgorithms diffie-hellman-group14-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group-exchange-sha256,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,curve25519-sha256,curve25519-sha256@libssh.org

5. Exit vi and save :wq!

6. Restart sshd

   #systemctl restart sshd

7. Confirm applied changes by listing the loaded gssapi settings and KEX algorithms.

   # sshd -T | grep kex # sshd -T | grep gssapi