BTW based on your output it looks like the DEFAULT policy is just fine, If you really want to turn etm HMAC and chacha20 off, you should follow the RHEL security alert https://access.redhat.com/security/cve/cve-2023-48795 cipher@SSH = -CHACHA20-POLY1305 ssh_etm = 0 by putting these lines into `/etc/crypto-policies/policies/modules/CVE-2023-48795.pmod`, applying the resulting subpolicy with `update-crypto-policies --set $(update-crypto-policies --show):CVE-2023-48795` and restarting openssh server. However I would NOT do that (since those ciphers are the modern alternatives), and instead update to openssh-server-8.0p1-15.el8_6.3.x86_64.rpm (see https://access.redhat.com/errata/RHSA-2024:0429) Gruss Bernd _______________________________________________ openssh-unix-dev mailing list openssh-unix-dev@xxxxxxxxxxx https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev