os_sshd_key_exchange_algorithm_configure detection issue #211

Closed
opened 2026-01-19 18:29:40 +00:00 by michael · 1 comment
Owner

Originally created by @K1jaff on GitHub.

Originally assigned to: @brodjieski on GitHub.

Summary

os_sshd_key_exchange_algorithm_configure detection is looking for the value "diffie-hellman-group-exchange-sha256" on the line starting with kexalgorithms; the current detection command fails to find the value even if present.

result_value=$(/usr/sbin/sshd -T | /usr/bin/grep -ci "^kexalgorithms diffie-hellman-group-exchange-sha256")

expected result {'integer': 1}

result_value {'integer': 0}

Steps to reproduce

Run /usr/sbin/sshd -T and visually confirm diffie-hellman-group-exchange-sha256 is present on the line starting with kexalgorithms
Run /usr/sbin/sshd -T | /usr/bin/grep -ci "^kexalgorithms diffie-hellman-group-exchange-sha256"
See that the command returns 0

Operating System version

Operating System Version:
13.0.1
Operating System Build:
22A400

Intel or Apple Silicon

Apple Silicon Mac

What is the current bug behavior?

Lookup for "diffie-hellman-group-exchange-sha256" returns 0 even if present

What is the expected correct behavior?

Lookup for "diffie-hellman-group-exchange-sha256" returns 1 if present

Relevant logs and/or screenshots

```xml
<key>os_sshd_key_exchange_algorithm_configure</key>
<dict>
	<key>finding</key>
	<true/>
</dict>
```

Possible fixes

Splitting the grep out into two commands returns the expected value:

```shell
result_value=$(/usr/sbin/sshd -T | /usr/bin/grep "^kexalgorithms" | /usr/bin/grep -ci "diffie-hellman-group-exchange-sha256")
```

Author
Owner

@brodjieski commented on GitHub:

This check is for the STIG only, and the STIG specifically calls for the configuration of the diffie-hellman-group-exchange-sha256 key exchange algorithm. If any other algorithm is found, it would be a finding.

In testing, the check, as it stands, works as expected. The issue could not be reproduced.

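The following is an added example, not code from the macos_security project or from either participant. It runs the rule's original anchored grep, the reporter's proposed two-stage grep, and a whole-line (`grep -x`) variant against three constructed `sshd -T` outputs (no real host was sampled): the required algorithm alone, the required algorithm listed after another one, and the required algorithm absent. It shows the one grep-level situation in which the anchored pattern returns 0 while the algorithm is present (the algorithm is not the first entry on the kexalgorithms line); the issue does not say whether that was the reporter's configuration. It also shows that the proposed fix returns 1 when other algorithms are present, which the maintainer's comment says should be a finding, whereas the whole-line match returns 1 only when the required algorithm is the sole entry. Plain `grep` is used instead of the rule's `/usr/bin/grep` path so the script runs on any POSIX shell.

```shell
#!/bin/sh
# Added example: compares three grep formulations of the STIG kexalgorithms
# check against constructed `sshd -T` output (no real host was sampled).

# Constructed samples: required algorithm alone, listed second, and absent.
SAMPLE_EXACT='port 22
kexalgorithms diffie-hellman-group-exchange-sha256
ciphers aes256-gcm@openssh.com'

SAMPLE_SECOND='port 22
kexalgorithms curve25519-sha256,diffie-hellman-group-exchange-sha256
ciphers aes256-gcm@openssh.com'

SAMPLE_ABSENT='port 22
kexalgorithms curve25519-sha256
ciphers aes256-gcm@openssh.com'

# The rule's single anchored grep (as quoted in the issue): matches only when
# the required algorithm is the first entry after "kexalgorithms".
# "|| true" keeps grep's exit status 1 on zero matches from aborting callers
# that run under "set -e"; the printed count is still "0".
original_check() {
  printf '%s\n' "$1" | grep -ci "^kexalgorithms diffie-hellman-group-exchange-sha256" || true
}

# The reporter's proposed two-stage grep: matches whenever the algorithm
# appears anywhere on the kexalgorithms line, even alongside other algorithms.
proposed_check() {
  printf '%s\n' "$1" | grep "^kexalgorithms" | grep -ci "diffie-hellman-group-exchange-sha256" || true
}

# Whole-line match (-x): 1 only when the required algorithm is the sole entry,
# which is the condition the maintainer's comment describes (any other
# algorithm present is a finding).
strict_check() {
  printf '%s\n' "$1" | grep -cix "kexalgorithms diffie-hellman-group-exchange-sha256" || true
}

# Stand-alone run: print the three results for each constructed sample.
for name in SAMPLE_EXACT SAMPLE_SECOND SAMPLE_ABSENT; do
  eval "sample=\$$name"
  printf '%-14s original=%s proposed=%s strict=%s\n' "$name" \
    "$(original_check "$sample")" "$(proposed_check "$sample")" "$(strict_check "$sample")"
done
```

To run it against a live host instead of the samples, replace the `printf '%s\n' "$1"` stage in each function with `/usr/sbin/sshd -T` and drop the argument; the counts are what the rule's `result_value` would see.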

Reference: usnistgov/macos_security#211