Adding new kex method / EC2 Instance connect supports #883

@fredericgermain

Description

Hi,

On an instance with ansible-collection-hardening set up, we cannot use EC2 Instance Connect:

... sshd[32758]: Connection from 18.202.216.53 port 60838 on 10.0.0.240 port 22 rdomain ""
... sshd[32758]: Unable to negotiate with 18.202.216.53 port 60838: no matching key exchange method found. Their offer: ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,ext-info-c,[[email protected]](mailto:[email protected]) [preauth]

It seems they only allow a really limited list for kex.
Adding ecdh-sha2-nistp521 to the ssh config would work.

I would say we should try to revisit the list of allowed kex methods in the dev-sec hardening.

I'm not sure how legitimate this website is, but they recommend ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group14-sha1,diffie-hellman-group-exchange-sha256: https://www.ssh.com/academy/ssh/sshd_config
Although we might want to keep current methods for compatibility reasons.

Solution

Add one or more of the ecdh-sha2-* methods to ssh_kex_85_default and change inspec accordingly.

Alternatives

No response

Additional information

...
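As an added example (not part of the issue or of the dev-sec collection), the following script reads the client's kex offer out of an sshd "Unable to negotiate" line, drops the RFC 8308 pseudo-algorithm ext-info-c, and reports whether the server's configured KexAlgorithms overlaps with it, and if not, the single ecdh-sha2-* method (strongest curve first, as suggested above) that would close the gap. The log line and the server list are constructed for illustration; the real ssh_kex_85_default may differ.

```python
import re

# Constructed sshd log line modelled on the one in the issue (kex names as quoted there).
SAMPLE_LOG = (
    'sshd[32758]: Unable to negotiate with 18.202.216.53 port 60838: '
    'no matching key exchange method found. Their offer: '
    'ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,ext-info-c [preauth]'
)

# Assumed server-side KexAlgorithms list (constructed; not dev-sec's actual default).
SERVER_KEX = ['curve25519-sha256@libssh.org', 'diffie-hellman-group-exchange-sha256']

# Entries that travel in the kex name-list but are extension markers, not key exchanges (RFC 8308).
PSEUDO_KEX = {'ext-info-c', 'ext-info-s'}

# Which ecdh-sha2-* method to add if nothing overlaps: larger curve first.
PREFERENCE = ['ecdh-sha2-nistp521', 'ecdh-sha2-nistp384', 'ecdh-sha2-nistp256']

OFFER_RE = re.compile(r'Their offer: (?P<offer>\S+)')


def parse_offer(log_line):
    """Return the client's real kex algorithms from an 'Unable to negotiate' line."""
    m = OFFER_RE.search(log_line)
    if not m:
        return []
    return [a for a in m.group('offer').split(',') if a not in PSEUDO_KEX]


def kex_gap(client_offer, server_kex):
    """Return (overlap, addition): overlap is the methods both sides support,
    addition is the preferred ecdh-sha2-* method to add when overlap is empty (else None)."""
    overlap = [a for a in server_kex if a in client_offer]
    if overlap:
        return overlap, None
    for cand in PREFERENCE:
        if cand in client_offer:
            return [], cand
    return [], None


def hardened_kex_line(server_kex, addition):
    """Render the sshd_config KexAlgorithms line with the minimal addition appended."""
    algs = list(server_kex) + ([addition] if addition else [])
    return 'KexAlgorithms ' + ','.join(algs)


if __name__ == '__main__':
    offer = parse_offer(SAMPLE_LOG)
    overlap, addition = kex_gap(offer, SERVER_KEX)
    print('client offer:', offer)
    print('overlap:', overlap, '| add:', addition)
    print(hardened_kex_line(SERVER_KEX, addition))
```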
