Configuring cryptographic algorithms for SSH with ASA


My team uses Okta Advanced Server Access (ASA) to manage SSH connections. We’re currently going through a compliance push for an upcoming audit and need to adjust the supported cryptographic algorithms for SSH to comply with certain controls. I updated the Ciphers, HostKeyAlgorithms, KexAlgorithms, and MACs in our sshd_config and restarted sshd. I confirmed the configuration looked correct with sudo sshd -T. However, when I inspected the handshake using ssh -vv <host>, I saw the server’s list of supported algorithms had not changed.

Is there some component of the ASA server agent that overrides the configured cryptographic algorithms in our sshd_config? Has anyone tried this before?