
Configure SSHD via Red Hat crypto-policy

3 votes
1 answer
4235 views
I am using Rocky Linux 8 and 9 and they use the crypto-policy framework from Red Hat. Now I want to adjust some settings in the policy to forbid sshd to use some specific algorithms. But I cannot figure out the names for these algorithms as they should be given to crypto-policy (I only know the names as openssh accepts them).

I am writing a text file at /etc/crypto-policies/policies/modules/DEPRECATED-SSH-ALGOS.pmod and try to set my policy to DEFAULT:DEPRECATED-SSH-ALGOS in /etc/crypto-policies/config. The problem is the content of the DEPRECATED-SSH-ALGOS.pmod file. Some algorithms I can successfully deactivate and others I can't. In some cases I can easily guess the name that crypto-policy uses from the name that ssh uses.

"Working" version of the file:

~~~
cipher@ssh = -AES-*-CBC
mac@SSH = -*-SHA1 -HMAC-SHA2-256 -HMAC-SHA2-512
~~~

but I would like to use something like this:

~~~
cipher@ssh = -AES-*-CBC
mac@SSH = -*-SHA1 -HMAC-SHA2-256 -HMAC-SHA2-512 -UMAC-128@OPENSSH.COM
key_exchange@SSH = -*-SHA1 -ECDH-SHA2-NISTP256 -ECDH-SHA2-NISTP384 -ECDH-SHA2-NISTP521
~~~

but the crypto-policy framework complains that it does not know this algorithm when I run `update-crypto-policies --set`:

~~~
AlgorithmEmptyMatchError: Bad value of policy property key_exchange: ecdh-sha2-nistp256
Errors found in policy, first one: Bad value of policy property key_exchange: ECDH-SHA2-NISTP256
~~~

# Question

What are the names of the algorithms I can put in a crypto-policy file, or where do I find these? Or: given an ssh-specific algorithm name, how can I figure out the crypto-policy name for that algorithm?

----------------

# EDIT

I have since found the file /usr/share/crypto-policies/python/policygenerators/openssh.py on my Rocky machine which seems to map these names:

~~~python
# ...
kx_map = {
    'ECDHE-SECP521R1-SHA2-512':'ecdh-sha2-nistp521',
    'ECDHE-SECP384R1-SHA2-384':'ecdh-sha2-nistp384',
    'ECDHE-SECP256R1-SHA2-256':'ecdh-sha2-nistp256',
    # ...
}
# ...
~~~

The problem is that some of the names there did not work as well. Either of

~~~shell
key_exchange@SSH = -ecdh-sha2-nistp256
# or
key_exchange@SSH = -ECDHE-SECP256R1-SHA2-256
~~~

results in `Bad value of policy property key_exchange` when I run `update-crypto-policies --set`.
Asked by Lucas (2945 rep)
Apr 29, 2024, 01:59 PM
Last activity: Apr 30, 2024, 01:07 PM
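An added example (not part of the question or of the crypto-policies project) that works from the three `kx_map` entries quoted above. It assumes that the map key is the composite `<key_exchange>-<group>-<hash>` built from three separate policy properties, which is why a whole composite key or an OpenSSH name is rejected as a `key_exchange` value, and that a single kex algorithm can instead be removed through its `group` property.

```python
import re
from fnmatch import filter as glob_filter

# Constructed sample: the three kx_map entries quoted in the question. A real run
# would read /usr/share/crypto-policies/python/policygenerators/openssh.py instead.
KX_MAP_SNIPPET = """
    'ECDHE-SECP521R1-SHA2-512':'ecdh-sha2-nistp521',
    'ECDHE-SECP384R1-SHA2-384':'ecdh-sha2-nistp384',
    'ECDHE-SECP256R1-SHA2-256':'ecdh-sha2-nistp256',
"""
ENTRY = re.compile(r"'([^']+)'\s*:\s*'([^']+)'")


def parse_kx_map(text):
    """Return {openssh_kex_name: composite_policy_key} from kx_map source text."""
    return {ssh: key for key, ssh in ENTRY.findall(text)}


def split_composite(key):
    """Assumption: the composite key is <key_exchange>-<group>-<hash>. The hash
    part itself contains a dash (SHA2-256), so split from the left exactly twice."""
    kx, group, hash_ = key.split("-", 2)
    return {"key_exchange": kx, "group": group, "hash": hash_}


def pmod_line_to_disable(ssh_name, text=KX_MAP_SNIPPET):
    """Suggest a pmod line that removes one OpenSSH kex algorithm via its group,
    the component that is unique to that algorithm among the map entries."""
    parts = split_composite(parse_kx_map(text)[ssh_name])
    return f"group@SSH = -{parts['group']}"


def check_pmod_line(line, text=KX_MAP_SNIPPET):
    """Return the tokens of a pmod line that match no known value of the property
    the line sets; the vocabulary is the component values seen in the map."""
    prop, _, values = line.partition("=")
    prop = prop.strip().split("@")[0]          # 'key_exchange@SSH' -> 'key_exchange'
    known = {p: set() for p in ("key_exchange", "group", "hash")}
    for key in parse_kx_map(text).values():
        for p, v in split_composite(key).items():
            known[p].add(v)
    bad = []
    for tok in values.split():
        name = tok.lstrip("+-").upper()        # policy values are case-insensitive
        if not glob_filter(known[prop], name):  # honour '*' wildcards like -*-SHA1
            bad.append(name)
    return bad
```

With the question's failing line, `check_pmod_line("key_exchange@SSH = -ECDH-SHA2-NISTP256")` flags the token, while `pmod_line_to_disable("ecdh-sha2-nistp256")` yields `group@SSH = -SECP256R1`, which passes the same check.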