diff --git a/tasks/configure_ssh_hardening.yml b/tasks/configure_ssh_hardening.yml
index 780cff7ec546250702b0fdfca95c3d695de05eb3..421c10963cf943a8708cdc744ebdafc747113df2 100644
--- a/tasks/configure_ssh_hardening.yml
+++ b/tasks/configure_ssh_hardening.yml
@@ -1,4 +1,16 @@
 ---
+# man update-crypto-policies for details
+- name: make sure that SSH on RHEL respects the custom settings in sshd_config
+ ansible.builtin.regex_replace:
+ path: "/etc/sysconfig/sshd"
+ regexp: "# CRYPTO_POLICY="
+ line: "CRYPTO_POLICY="
+ # Only RedHat has the `/etc/sysonfig/` directory structure, so don't run this
+ # on Debian machines.
+ when: ansible_os_family == "RedHat"
+ notify:
+ - restart sshd
+
 - name: Konfiguration für OpenSSH einspielen - gehärtete Config
 ansible.builtin.blockinfile:
 path: "/etc/ssh/sshd_config"
@@ -56,6 +68,7 @@
 KexAlgorithms diffie-hellman-group14-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group-exchange-sha256,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,curve25519-sha256,curve25519-sha256@libssh.org
 # disable weak Ciphers (crypto algorithms)
 # NVT OID: 1.3.6.1.4.1.25623.1.0.105611
+ # NVT OID: 1.3.6.1.4.1.25623.1.0.105565
 # Also explicitely omit ChaCha ciphers for "Terrapin" (CVE-2023-48795)
 Ciphers aes256-ctr,aes192-ctr,aes128-ctr,aes256-gcm@openssh.com,aes128-gcm@openssh.com
 # Explicitely omit -ETM MACs for "Terrapin" (CVE-2023-48795)
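Review bot: `ansible.builtin.regex_replace` is not a module (`regex_replace` is a Jinja filter), so the new task at the top of the first hunk will fail to resolve its action before the play runs; the parameters it passes (`path`, `regexp`, `line`) are those of `ansible.builtin.lineinfile`, so the line should read `ansible.builtin.lineinfile:`. With `lineinfile`, the unanchored `regexp: "# CRYPTO_POLICY="` also makes the task non-idempotent: once the line has been uncommented the pattern no longer matches and a second `CRYPTO_POLICY=` is appended at end of file, so anchor it to match both forms, e.g. `regexp: '^#?\s*CRYPTO_POLICY='`. The `/etc/sysonfig/` in the task comment is a typo for `/etc/sysconfig/`. Opting out of the system crypto policy means sshd's algorithm lists then come solely from the `sshd_config` block written by the following task (which continues past the hunk), so if the targets include newer RHEL-family releases where the policy is applied through an sshd_config include rather than this sysconfig variable, it is worth verifying that the hardened lists actually take effect there.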