Bug 1668325
| Summary: | openssh - man pages do not mention crypto-policies | ||
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 8 | Reporter: | Stanislav Zidek <szidek> |
| Component: | openssh | Assignee: | Jakub Jelen <jjelen> |
| Status: | CLOSED ERRATA | QA Contact: | Bob Relyea <rrelyea> |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | ||
| Version: | 8.0 | CC: | asosedki, hkario, jjelen, nmavrogi, omoris, rrelyea, szidek, tmraz |
| Target Milestone: | rc | Keywords: | Triaged |
| Target Release: | 8.1 | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | openssh-8.0p1-1.el8 | Doc Type: | If docs needed, set a value |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2019-11-05 22:41:07 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
| Bug Depends On: | 1682500 | ||
| Bug Blocks: | 1625318 | ||
I do not understand why this is assigned to crypto-policies. And I do not think we should document in crypto-policies manual pages the exact list of algorithms for each and every crypto back end that is configured by crypto-policies. That makes completely no sense as the users can look into the individual config files at what the list is and duplicating this info in manual pages only complicates things. Can you please clarify, what you request here? yes, it was a mistake, it's the openssh man pages that need to be fixed We should fix this one too as described in bug #1625318. The proposal is to add to ssh_config and sshd_config manual pages something like this: The default is handled by system-wide crypto-policies(7). How to overwrite this default, see manual page update-crypto-policies(8). instead of The default is: chacha20-poly1305, aes128-ctr,aes192-ctr,aes256-ctr, aes128-gcm,aes256-gcm I propose to change this in each of Ciphers, MACs, KexAlgorithms, GSSAPIKexAlgorithms, PubkeyAcceptedKeyTypes, HostKeyAlgorithms (in server only so far). Thank you for checking. I have the patch ready, but I did not build the package yet. I will do it ASAP. Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHSA-2019:3702 |
Description of problem: Looking to e.g. man sshd_config, part Ciphers, it is documenting wrong default value: Ciphers ... The supported ciphers are: ... The default is: chacha20-poly1305, aes128-ctr,aes192-ctr,aes256-ctr, aes128-gcm,aes256-gcm This might be confusing to administrators, because true defaults are dependent on current policy profile. Version-Release number of selected component (if applicable): # rpm -q openssh crypto-policies openssh-7.8p1-4.el8.x86_64 crypto-policies-20181217-1.git9a35207.el8.noarch Additional info: Actual config files (sshd_config and ssh_config) DO mention crypto policies.