Bug 1790604
| Summary: | CASignatureAlgorithms manpage mentions postulate upstream defaults, do not mention crypto-policies | ||
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 8 | Reporter: | Alexander Sosedkin <asosedki> |
| Component: | openssh | Assignee: | Jakub Jelen <jjelen> |
| Status: | CLOSED ERRATA | QA Contact: | Ondrej Moriš <omoris> |
| Severity: | low | Docs Contact: | |
| Priority: | low | ||
| Version: | 8.3 | CC: | omoris, tmraz |
| Target Milestone: | rc | Keywords: | Triaged |
| Target Release: | 8.0 | Flags: | jjelen: mirror+ |
| Hardware: | Unspecified | ||
| OS: | Unspecified | ||
| Whiteboard: | |||
| Fixed In Version: | openssh-8.0p1-5.el8 | Doc Type: | No Doc Update |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2020-11-04 01:31:59 UTC | Type: | Bug |
Successfully verified. See bz#1724195#c11 for more details.

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.

For information on the advisory (openssh bug fix and enhancement update), and where to find the updated files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2020:4439
Version-Release number of selected component (if applicable):
openssh-8.0p1-3.el8

CASignatureAlgorithms mentions in the manpages claim incorrect default values inherited from upstream.

Steps to reproduce:
man ssh_config sshd_config

Actual results:

    CASignatureAlgorithms
        Specifies which algorithms are allowed for signing of certificates
        by certificate authorities (CAs). The default is:

            ecdsa-sha2-nistp256.ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,
            ssh-ed25519,rsa-sha2-512,rsa-sha2-256,ssh-rsa

        ssh(1) will not accept host certificates signed using algorithms
        other than those specified.

Expected results:

    CASignatureAlgorithms
        Specifies which algorithms are allowed for signing of certificates
        by certificate authorities (CAs). The default values are configured
        with crypto-policies(7).

        ssh(1) will not accept host certificates signed using algorithms
        other than those specified.

Additional info:
As the defaults are dynamic and governed by crypto-policies, we cannot really list them. But even a passing mention of crypto-policies is better than an inaccurate list.
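The mismatch this report describes can be checked on a host by comparing the list the old man page printed with what `ssh -G` resolves. The script below is an added example, not part of the bug report; the sample `ssh -G` output and the function names are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the bug report): compare the list the old man page
# printed with the CASignatureAlgorithms value ssh actually resolves.

# Upstream default as quoted under "Actual results", comma-separated here.
DOCUMENTED="ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-ed25519,rsa-sha2-512,rsa-sha2-256,ssh-rsa"

# Constructed sample of `ssh -G <host>` output; the values are illustrative,
# not the contents of any particular crypto-policies level.
SAMPLE_SSH_G='user alice
hostname example.test
port 22
casignaturealgorithms ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-ed25519,rsa-sha2-256,rsa-sha2-512
ciphers aes256-gcm@openssh.com,aes256-ctr'

# Extract the effective value from `ssh -G` style output read on stdin.
effective_ca_algs() {
    awk 'tolower($1) == "casignaturealgorithms" { print $2; exit }'
}

# Print algorithms present in list $1 but absent from list $2, one per line.
missing_from() {
    for mf_alg in $(printf '%s' "$1" | tr ',' ' '); do
        case ",$2," in
            *",$mf_alg,"*) ;;
            *) printf '%s\n' "$mf_alg" ;;
        esac
    done
}

# Report drift between the documented list and the effective value in $1.
# Returns 0 when both sets match, 1 when they differ, 2 when $1 is empty.
report_drift() {
    rd_eff=$1
    [ -n "$rd_eff" ] || { echo "casignaturealgorithms not found" >&2; return 2; }
    rd_only_doc=$(missing_from "$DOCUMENTED" "$rd_eff")
    rd_only_eff=$(missing_from "$rd_eff" "$DOCUMENTED")
    [ -z "$rd_only_doc" ] || printf 'documented but not accepted: %s\n' $rd_only_doc
    [ -z "$rd_only_eff" ] || printf 'accepted but not documented: %s\n' $rd_only_eff
    [ -z "$rd_only_doc" ] && [ -z "$rd_only_eff" ]
}

report_drift "$(printf '%s\n' "$SAMPLE_SSH_G" | effective_ca_algs)" || true
# On a live system: report_drift "$(ssh -G localhost | effective_ca_algs)"
```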