Bug 1812854
| Summary: | RFE: Provide more details regarding "System-wide Crypto policy" in /etc/ssh/sshd_config | | |
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 8 | Reporter: | Renaud Métrich <rmetrich> |
| Component: | openssh | Assignee: | Jakub Jelen <jjelen> |
| Status: | CLOSED ERRATA | QA Contact: | Ondrej Moriš <omoris> |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | | |
| Version: | 8.1 | CC: | omoris, tmraz |
| Target Milestone: | rc | Keywords: | FutureFeature, Triaged |
| Target Release: | 8.0 | | |
| Hardware: | All | | |
| OS: | All | | |
| Whiteboard: | | | |
| Fixed In Version: | openssh-8.0p1-5.el8 | Doc Type: | No Doc Update |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2020-11-04 01:32:00 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
Description
Renaud Métrich
2020-03-12 10:51:56 UTC
I agree that this might be a bit confusing. I will try to reword the paragraphs in the manual page. But this snippet is not supposed to be full-fledged documentation, but more something like a landing point if you really do not know what is going on, to direct you to the appropriate manual page, which should really be the place that documents the thing in more detail. So rather than extending this snippet, I would rather make it shorter and focus on improving the documentation in the actual manual page. Does the paragraph there make sense for you, or is there something you would improve there?

Alright, maybe something like this:

"
This system is following system-wide crypto policy, hence most of the crypto properties (Ciphers, MACs, ...) cannot be configured in this file anymore. Please check sshd_config(5) manpage for details.
"

What is apparently missing is a section regarding system-wide crypto policy in the manpage.

(In reply to Renaud Métrich from comment #2)
> Alright, maybe something like this:
>
> "
> This system is following system-wide crypto policy, hence most of the crypto
> properties (Ciphers, MACs, ...) cannot be configured in this file anymore.

It is not true that the options cannot be configured here. This is a configuration file, and if you opt out from crypto policies according to the update-crypto-policies man page, you are configuring everything here. I like the idea of not listing all the options here, as it makes it hard to keep them in sync with crypto policies (we already try to keep them up to date in the manual page).

> Please check sshd_config(5) manpage for details.
> "

This should actually reference both the sshd_config and update-crypto-policies man pages, as the first should list up-to-date options affected by crypto policies and the other the suggested/supported way for opting out of/overriding the configuration.

> What is apparently missing is a section regarding system-wide crypto policy
> in the manpage.

At this moment, I would probably suggest something like this:

    # This system is following system-wide crypto policy. The changes to
    # crypto properties (Ciphers, MACs, ...) will not have any effect here.
    # They will be overridden by command-line options passed to the server
    # on command line.
    # Please, check manual pages for update-crypto-policies(8) and sshd_config(5).

Let me know what you think.

I'm good with this.

Successfully verified.

OLD (openssh-8.0p1-4.el8_1)
===========================

    # System-wide Crypto policy:
    # This system is following system-wide crypto policy. The changes to
    # Ciphers, MACs, KexAlgoritms and GSSAPIKexAlgorithsm will not have any
    # effect here. They will be overridden by command-line options passed on
    # the server start up.
    # To opt out, uncomment a line with redefinition of CRYPTO_POLICY=
    # variable in /etc/sysconfig/sshd to overwrite the policy.
    # For more information, see manual page for update-crypto-policies(8).

NEW (openssh-8.0p1-5.el8)
=========================

    # This system is following system-wide crypto policy. The changes to
    # crypto properties (Ciphers, MACs, ...) will not have any effect here.
    # They will be overridden by command-line options passed to the server
    # on command line.
    # Please, check manual pages for update-crypto-policies(8) and sshd_config(5).

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (openssh bug fix and enhancement update), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2020:4439
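As an added audit helper (not part of this bug report or of the openssh package), the following script checks a host the way the verified snippet describes: whether the CRYPTO_POLICY= opt-out line in /etc/sysconfig/sshd is still commented out, and which crypto directives in sshd_config would then be silently overridden by the policy's command-line options. The sample files and the function names are constructed; the only assumption about behaviour is what the snippet itself states.

```shell
#!/bin/sh
# Added audit helper; not from the bug report or the openssh package.
# Assumption (taken from the verified snippet): while the CRYPTO_POLICY= line
# in /etc/sysconfig/sshd stays commented out, sshd follows the system-wide
# policy and command-line options override the crypto directives in sshd_config.

# Constructed stand-ins for /etc/sysconfig/sshd and /etc/ssh/sshd_config.
SYSCONFIG_SAMPLE=$(mktemp)
SSHD_CONFIG_SAMPLE=$(mktemp)
trap 'rm -f "$SYSCONFIG_SAMPLE" "$SSHD_CONFIG_SAMPLE"' EXIT
cat > "$SYSCONFIG_SAMPLE" <<'EOF'
OPTIONS=
# To opt out, uncomment the line redefining CRYPTO_POLICY= (constructed sample)
# CRYPTO_POLICY=
EOF
cat > "$SSHD_CONFIG_SAMPLE" <<'EOF'
Port 22
Ciphers aes128-ctr
PermitRootLogin no
EOF

# crypto_policy_state SYSCONFIG_FILE -> prints "policy" or "opt-out".
# Only an uncommented CRYPTO_POLICY= assignment counts as opting out.
crypto_policy_state() {
    if grep -Eq '^[[:space:]]*CRYPTO_POLICY=' "$1"; then
        echo opt-out
    else
        echo policy
    fi
}

# shadowed_directives SSHD_CONFIG_FILE -> one directive name per line.
# These are the directives the snippet says the policy overrides.
shadowed_directives() {
    grep -Ei '^[[:space:]]*(Ciphers|MACs|KexAlgorithms|GSSAPIKexAlgorithms)[[:space:]]' "$1" \
        | awk '{ print $1 }'
}

# audit_sshd_crypto SYSCONFIG_FILE SSHD_CONFIG_FILE
# Warns about each directive that is set but has no effect under the policy.
audit_sshd_crypto() {
    if [ "$(crypto_policy_state "$1")" = opt-out ]; then
        return 0
    fi
    shadowed_directives "$2" | while read -r directive; do
        echo "WARNING: $directive in $2 is overridden by the system-wide crypto policy"
    done
}

audit_sshd_crypto "$SYSCONFIG_SAMPLE" "$SSHD_CONFIG_SAMPLE"
```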