Bug 1813066

Summary: sshd rekey limit update for OSPP
Product: Red Hat Enterprise Linux 8 Reporter: Steve Grubb <sgrubb>
Component: scap-security-guideAssignee: Vojtech Polasek <vpolasek>
Status: CLOSED ERRATA QA Contact: Matus Marhefka <mmarhefk>
Severity: high Docs Contact:
Priority: medium    
Version: 8.4CC: ggasparb, jjaburek, matyc, mhaicman, tmraz, wsato
Target Milestone: rcKeywords: AutoVerified, Reopened, Triaged
Target Release: 8.0Flags: pm-rhel: mirror+
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: No Doc Update
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2020-11-04 02:29:53 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 1761915    

Description Steve Grubb 2020-03-12 20:34:16 UTC 
Description of problem:
There have been some Technical Decisions for OSPP that allows a little more flexibility. We like a couple things amended to ease some restrictions:

sshd_config
Ciphers aes128- gcm, aes256-gcm
RekeyLimit change back to 1G

ssh_config
Ciphers aes128- gcm, aes256-gcm
RekeyLimit change back to 1G

Additional info:
I don't know how this is checked. If crypto policy does that and no changes are needed to support these changes, then feel free to close this bz.
Comment 4 Matěj Týč 2020-03-31 07:54:16 UTC 

*** This bug has been marked as a duplicate of bug 1813064 ***
Comment 5 Tomas Mraz 2020-03-31 08:11:59 UTC 
Please note that sshd_rekey_limit is not handled by crypto policies.
Comment 6 Vojtech Polasek 2020-04-01 13:48:37 UTC 
Concerning sshd, as Matej said, we have rule sshd_rekey_limit, which is currently hardcoded to 512M 1h. We can change it or customize it with a variable.
We have no rule for configuring ssh client rekey limit but it should not be difficult to create one.
Comment 7 Vojtech Polasek 2020-06-09 15:54:44 UTC 
Rule for ssh client rekey limit is upstream:
https://github.com/ComplianceAsCode/content/pull/5788
The rule for ssh server rekey limit was adjusted to meet needs of this BZ here:
https://github.com/ComplianceAsCode/content/pull/5782
Comment 8 Watson Yuuma Sato 2020-07-22 15:56:12 UTC 
FTR, https://github.com/ComplianceAsCode/content/pull/5772 is also necessary for this BZ, as it prepares the rule to be parametrized.
Comment 19 errata-xmlrpc 2020-11-04 02:29:53 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (scap-security-guide bug fix and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2020:4626