Bug 2138540

Summary: howto create a specific crypto-policy for SSH
Product: Fedora
Component: crypto-policies
Version: 37
Hardware: x86_64
OS: Linux
Status: CLOSED DUPLICATE
Severity: low
Priority: unspecified
Reporter: Frank Ansari
Assignee: Red Hat Crypto Team
QA Contact: Fedora Extras Quality Assurance
CC: asosedki, crypto-team, luk.claes, rrelyea, tm
Target Milestone: ---
Target Release: ---
Flags: fedora-admin-xmlrpc: mirror+
Type: Bug
Last Closed: 2023-03-28 13:16:20 UTC

Description Frank Ansari 2022-10-29 14:18:26 UTC
Description of problem:
I am trying to set up a crypto-policy for an SSH server. Of course I could go the opt-out way. But I would like to figure out how to do it with a crypto-policy.

Version-Release number of selected component (if applicable):
crypto-policies-scripts-20220815-1.gite4ed860.fc37.noarch

How reproducible:
Install ssh-audit.py (https://github.com/jtesta/ssh-audit) and try to figure out how to set up a policy without errors or warnings.

Steps to Reproduce:
1. cp /usr/share/crypto-policies/policies/DEFAULT.pol \
   /etc/crypto-policies/policies/MYPOLICY.pol
2. update-crypto-policies --set MYPOLICY
3. Adjust the policy so that ssh-audit.py throws no errors or warnings.

Actual results:
Here is an example of what I have set:

mac@SSH = HMAC-SHA2-512

According to ssh-audit I should not set hmac-sha2-512 but only hmac-sha2-512-etm. With the setting above update-crypto-policies sets both. I have tried to set these values:

HMAC-SHA2-512-ETM
HMAC-SHA2-512-ETM
HMAC-SHA2-512-*
HMAC-SHA2-512-+

All these attempts give errors like:

AlgorithmEmptyMatchError: Bad value of policy property `mac`: `hmac-sha2-512-*`
Errors found in policy, first one:
Bad value of policy property `mac`: `HMAC-SHA2-512-*`


Expected results:
There should be a way to get the desired result. It is unclear to me what the configuration syntax is.

Additional info:
I have similar questions for other parameters.

For example: if I want to get this result:

KexAlgorithms curve25519-sha256,curve25519-sha256

How do I have to configure this in the policy?

Comment 1 Alexander Sosedkin 2022-10-31 10:11:03 UTC
> According to ssh-audit I should not set hmac-sha2-512 but only hmac-sha2-512-etm

I believe that is possible with
    mac@SSH = HMAC-SHA2-512
    ssh_etm = 0

> KexAlgorithms curve25519-sha256,curve25519-sha256

These require enabling ECDHE key_exchange, X25519 group and SHA2-256 hash.

Hope that helps.

Comment 2 Alexander Sosedkin 2022-10-31 10:13:39 UTC
> According to ssh-audit I should not set hmac-sha2-512 but only hmac-sha2-512-etm

Oh, wait, you want just the etm one. I don't think that's possible with crypto-policies,
so you might consider opting out of it if you want to observe such a custom and rigid policy:
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/9/html/security_hardening/using-the-system-wide-cryptographic-policies_security-hardening#excluding-an-application-from-following-the-system-wide-crypto-policies_using-the-system-wide-cryptographic-policies
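
Whichever route is taken (a custom policy or opting sshd out of it), the thing to verify is what actually reached the OpenSSH server back-end file that update-crypto-policies generates. The script below is an added example, not part of this bug report or of the crypto-policies project: it parses that sshd_config-style file, lists the MACs that still lack the -etm@openssh.com suffix (the point ssh-audit warns about) and the KEX algorithms outside an allowed set. The file contents and the allowed KEX set are constructed for the demonstration.

```python
import re

# Path where update-crypto-policies writes the OpenSSH server back-end
# configuration on Fedora/RHEL; on a real host read it instead of SAMPLE_CONFIG.
BACKEND_PATH = "/etc/crypto-policies/back-ends/opensshserver.config"

# Constructed sample of such a file after a policy with `mac@SSH = HMAC-SHA2-512`,
# which emits both the etm and the non-etm variant (the situation in the report).
SAMPLE_CONFIG = """\
# Generated by update-crypto-policies (constructed sample)
Ciphers aes256-gcm@openssh.com,chacha20-poly1305@openssh.com,aes256-ctr
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-512
KexAlgorithms curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256
"""


def parse_openssh_backend(text):
    """Return {keyword: [algorithms]} for the comma-separated sshd keywords."""
    wanted = {"ciphers", "macs", "kexalgorithms", "hostkeyalgorithms"}
    result = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()        # drop comments and blanks
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)  # "Key value" or "Key=value"
        if len(parts) == 2 and parts[0].lower() in wanted:
            result[parts[0].lower()] = [a for a in parts[1].split(",") if a]
    return result


def non_etm_macs(text):
    """MACs in the back-end file that are not encrypt-then-MAC variants."""
    return [m for m in parse_openssh_backend(text).get("macs", [])
            if not m.endswith("-etm@openssh.com")]


def kex_outside(text, allowed):
    """KEX algorithms in the back-end file that are not in the allowed set."""
    return [k for k in parse_openssh_backend(text).get("kexalgorithms", [])
            if k not in allowed]


if __name__ == "__main__":
    text = SAMPLE_CONFIG  # real host: text = open(BACKEND_PATH).read()
    print("non-ETM MACs still enabled:", non_etm_macs(text))
    allowed_kex = {"curve25519-sha256", "curve25519-sha256@libssh.org"}
    print("KEX outside the allowed set:", kex_outside(text, allowed_kex))
```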

Comment 3 Alexander Sosedkin 2023-03-28 13:16:20 UTC

*** This bug has been marked as a duplicate of bug 2164847 ***