As it is now openssh's configuration is hard coded and the administrator is responsible for doing any changes to it, and in case of software upgrades for keeping the list of allowed ciphers, parameters etc. up to date. It would be simpler for openssh to follow the system-wide crypto policy by default, and unless the administrator changes the configuration the policies will be kept up to date and will be consistent with the policies followed in other parts of the system. The simplest approach for that would be for openssh to be able to include a file in its sshd_config and ssh_config, and thus include an auto-generated file.
The main idea is to relieve the administrator of the burden of coping with ciphers, e.g., to apply settings recommended in https://bettercrypto.org/static/applied-crypto-hardening.pdf
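As an added illustration of the include approach proposed above (example code, not from the bug thread or from OpenSSH): a minimal loader for OpenSSH-style configuration that follows an `Include` directive with glob expansion and applies OpenSSH's first-obtained-value-wins rule, so an administrator's explicit setting placed before the Include still wins while every keyword left unset falls through to the auto-generated policy file. The directory layout, file names and policy values are constructed for the demonstration; relative Include paths are resolved against the including file's directory, which is a simplifying assumption.

```python
import glob
import os
import re
import tempfile


def load_ssh_config(path, settings=None, seen=None):
    """Return {keyword: value}, keeping the first value obtained for each
    keyword (OpenSSH semantics) and descending into Include'd files."""
    settings = {} if settings is None else settings
    seen = set() if seen is None else seen
    if path in seen:          # guard against an include loop
        return settings
    seen.add(path)
    base = os.path.dirname(path)
    with open(path) as fh:
        for raw in fh:
            line = raw.strip()
            if not line or line.startswith("#"):
                continue
            parts = re.split(r"[\s=]+", line, maxsplit=1)  # "Key value" or "Key=value"
            if len(parts) != 2:
                continue
            key, value = parts[0].lower(), parts[1].strip()
            if key == "include":
                for pattern in value.split():
                    full = pattern if os.path.isabs(pattern) else os.path.join(base, pattern)
                    for inc in sorted(glob.glob(full)):   # glob expansion of the pattern
                        load_ssh_config(inc, settings, seen)
            elif key not in settings:                     # first obtained value wins
                settings[key] = value
    return settings


def demo():
    """Build a throw-away config tree and return the effective settings."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "policy.d"))
        # constructed "system-wide crypto policy" drop-in (values are illustrative)
        with open(os.path.join(root, "policy.d", "50-crypto-policy.conf"), "w") as fh:
            fh.write("Ciphers aes256-gcm@openssh.com,aes128-gcm@openssh.com\n"
                     "MACs hmac-sha2-512-etm@openssh.com\n"
                     "KexAlgorithms curve25519-sha256\n")
        # constructed administrator config: one explicit override, then the Include
        with open(os.path.join(root, "ssh_config"), "w") as fh:
            fh.write("# administrator pins Ciphers; everything else follows the policy\n"
                     "Ciphers aes256-ctr\n"
                     "Include policy.d/*.conf\n")
        return load_ssh_config(os.path.join(root, "ssh_config"))
```

Running `demo()` yields `ciphers` pinned to the administrator's `aes256-ctr` while `macs` and `kexalgorithms` come from the policy drop-in; moving the `Ciphers` line below the `Include` would let the policy value win instead.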
This bug appears to have been reported against 'rawhide' during the Fedora 23 development cycle. Changing version to '23'. (As we did not run this process for some time, it could affect also pre-Fedora 23 development cycle bugs. We are very sorry. It will help us with cleanup during Fedora 23 End Of Life. Thank you.) More information and reason for this action is here: https://fedoraproject.org/wiki/BugZappers/HouseKeeping/Fedora23
To sum things up. From my point of view, the include feature sounds reasonable for system-wide crypto policy, and a drop-in directory will also solve other packaging issues in Fedora. This topic is part of several upstream bugs: 1613, 2146 and 1585. The main concern was about the client config include, but creating a server version also makes sense for us and for other tools. I created a few patches and upstream bugs targeting this issue:
* broken glob(): https://bugzilla.mindrot.org/show_bug.cgi?id=2463
* include in ssh: https://bugzilla.mindrot.org/show_bug.cgi?id=1585
* include in sshd: https://bugzilla.mindrot.org/show_bug.cgi?id=2468
Finally I created a copr repo with the latest openssh build together with these patches to give it some more testing, before upstream considers this feature or we decide we want it in Rawhide regardless of the upstream resolution: https://copr.fedoraproject.org/coprs/jjelen/openssh-include/
Update status of include support in openssh:
* broken glob(): RESOLVED in openssh-7.2 (F23)
* include in ssh: upstream proposed a new patch
* include in sshd: no update
Future thoughts from recent discussion:
* RSAMinModulusSize: configuration option for ssh and sshd
  * SSH_RSA_MINIMUM_MODULUS_SIZE (currently 768)
  * value will increase to 1024 in openssh-7.3
* DHMinGroup: configuration option for ssh and sshd
  * DH_GRP_MIN 1024
  * DH_GRP_MIN_FIPS 2048
This bug appears to have been reported against 'rawhide' during the Fedora 25 development cycle. Changing version to '25'.
The client side will be in Fedora 26 [1] and soon in rawhide to test. Still leaving this open for the server side, which already has an updated patch in the upstream bugzilla [2] (with the same semantics as the client side). It is the last thing blocking us from implementing the policy on the server side too.
[1] https://fedoraproject.org/wiki/Changes/OpenSSH_Crypto_Policy
[2] https://bugzilla.mindrot.org/show_bug.cgi?id=2468
openssh-7.3p1-4.fc25 has been pushed to the Fedora 25 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2016-94293f91e8
openssh-7.3p1-4.fc25 has been pushed to the Fedora 25 stable repository. If problems still persist, please make note of it in this bug report.
Reopening for the server side. This functionality is still missing from upstream OpenSSH, as mentioned in comment #6.
This bug appears to have been reported against 'rawhide' during the Fedora 26 development cycle. Changing version to '26'.
This seems to be addressed by 1479271