1483998 – (rhel81-crypto-policies-libssh) libssh client: follow the policies of system-wide crypto policy

Bug 1483998 (rhel81-crypto-policies-libssh) - libssh client: follow the policies of system-wide crypto policy

Summary: libssh client: follow the policies of system-wide crypto policy

Keywords:
Status:	CLOSED RAWHIDE
Alias:	rhel81-crypto-policies-libssh
Product:	Fedora
Classification:	Fedora
Component:	libssh
Sub Component:
Version:	rawhide
Hardware:	Unspecified
OS:	Unspecified
Priority:	unspecified
Severity:	unspecified
Target Milestone:	---
Assignee:	Anderson Sasaki
QA Contact:	Fedora Extras Quality Assurance
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:	fedora-crypto-policies 1610883 1635111
TreeView+	depends on / blocked

Reported:	2017-08-22 12:43 UTC by Nikos Mavrogiannopoulos
Modified:	2019-06-28 09:48 UTC (History)
CC List:	4 users (show)
Fixed In Version:	libssh-0.9.0-1
Doc Type:	If docs needed, set a value
Doc Text:
Clone Of:
Clones:	1610883 (view as bug list)
Environment:
Last Closed:	2019-06-28 09:48:43 UTC
Type:	Bug
Embargoed:
Dependent Products:

Attachments	(Terms of Use)
Support include files (11.06 KB, patch) 2017-08-24 13:50 UTC, Nikos Mavrogiannopoulos	no flags	Details \| Diff
View All

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Red Hat Bugzilla	1225752	0	unspecified	CLOSED	openssh should follow the policies of system-wide crypto policy	2021-02-22 00:41:40 UTC

Description Nikos Mavrogiannopoulos 2017-08-22 12:43:56 UTC

Please utilize the system's crypto policy for enabled by default ciphers:
https://fedoraproject.org/wiki/Packaging:CryptoPolicies

As it is now libssh's configuration is provided per application using ssh_options_parse_config() making the administrator/user responsible any enabled ciphers, and in case of software upgrades to keep up-to-date the list of available ciphers allowed, parameters etc.

It would align more to the fedora system-wide policy directions if the library could apply some default settings based on the system policy when the user doesn't override/set a config file. For example fallback into reading a global configuration file in case the user doesn't have one (e.g., /etc/crypto-policies/back-ends/openssh.config).

Comment 1 Nikos Mavrogiannopoulos 2017-08-24 11:26:29 UTC

It seems the code already falls back to read /etc/ssh/ssh_config when no filename is set, or no user config exists. However, in Fedora we use Include directives on the configuration file, which in turn include /etc/ssh/ssh_config.d/05-redhat.conf and this includes /etc/crypto-policies/back-ends/openssh.config.

So this is pretty much an RFE to support recursive including of files.

Comment 2 Nikos Mavrogiannopoulos 2017-08-24 13:50:57 UTC

Created attachment 1317699 [details]
Support include files

Note You need to log in before you can comment on or make changes to this bug.