Bug 1483998 (rhel81-crypto-policies-libssh) - libssh client: follow the policies of system-wide crypto policy
Summary: libssh client: follow the policies of system-wide crypto policy
Keywords:
Status: CLOSED RAWHIDE
Alias: rhel81-crypto-policies-libssh
Product: Fedora
Classification: Fedora
Component: libssh
Version: rawhide
Hardware: Unspecified
OS: Unspecified
Target Milestone: ---
Assignee: Anderson Sasaki
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks: fedora-crypto-policies 1610883 1635111
Reported: 2017-08-22 12:43 UTC by Nikos Mavrogiannopoulos
Modified: 2019-06-28 09:48 UTC

Fixed In Version: libssh-0.9.0-1
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Clones: 1610883
Environment:
Last Closed: 2019-06-28 09:48:43 UTC
Type: Bug


Attachments
Support include files (11.06 KB, patch), 2017-08-24 13:50 UTC, Nikos Mavrogiannopoulos


Links
Red Hat Bugzilla 1225752 (CLOSED): openssh should follow the policies of system-wide crypto policy (last updated 2021-02-22 00:41:40 UTC)

Description Nikos Mavrogiannopoulos 2017-08-22 12:43:56 UTC
Please utilize the system's crypto policy for the ciphers enabled by default:
https://fedoraproject.org/wiki/Packaging:CryptoPolicies

As it is now, libssh's configuration is provided per application using ssh_options_parse_config(), making the administrator/user responsible for any enabled ciphers and, in case of software upgrades, for keeping the list of allowed ciphers, parameters, etc. up to date.

It would align more with the Fedora system-wide policy directions if the library could apply some default settings based on the system policy when the user doesn't override/set a config file. For example, fall back to reading a global configuration file in case the user doesn't have one (e.g., /etc/crypto-policies/back-ends/openssh.config).

Comment 1 Nikos Mavrogiannopoulos 2017-08-24 11:26:29 UTC
It seems the code already falls back to reading /etc/ssh/ssh_config when no filename is set or no user config exists. However, in Fedora we use Include directives in the configuration file, which in turn include /etc/ssh/ssh_config.d/05-redhat.conf, and this includes /etc/crypto-policies/back-ends/openssh.config.

So this is pretty much an RFE to support recursive including of files.
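The recursive Include resolution this RFE asks for, as an added example in Python (not libssh's or OpenSSH's own code): it walks a constructed temp-dir copy of the Fedora chain ssh_config -> ssh_config.d/05-redhat.conf -> crypto-policies/openssh.config, applies ssh_config's first-match-wins rule so the policy's Ciphers line takes precedence over the later one in ssh_config, and uses a realpath-based seen set so a deliberate include loop terminates. Resolving relative Include paths against the including file's directory is a simplification; OpenSSH resolves them against /etc/ssh or ~/.ssh.

```python
import glob
import os
import tempfile

def parse_ssh_config(path, seen=None):
    """Return {keyword: value} with ssh_config's first-match-wins rule, following
    Include recursively (globs allowed, loops skipped). Simplification: relative
    includes resolve against the including file, not /etc/ssh or ~/.ssh."""
    seen = set() if seen is None else seen
    real = os.path.realpath(path)
    if real in seen:  # already processed: breaks include loops
        return {}
    seen.add(real)
    settings = {}
    try:
        with open(real, encoding="utf-8") as fh:
            lines = fh.read().splitlines()
    except FileNotFoundError:  # ssh ignores missing include targets
        return settings
    for raw in lines:
        parts = raw.strip().split(None, 1)
        if len(parts) != 2 or parts[0].startswith("#"):
            continue
        key, value = parts[0].lower(), parts[1].strip()
        if key != "include":
            settings.setdefault(key, value)  # first occurrence wins
            continue
        for pattern in value.split():
            if not os.path.isabs(pattern):
                pattern = os.path.join(os.path.dirname(real), pattern)
            for inc in sorted(glob.glob(pattern)):
                for k, v in parse_ssh_config(inc, seen).items():
                    settings.setdefault(k, v)
    return settings

def build_demo_tree():
    """Write a constructed temp-dir copy of the Fedora chain (the second Include
    in 05-redhat.conf is a deliberate loop); return the path of the top file."""
    root = tempfile.mkdtemp()
    files = {
        "ssh_config": "Include ssh_config.d/*.conf\nCiphers aes128-ctr\n",
        "ssh_config.d/05-redhat.conf": "Include ../crypto-policies/openssh.config\nInclude ../ssh_config\n",
        "crypto-policies/openssh.config": "Ciphers aes256-gcm@openssh.com,aes128-ctr\nMACs hmac-sha2-256\n",
    }
    for rel, body in files.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w", encoding="utf-8") as fh:
            fh.write(body)
    return os.path.join(root, "ssh_config")
```

Running `parse_ssh_config(build_demo_tree())` yields the policy file's Ciphers and MACs values, not the `aes128-ctr` line that follows the Include in ssh_config.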

Comment 2 Nikos Mavrogiannopoulos 2017-08-24 13:50:57 UTC
Created attachment 1317699 [details]
Support include files

