Bug 1812854 - RFE: Provide more details regarding "System-wide Crypto policy" in /etc/ssh/sshd_config

Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 8
Classification: Red Hat
Component: openssh
Version: 8.1
Hardware: All
OS: All
Priority: medium
Severity: medium
Target Milestone: rc
Target Release: 8.0
Assignee: Jakub Jelen
QA Contact: Ondrej Moriš
URL:
Whiteboard:
Depends On:
Blocks:

Reported: 2020-03-12 10:51 UTC by Renaud Métrich
Modified: 2023-09-07 22:20 UTC (History)

Fixed In Version: openssh-8.0p1-5.el8
Doc Type: No Doc Update
Doc Text:
Clone Of:
Environment:
Last Closed: 2020-11-04 01:32:00 UTC
Type: Bug
Target Upstream Version:
Embargoed:

Links
System ID: Red Hat Product Errata RHBA-2020:4439
Private: 0
Priority: None
Status: None
Summary: None
Last Updated: 2020-11-04 01:32:10 UTC

Description Renaud Métrich 2020-03-12 10:51:56 UTC
Description of problem:

The current comment is seen in /etc/ssh/sshd_config:

-------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------
# System-wide Crypto policy:
# This system is following system-wide crypto policy. The changes to
# Ciphers, MACs, KexAlgoritms and GSSAPIKexAlgorithsm will not have any
# effect here. They will be overridden by command-line options passed on
# the server start up.
# To opt out, uncomment a line with redefinition of  CRYPTO_POLICY=
# variable in  /etc/sysconfig/sshd  to overwrite the policy.
# For more information, see manual page for update-crypto-policies(8).
-------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------

This text contains typos ("KexAlgoritms" -> "KexAlgorithms") and is quite obscure ("To opt out, uncomment a line with redefinition of  CRYPTO_POLICY=" is not really clear to me).
Additionally, when enabling FIPS, more properties than the ones listed will be ignored, such as "PubkeyAcceptedKeyTypes", "HostKeyAlgorithms" and "CASignatureAlgorithms".

I would suggest the following wording instead:
"
This system is following system-wide crypto policy, hence the content of the CRYPTO_POLICY environment variable defined in /etc/sysconfig/sshd or in /etc/crypto-policies/back-ends/opensshserver.config will override the corresponding properties defined in this file (e.g. Ciphers, MACs, ...).

To not use system-wide crypto policy, uncomment the line CRYPTO_POLICY= in /etc/sysconfig/sshd.
For more information, see manual page for update-crypto-policies(8).
"

Version-Release number of selected component (if applicable):

openssh-server-8.0p1-4.el8_1.x86_64

Additional info:

Comment 1 Jakub Jelen 2020-03-16 08:21:37 UTC
I agree that this might be a bit confusing. I will try to reword the paragraphs in the manual page. But this snippet is not supposed to be full-fledged documentation, but more something like a landing point, if you really do not know what is going on, to direct you to the appropriate manual page, which should really be the place that documents the thing in more detail.

So rather than extending this snippet, I would rather make it shorter and focus on improving the documentation in the actual manual page. Does the paragraph there make sense for you or is there something you would improve there?

Comment 2 Renaud Métrich 2020-03-16 08:40:23 UTC
Alright, maybe something like this:

"
This system is following system-wide crypto policy, hence most of the crypto properties (Ciphers, MACs, ...) cannot be configured in this file anymore.
Please check sshd_config(5) manpage for details.
"

What is apparently missing is a section regarding system-wide crypto policy in the manpage.

Comment 3 Jakub Jelen 2020-03-16 09:59:33 UTC
(In reply to Renaud Métrich from comment #2)
> Alright, maybe something like this:
> 
> "
> This system is following system-wide crypto policy, hence most of the crypto
> properties (Ciphers, MACs, ...) cannot be configured in this file anymore.

It is not true that the options cannot be configured here. This is a configuration file and if you opt out from crypto policies according to the update-crypto-policies man page, you are configuring everything here.

I like the idea of not listing all the options here as it makes it hard to keep them in sync with crypto policies (we already try to keep them up to date in manual page).

> Please check sshd_config(5) manpage for details.
> "

This should actually reference both the sshd_config and update-crypto-policies man pages, as the first should list the up-to-date options affected by crypto policies and the other the suggested/supported way for opting out of/overriding the configuration.

> What is apparently missing is a section regarding system-wide crypto policy
> in the manpage.

At this moment, I would probably suggest something like this:

# This system is following system-wide crypto policy. The changes to
# crypto properties (Ciphers, MACs, ...) will not have any effect here.
# They will be overridden by command-line options passed to the server
# on command line.
# Please, check manual pages for update-crypto-policies(8) and sshd_config(5).

Let me know what you think.

Comment 4 Renaud Métrich 2020-03-16 10:02:11 UTC
I'm good with this.

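The override mechanism the report and comment 3 describe (the CRYPTO_POLICY variable taken from /etc/crypto-policies/back-ends/opensshserver.config or /etc/sysconfig/sshd and handed to sshd as command-line -o options, with an uncommented CRYPTO_POLICY= line in /etc/sysconfig/sshd opting out), as an added example that is not code from the bug report, from openssh or from the crypto-policies package. It assumes the RHEL 8 sshd.service layout of loading the crypto-policies back-end file before /etc/sysconfig/sshd and starting `sshd -D $OPTIONS $CRYPTO_POLICY`; the three configuration files, the short policy string and the helper names are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the bug, openssh or crypto-policies). Models how the
# system-wide crypto policy reaches sshd on RHEL 8 and which sshd_config
# keywords it silently overrides. Assumption: systemd reads the back-end file,
# then /etc/sysconfig/sshd (later definitions win), and every -oName=value in
# CRYPTO_POLICY lands on sshd's argv, where it beats the same keyword in
# /etc/ssh/sshd_config. All file contents below are constructed for the example.

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed stand-in for /etc/crypto-policies/back-ends/opensshserver.config.
cat >"$WORK/opensshserver.config" <<'EOF'
CRYPTO_POLICY='-oCiphers=aes256-gcm@openssh.com,chacha20-poly1305@openssh.com -oMACs=hmac-sha2-256-etm@openssh.com -oKexAlgorithms=curve25519-sha256 -oHostKeyAlgorithms=ssh-ed25519 -oPubkeyAcceptedKeyTypes=ssh-ed25519 -oCASignatureAlgorithms=ssh-ed25519'
EOF

# Constructed /etc/sysconfig/sshd as shipped: the opt-out line stays commented.
cat >"$WORK/sysconfig.default" <<'EOF'
# System-wide crypto policy:
# To opt-out, uncomment the following line
# CRYPTO_POLICY=
EOF

# The same file after an administrator opts out by uncommenting the line.
cat >"$WORK/sysconfig.optout" <<'EOF'
# System-wide crypto policy:
# To opt-out, uncomment the following line
CRYPTO_POLICY=
EOF

# Constructed sshd_config: the admin re-enabled a CBC cipher and SHA-1 MAC here.
cat >"$WORK/sshd_config" <<'EOF'
Ciphers aes128-cbc,aes256-gcm@openssh.com
MACs hmac-sha1
PermitRootLogin no
EOF

# Emulate the unit's EnvironmentFile handling: source the back-end file, then
# the sysconfig file, inside a subshell. Prints the effective CRYPTO_POLICY
# string; an uncommented CRYPTO_POLICY= in sysconfig empties it (opt-out).
effective_crypto_policy() {
    backend=$1 sysconfig=$2
    (
        CRYPTO_POLICY=
        for f in "$backend" "$sysconfig"; do
            if [ -r "$f" ]; then . "$f"; fi
        done
        printf '%s' "$CRYPTO_POLICY"
    )
}

# Print the keyword of every -oName=value token in the policy string, one per
# line: these are exactly the sshd_config keywords the policy overrides.
overridden_keywords() {
    printf '%s\n' "$1" | tr ' ' '\n' | sed -n 's/^-o\([A-Za-z]*\)=.*/\1/p'
}

# Print the keywords that are set in the given sshd_config but also appear in
# the policy string, i.e. the settings an admin made that have no effect.
# sshd_config keywords are case-insensitive, hence grep -i.
ineffective_settings() {
    config=$1 policy=$2
    overridden_keywords "$policy" | while read -r kw; do
        if grep -qi "^[[:space:]]*$kw[[:space:]]" "$config"; then
            printf '%s\n' "$kw"
        fi
    done
}

# Demonstration: default state (following the policy) versus opted out.
POLICY=$(effective_crypto_policy "$WORK/opensshserver.config" "$WORK/sysconfig.default")
echo "Following system-wide policy; sshd argv: /usr/sbin/sshd -D $POLICY"
echo "sshd_config keywords with no effect:"
ineffective_settings "$WORK/sshd_config" "$POLICY"

POLICY_OPTOUT=$(effective_crypto_policy "$WORK/opensshserver.config" "$WORK/sysconfig.optout")
echo "Opted out; CRYPTO_POLICY is '${POLICY_OPTOUT}', so sshd_config is authoritative."
```

On a real RHEL 8 host the quickest way to tell which of the two states a machine is in is the running daemon's command line (`ps -o args -C sshd`): when the system follows the policy, the -o options from CRYPTO_POLICY appear after `-D`, and any Ciphers, MACs, Kex or key-type keyword in /etc/ssh/sshd_config is overridden by them, FIPS or not.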
Comment 9 Ondrej Moriš 2020-04-01 19:11:07 UTC
Successfully verified.

OLD (openssh-8.0p1-4.el8_1)
===========================
# System-wide Crypto policy:
# This system is following system-wide crypto policy. The changes to
# Ciphers, MACs, KexAlgoritms and GSSAPIKexAlgorithsm will not have any
# effect here. They will be overridden by command-line options passed on
# the server start up.
# To opt out, uncomment a line with redefinition of  CRYPTO_POLICY=
# variable in  /etc/sysconfig/sshd  to overwrite the policy.
# For more information, see manual page for update-crypto-policies(8).

NEW (openssh-8.0p1-5.el8)
=========================
# This system is following system-wide crypto policy. The changes to
# crypto properties (Ciphers, MACs, ...) will not have any effect here.
# They will be overridden by command-line options passed to the server
# on command line.
# Please, check manual pages for update-crypto-policies(8) and sshd_config(5).

Comment 13 errata-xmlrpc 2020-11-04 01:32:00 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (openssh bug fix and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2020:4439

