Bug 2138540 - howto create a specific crypto-policy for SSH
Summary: howto create a specific crypto-policy for SSH
Keywords:
Status: CLOSED DUPLICATE of bug 2164847
Alias: None
Product: Fedora
Classification: Fedora
Component: crypto-policies
Version: 37
Hardware: x86_64
OS: Linux
unspecified
low
Target Milestone: ---
Assignee: Red Hat Crypto Team
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2022-10-29 14:18 UTC by Frank Ansari
Modified: 2023-03-28 13:16 UTC (History)

Fixed In Version:
Clone Of:
Environment:
Last Closed: 2023-03-28 13:16:20 UTC
Type: Bug
Embargoed:
fedora-admin-xmlrpc: mirror+




Links
System ID Private Priority Status Summary Last Updated
Red Hat Issue Tracker FC-640 0 None None None 2022-10-29 14:21:24 UTC

Description Frank Ansari 2022-10-29 14:18:26 UTC
Description of problem:
I am trying to set up a crypto-policy for an SSH server. Of course I could go the opt-out way. But I would like to figure out how to do it with a crypto-policy.

Version-Release number of selected component (if applicable):
crypto-policies-scripts-20220815-1.gite4ed860.fc37.noarch

How reproducible:
Install ssh-audit.py (https://github.com/jtesta/ssh-audit) and try to figure out how to set up a policy without errors or warnings.

Steps to Reproduce:
1. cp /usr/share/crypto-policies/policies/DEFAULT.pol \
   /etc/crypto-policies/policies/MYPOLICY.pol
2. update-crypto-policies --set MYPOLICY
3. Adjust the policy so that ssh-audit.py throws no error or warnings.

Actual results:
Here an example what I have set:

mac@SSH = HMAC-SHA2-512

According to ssh-audit I should not set hmac-sha2-512 but only hmac-sha2-512-etm. With the setting above update-crypto-policies sets both. I have tried to set these values:

HMAC-SHA2-512-ETM
HMAC-SHA2-512-ETM
HMAC-SHA2-512-*
HMAC-SHA2-512-+

All these attempts give errors like:

AlgorithmEmptyMatchError: Bad value of policy property `mac`: `hmac-sha2-512-*`
Errors found in policy, first one:
Bad value of policy property `mac`: `HMAC-SHA2-512-*`


Expected results:
There should be a way to get the desired result. It is unclear to me what the configuration syntax is.

Additional info:
I have similar questions for other parameters.

For example: if I want to get this result:

KexAlgorithms curve25519-sha256,curve25519-sha256

How do I have to configure this in the policy?

Comment 1 Alexander Sosedkin 2022-10-31 10:11:03 UTC
> According to ssh-audit I should not set hmac-sha2-512 but only hmac-sha2-512-etm

I believe that is possible with
    mac@SSH = HMAC-SHA2-512
    ssh_etm = 0

> KexAlgorithms curve25519-sha256,curve25519-sha256

These require enabling ECDHE key_exchange, X25519 group and SHA2-256 hash.

Hope that helps.
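An added check, not part of the bug report or of crypto-policies itself: after `update-crypto-policies --set MYPOLICY`, read the generated OpenSSH server back-end file and flag every MAC that is not an -etm variant, which is exactly what ssh-audit objects to. It assumes the back-end lives at /etc/crypto-policies/back-ends/opensshserver.config in sshd_config style (one `MACs ...` line); the sample file content is constructed.

```shell
#!/bin/sh
# Added example (not from the bug report or the crypto-policies project).
# Verifies that the OpenSSH server back-end generated by update-crypto-policies
# offers only encrypt-then-MAC (-etm) MACs, the condition ssh-audit checks for.

# Print the MACs from a "MACs a,b,c" line that are NOT -etm variants.
# Returns 0 if every MAC is an -etm variant, 1 otherwise.
non_etm_macs() {
    line="$1"
    list=${line#MACs }
    offenders=""
    IFS=,
    for mac in $list; do
        case "$mac" in
            *-etm@openssh.com) ;;                                  # acceptable
            *) offenders="${offenders:+$offenders,}$mac" ;;       # flagged
        esac
    done
    unset IFS
    printf '%s\n' "$offenders"
    [ -z "$offenders" ]
}

# Locate the MACs line in a generated back-end file and report the verdict.
# Returns 0 when only -etm MACs are offered, 1 when others remain, 2 if no MACs line.
check_config() {
    file="$1"
    macs_line=$(grep '^MACs ' "$file" | head -n 1)
    [ -n "$macs_line" ] || { echo "no MACs line in $file" >&2; return 2; }
    if bad=$(non_etm_macs "$macs_line"); then
        echo "OK: only -etm MACs offered by $file"
    else
        echo "non-etm MACs still offered by $file: $bad"
        return 1
    fi
}

# Constructed sample standing in for /etc/crypto-policies/back-ends/opensshserver.config
# after "mac@SSH = HMAC-SHA2-512": the bug report observed both variants being emitted.
sample=$(mktemp)
cat > "$sample" <<'EOF'
Ciphers aes256-gcm@openssh.com,chacha20-poly1305@openssh.com
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-512
EOF
check_config "$sample" || rc=$?
rm -f "$sample"
```

On a real host, pass /etc/crypto-policies/back-ends/opensshserver.config to check_config after each policy change, since the file is regenerated only when update-crypto-policies runs.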

Comment 2 Alexander Sosedkin 2022-10-31 10:13:39 UTC
> According to ssh-audit I should not set hmac-sha2-512 but only hmac-sha2-512-etm

Oh, wait, you want just the etm one. I don't think that's possible with crypto-policies,
so you might consider opting out of it if you want to observe such a custom and rigid policy:
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/9/html/security_hardening/using-the-system-wide-cryptographic-policies_security-hardening#excluding-an-application-from-following-the-system-wide-crypto-policies_using-the-system-wide-cryptographic-policies

Comment 3 Alexander Sosedkin 2023-03-28 13:16:20 UTC

*** This bug has been marked as a duplicate of bug 2164847 ***

