Skip to content

Use crypto-policies to configure RHEL8 sshd algorithms#4676

Merged
matusmarhefka merged 1 commit intoComplianceAsCode:masterfrom
yuumasato:use_sshd_crypto_policies
Aug 7, 2019
Merged

Use crypto-policies to configure RHEL8 sshd algorithms#4676
matusmarhefka merged 1 commit intoComplianceAsCode:masterfrom
yuumasato:use_sshd_crypto_policies

Conversation

@yuumasato
Copy link
Copy Markdown
Member

@yuumasato yuumasato commented Aug 5, 2019

Description:

  • In RHEL8, configure SSHD Ciphers and MACs via system-wide crypto policies

Rationale:

@yuumasato yuumasato added this to the 0.1.46 milestone Aug 5, 2019
@yuumasato
Copy link
Copy Markdown
Member Author

yuumasato commented Aug 5, 2019

See also: #3677

@dahaic
Copy link
Copy Markdown
Contributor

dahaic commented Aug 5, 2019

@vojtapolasek can you review this one? :)

shawndwells
shawndwells suggested changes Aug 5, 2019
View reviewed changes
Copy link
Copy Markdown
Member

@shawndwells shawndwells left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Seems like more is needed. For example, how do we ensure the running system is using the FIPS ciphers? What provides assurance sshd is using crypto-policies?

@yuumasato
Copy link
Copy Markdown
Member Author

yuumasato commented Aug 5, 2019

Seems like more is needed. For example, how do we ensure the running system is using the FIPS ciphers? What provides assurance sshd is using crypto-policies?

@shawndwells I'm not sure what kind of assurance you are looking for.
I would say that setting a crypto-policy is very similar to setting a config file. In both cases, you set it, and the application will use it. It just happens that with crypto policies there is an extra layer that sets it for a bunch of libraries.

From Chapter 3. Using system-wide cryptographic policies:
Once a system-wide policy is set up, applications in RHEL follow it and refuse to use algorithms and protocols that do not meet the policy, unless you explicitly request the application to do so.

@matusmarhefka matusmarhefka self-assigned this Aug 7, 2019
@matusmarhefka
Copy link
Copy Markdown
Member

matusmarhefka commented Aug 7, 2019

LGTM

@matusmarhefka matusmarhefka merged commit 8ece060 into ComplianceAsCode:master Aug 7, 2019
@yuumasato yuumasato deleted the use_sshd_crypto_policies branch August 7, 2019 09:00
@yuumasato yuumasato mentioned this pull request Aug 8, 2019
Closed
@mildas mildas mentioned this pull request Aug 12, 2019
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

1 more reviewer

@shawndwells shawndwells shawndwells requested changes

Reviewers whose approvals may not affect merge requirements

Assignees

@matusmarhefka matusmarhefka

Labels

None yet

Projects

None yet

Milestone

0.1.46

Development

Successfully merging this pull request may close these issues.

4 participants

@yuumasato @dahaic @matusmarhefka @shawndwells