[CentOS] CentOS8 and crypto-policies

Fri Oct 4 13:09:09 UTC 2019
Stephen John Smoogen <smooge at gmail.com>

On Fri, 4 Oct 2019 at 03:49, Todor Petkov <petkovptodor at gmail.com> wrote:
>
> Hi,
>
> I started playing with CentOS8 and I am trying to set default crypto
> policies for openssh server/client. In CentOS7 I followed the guide
> from https://infosec.mozilla.org/guidelines/openssh.html and set
> KexAlgorithms /Ciphers/MACs in sshd_config.
>
> In CentOS8 I can edit
> /usr/share/crypto-policies/$POLICY/opensshserver.txt for the sshd
> arguments, but editing openssh.txt or even changing default crypto
> policy to FIPS seems to not affect the client options (ssh -Q mac)
>
> Is the client supposed to be affected by these policies or they are
> only for the server?
>

There seem to be 2 files in that directory
./DEFAULT/openssh.txt
./DEFAULT/opensshserver.txt
./EMPTY/openssh.txt
./EMPTY/opensshserver.txt
./FIPS/openssh.txt
./FIPS/opensshserver.txt
./FUTURE/openssh.txt
./FUTURE/opensshserver.txt
./LEGACY/openssh.txt
./LEGACY/opensshserver.txt

So I would guess that you need to edit the openssh.txt for clients.
HOWEVER, /etc/ssh/ssh_config will tell you that this is only the last
default:

# Configuration data is parsed as follows:
#  1. command line options
#  2. user-specific file
#  3. system-wide file
# Any configuration value is only changed the first time it is set.
# Thus, host-specific definitions should be at the beginning of the
# configuration file, and defaults at the end.

If the user sets things differently on the command line or in their
.ssh/config file, it will override your defaults.


Another thing: to determine how the policies are set, I would
recommend reading through those config files. They will say that they
are looking to include data in /etc/ssh/ssh_config.d/*, which has
/etc/ssh/ssh_config.d/05-redhat.conf on my system. Going into that,
it says it will attempt to

Include /etc/crypto-policies/back-ends/openssh.config

which will be pointing to the file you want. Since that file might
change in an update, you may want to override settings by putting the
defaults you want in
01_site_defaults.cfg

which would then get read in before 05-redhat.conf and be the ones to use.




-- 
Stephen J Smoogen.
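The ordering effect described in the reply above, as an added example that is not part of the mailing-list thread or of the crypto-policies package: the script builds a constructed stand-in for the ssh_config / ssh_config.d / crypto-policies back-end tree under a temp directory (the file contents are made up for the demo, not copied from a real RHEL 8 host) and then resolves a keyword the way ssh(1) does, where the first line that sets a value wins and Include directives are expanded in sorted glob order. It assumes the system ssh_config pulls in /etc/ssh/ssh_config.d/*.conf, so the site override is named 01_site_defaults.conf; check the actual Include line on your host before choosing a suffix, because a file whose name does not match the glob is silently never read. Host/Match blocks are not evaluated (every line is treated as applying), which is enough to show the precedence.

```shell
#!/bin/sh
# Added example: emulate ssh(1) "first value wins" resolution over a
# constructed config tree. Not code from the post or from crypto-policies.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed stand-ins for the real files (all rooted under $WORK).
mkdir -p "$WORK/etc/ssh/ssh_config.d" "$WORK/etc/crypto-policies/back-ends"
cat > "$WORK/etc/crypto-policies/back-ends/openssh.config" <<'EOF'
# Pretend output of the active policy (values are illustrative only)
Ciphers aes256-gcm@openssh.com,chacha20-poly1305@openssh.com,aes256-ctr
MACs hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com
KexAlgorithms curve25519-sha256,ecdh-sha2-nistp256
EOF
cat > "$WORK/etc/ssh/ssh_config.d/05-redhat.conf" <<'EOF'
# Vendor drop-in (assumed content): pulls in the crypto-policies back-end
Include /etc/crypto-policies/back-ends/openssh.config
EOF
cat > "$WORK/etc/ssh/ssh_config" <<'EOF'
Include /etc/ssh/ssh_config.d/*.conf
Host *
EOF

# resolve_option ROOT FILE KEYWORD
# Walk FILE and any Include it references (glob-expanded, sorted) in the
# order ssh(1) reads them; print the first value set for KEYWORD and
# return 0, or return 1 if nothing sets it. Keywords are case-insensitive.
resolve_option() {
    root=$1; file=$2
    want=$(printf '%s' "$3" | tr 'A-Z' 'a-z')
    [ -f "$file" ] || return 1
    while read -r key value || [ -n "$key" ]; do
        case $key in
            ''|'#'*) continue ;;          # blank line or comment
        esac
        lc=$(printf '%s' "$key" | tr 'A-Z' 'a-z')
        if [ "$lc" = include ]; then
            # Unquoted on purpose: let the shell expand the glob, sorted,
            # and re-root the absolute path under $root for the demo.
            for inc in $root$value; do
                [ -f "$inc" ] || continue
                if hit=$(resolve_option "$root" "$inc" "$want"); then
                    printf '%s\n' "$hit"
                    return 0
                fi
            done
        elif [ "$lc" = "$want" ]; then
            printf '%s\n' "$value"        # first setting wins
            return 0
        fi
    done < "$file"
    return 1
}

CFG="$WORK/etc/ssh/ssh_config"

# 1. Stock layout: the value comes from the crypto-policies back-end.
printf 'Ciphers (stock):   %s\n' "$(resolve_option "$WORK" "$CFG" Ciphers)"

# 2. Site override in ssh_config.d: "01" sorts before "05", so it is read
#    first and wins for Ciphers; keywords it does not set (MACs, Kex)
#    still fall through to the policy file.
cat > "$WORK/etc/ssh/ssh_config.d/01_site_defaults.conf" <<'EOF'
Ciphers chacha20-poly1305@openssh.com
EOF
printf 'Ciphers (override): %s\n' "$(resolve_option "$WORK" "$CFG" Ciphers)"
printf 'MACs (still policy): %s\n' "$(resolve_option "$WORK" "$CFG" MACs)"
```

On a real host the same check is one command, since the client will print its effective configuration after all includes and user files are merged: ssh -G some.host | grep -i '^ciphers'. Run it once as the user in question, because their ~/.ssh/config and command-line options sit above the system file in the same first-wins order.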