[CentOS] Mix/match C8 crypto policies

Mon Oct 7 20:57:47 UTC 2019
Paul Heinlein <heinlein at madboa.com>

On Fri, 4 Oct 2019, Paul Heinlein wrote:

> Is it possible to mix and match crypto policies using approved tools 
> in CentOS 8?
>
> Our environment requires a LEGACY setting for OpenSSL so we can 
> maintain connections with our LDAP servers (which we cannot update 
> at this time), but I'd like especially the OpenSSH settings to use 
> the DEFAULT policy (and maybe even FUTURE on a test host or two).
>
> I think it's possible to manually repoint the symbolic links in 
> /etc/crypto-policies/back-ends to achieve that result, and I'll set 
> up puppet rules if that's the only way to do so, but I'd prefer to 
> use a more canonical approach if one exists.

I received no replies to this query, so I hacked together a solution. 
In case someone needs to know, it was essentially something like this:

# all operations run as root
update-crypto-policies --set LEGACY
systemctl reboot

# after system comes back online...
pushd /etc/crypto-policies/back-ends

# reconfigure SSH client operations using DEFAULT policy
rm openssh.config
ln -s /usr/share/crypto-policies/DEFAULT/openssh.txt \
       openssh.config

# reconfigure sshd using DEFAULT policy and restart it
rm opensshserver.config
ln -s /usr/share/crypto-policies/DEFAULT/opensshserver.txt \
       opensshserver.config
systemctl restart sshd.service

### voila

-- 
Paul Heinlein
heinlein at madboa.com
45°38' N, 122°6' W