On Fri, 4 Oct 2019, Paul Heinlein wrote:
> Is it possible to mix and match crypto policies using approved tools
> in CentOS 8?
>
> Our environment requires a LEGACY setting for OpenSSL so we can
> maintain connections with our LDAP servers (which we cannot update
> at this time), but I'd like especially the OpenSSH settings to use
> the DEFAULT policy (and maybe even FUTURE on a test host or two).
>
> I think it's possible to manually repoint the symbolic links in
> /etc/crypto-policies/back-ends to achieve that result, and I'll set
> up puppet rules if that's the only way to do so, but I'd prefer to
> use a more canonical approach if one exists.
I received no replies to this query, so I hacked together a solution.
In case someone needs to know, it was essentially something like this:
# all operations run as root
update-crypto-policies --set LEGACY
systemctl reboot
# after system comes back online...
pushd /etc/crypto-policies/back-ends
# reconfigure SSH client operations using DEFAULT policy
rm openssh.config
ln -s /usr/share/crypto-policies/DEFAULT/openssh.txt \
openssh.config
# reconfigure sshd using DEFAULT policy and restart it
rm opensshserver.config
ln -s /usr/share/crypto-policies/DEFAULT/opensshserver.txt \
opensshserver.config
systemctl restart sshd.service
### voila
--
Paul Heinlein
heinlein at madboa.com
45°38' N, 122°6' W