On Fri, 4 Oct 2019, Paul Heinlein wrote:

> Is it possible to mix and match crypto policies using approved tools
> in CentOS 8?
>
> Our environment requires a LEGACY setting for OpenSSL so we can
> maintain connections with our LDAP servers (which we cannot update
> at this time), but I'd like especially the OpenSSH settings to use
> the DEFAULT policy (and maybe even FUTURE on a test host or two).
>
> I think it's possible to manually repoint the symbolic links in
> /etc/crypto-policies/back-ends to achieve that result, and I'll set
> up puppet rules if that's the only way to do so, but I'd prefer to
> use a more canonical approach if one exists.

I received no replies to this query, so I hacked together a solution.
In case someone needs to know, it was essentially something like this:

  # all operations run as root
  update-crypto-policies --set LEGACY
  systemctl reboot

  # after system comes back online...
  pushd /etc/crypto-policies/back-ends

  # reconfigure SSH client operations using DEFAULT policy
  rm openssh.config
  ln -s /usr/share/crypto-policies/DEFAULT/openssh.txt \
      openssh.config

  # reconfigure sshd using DEFAULT policy and restart it
  rm opensshserver.config
  ln -s /usr/share/crypto-policies/DEFAULT/opensshserver.txt \
      opensshserver.config
  systemctl restart sshd.service

  ### voila

-- 
Paul Heinlein
heinlein at madboa.com
45°38' N, 122°6' W
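The procedure above repoints two back-end symlinks by hand. The script below is an added example (not Paul's code, and not part of the crypto-policies package) that does the same thing as a reusable, idempotent function suitable for a configuration-management exec: it checks that the policy file for the requested back-end exists before touching anything, reports which policy a back-end currently uses, and only rewrites the link when it differs. It assumes the CentOS 8 layout the post relies on, shipped policies under /usr/share/crypto-policies/<POLICY>/<backend>.txt and symlinks under /etc/crypto-policies/back-ends/<backend>.config. The ROOT variable is a hypothetical prefix added so the functions can be exercised against a scratch directory tree without root.

```shell
#!/bin/sh
# Added example: pin individual crypto-policies back-ends to a policy other
# than the system-wide one. Not from the original post.
# Assumed layout (CentOS/RHEL 8):
#   $ROOT/usr/share/crypto-policies/<POLICY>/<backend>.txt   shipped policy files
#   $ROOT/etc/crypto-policies/back-ends/<backend>.config     one symlink per back-end
# ROOT is a hypothetical prefix for testing; leave it empty on a real host.
set -eu

ROOT="${ROOT:-}"

# backend_policy BACKEND
# Print the policy name a back-end symlink currently points into
# (the directory component just before <backend>.txt), e.g. LEGACY.
backend_policy() {
    link="$ROOT/etc/crypto-policies/back-ends/$1.config"
    [ -L "$link" ] || { echo "not a symlink: $link" >&2; return 1; }
    readlink "$link" | awk -F/ '{ print $(NF-1) }'
}

# pin_backend BACKEND POLICY
# Point BACKEND's symlink at POLICY's file for that back-end.
# Refuses if the policy file does not exist; no-op if already pinned.
pin_backend() {
    backend="$1"; policy="$2"
    target="$ROOT/usr/share/crypto-policies/$policy/$backend.txt"
    link="$ROOT/etc/crypto-policies/back-ends/$backend.config"
    if [ ! -f "$target" ]; then
        echo "no $backend policy file for $policy: $target" >&2
        return 1
    fi
    if [ -L "$link" ] && [ "$(readlink "$link")" = "$target" ]; then
        echo "$backend already uses $policy"
        return 0
    fi
    # -f replaces the existing link atomically enough for a config file;
    # -n keeps ln from descending into a directory target.
    ln -sfn "$target" "$link"
    echo "$backend now uses $policy"
}

# Usage on a real host (as root, after update-crypto-policies --set LEGACY):
#   ./pin-backend.sh openssh DEFAULT opensshserver DEFAULT
#   systemctl restart sshd.service
# Pairs of BACKEND POLICY arguments are applied in order.
while [ $# -ge 2 ]; do
    pin_backend "$1" "$2"
    shift 2
done
```

One caveat worth wiring into whatever applies this: update-crypto-policies regenerates every symlink in /etc/crypto-policies/back-ends, so any later policy change on the host silently undoes the pin. Re-running the script after each update-crypto-policies invocation (or having Puppet enforce the link target, as the post suggests) keeps the OpenSSH back-ends on DEFAULT while OpenSSL and the other back-ends stay on LEGACY.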