On Fri, 4 Oct 2019 at 03:49, Todor Petkov <petkovptodor at gmail.com> wrote: > > Hi, > > I started playing with CentOS8 and I am trying to set default crypto > policies for openssh server/client. In CentOS7 I followed the guide > from https://infosec.mozilla.org/guidelines/openssh.html and set > KexAlgorithms /Ciphers/MACs in sshd_config. > > In CentOS8 I can edit > /usr/share/crypto-policies/$POLICY/opensshserver.txt for the sshd > arguments, but editing openssh.txt or even changing default crypto > policy to FIPS seems to not affect the client options (ssh -Q mac) > > Is the client supposed to be affected by these policies or they are > only for the server? > There seem to be 2 files in that directory ./DEFAULT/openssh.txt ./DEFAULT/opensshserver.txt ./EMPTY/openssh.txt ./EMPTY/opensshserver.txt ./FIPS/openssh.txt ./FIPS/opensshserver.txt ./FUTURE/openssh.txt ./FUTURE/opensshserver.txt ./LEGACY/openssh.txt ./LEGACY/opensshserver.txt So I would guess that you need to edit the openssh.txt for clients. HOWEVER, the /etc/ssh/ssh_config will tell you that this is only last default: # Configuration data is parsed as follows: # 1. command line options # 2. user-specific file # 3. system-wide file # Any configuration value is only changed the first time it is set. # Thus, host-specific definitions should be at the beginning of the # configuration file, and defaults at the end. If the user sets things differently on the command line or in their .ssh/config file.. it will override your defaults. Another thing.. to determine how the policies are set, I would recommend reading through those config files. They will say that they are looking to include data in /etc/ssh/ssh_config.d/* which has /etc/ssh/ssh_config.d/05-redhat.conf on my system. Going into that.. it says it will attempt to Include /etc/crypto-policies/back-ends/openssh.config which will be pointing to the file you want. Since htat file might change in an update, you may want to override settings by putting the defaults you want in 01_site_defaults.cfg which would then get read in before 05-redhat.conf and be the ones to use. -- Stephen J Smoogen.