Richard W.M. Jones
2020-Jan-15 10:57 UTC
[Libguestfs] [PATCH v2v] docs: Fix update-crypto-policies command.
The command as documented was wrong. We need to use the --set option to change the policy. Fixes commit d5cbe7b4bee5dec9e28b1db03e933c97ef6d11e0. Thanks: Xiaodai Wang --- docs/virt-v2v-input-xen.pod | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/virt-v2v-input-xen.pod b/docs/virt-v2v-input-xen.pod index bafeabf62..bce0aff45 100644 --- a/docs/virt-v2v-input-xen.pod +++ b/docs/virt-v2v-input-xen.pod @@ -36,7 +36,7 @@ to interoperate with RHEL 5 sshd are disabled. To enable them you may need to run this command on the conversion server (ie. ssh client), but read L<update-crypto-policies(8)> first: - # update-crypto-policies LEGACY + # update-crypto-policies --set LEGACY =head2 Test libvirt connection to remote Xen host -- 2.24.1
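Review bot: the corrected line `# update-crypto-policies --set LEGACY` changes the policy for the whole conversion server, and the text around it never says how to return to the previous policy. Suggest adding a sentence after the command telling the reader to note the current policy with `update-crypto-policies --show` before the change and to restore it (for example `update-crypto-policies --set DEFAULT`) once the conversion is finished.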
Daniel P. Berrangé
2020-Jan-15 11:03 UTC
Re: [Libguestfs] [PATCH v2v] docs: Fix update-crypto-policies command.
On Wed, Jan 15, 2020 at 10:57:36AM +0000, Richard W.M. Jones wrote:
> The command as documented was wrong. We need to use the --set option > to change the policy. > > Fixes commit d5cbe7b4bee5dec9e28b1db03e933c97ef6d11e0. > Thanks: Xiaodai Wang > --- > docs/virt-v2v-input-xen.pod | 2 +- > 1 file changed, 1 insertion(+), 1 deletion(-) > > diff --git a/docs/virt-v2v-input-xen.pod b/docs/virt-v2v-input-xen.pod > index bafeabf62..bce0aff45 100644 > --- a/docs/virt-v2v-input-xen.pod > +++ b/docs/virt-v2v-input-xen.pod > @@ -36,7 +36,7 @@ to interoperate with RHEL 5 sshd are disabled. To enable them you may > need to run this command on the conversion server (ie. ssh client), > but read L<update-crypto-policies(8)> first: > > - # update-crypto-policies LEGACY > + # update-crypto-policies --set LEGACY

Personally I would not be in favour of recommending that people change their crypto policies host-wide, especially since the doc is not telling them to set it back to the stronger default policy later.

If the problem is simply the SSH server, then it ought to be possible to address this using the "Ciphers" config option for the SSH client, so that it doesn't weaken crypto for the entire host.

Regards,
Daniel
--
|: https://berrange.com -o- https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org -o- https://fstop138.berrange.com :|
|: https://entangle-photo.org -o- https://www.instagram.com/dberrange :|
Richard W.M. Jones
2020-Jan-15 13:21 UTC
Re: [Libguestfs] [PATCH v2v] docs: Fix update-crypto-policies command.
On Wed, Jan 15, 2020 at 11:03:24AM +0000, Daniel P. Berrangé wrote:
> On Wed, Jan 15, 2020 at 10:57:36AM +0000, Richard W.M. Jones wrote: > > The command as documented was wrong. We need to use the --set option > > to change the policy. > > > > Fixes commit d5cbe7b4bee5dec9e28b1db03e933c97ef6d11e0. > > Thanks: Xiaodai Wang > > --- > > docs/virt-v2v-input-xen.pod | 2 +- > > 1 file changed, 1 insertion(+), 1 deletion(-) > > > > diff --git a/docs/virt-v2v-input-xen.pod b/docs/virt-v2v-input-xen.pod > > index bafeabf62..bce0aff45 100644 > > --- a/docs/virt-v2v-input-xen.pod > > +++ b/docs/virt-v2v-input-xen.pod 
> > @@ -36,7 +36,7 @@ to interoperate with RHEL 5 sshd are disabled. To enable them you may > > need to run this command on the conversion server (ie. ssh client), > > but read L<update-crypto-policies(8)> first: > > > > - # update-crypto-policies LEGACY > > + # update-crypto-policies --set LEGACY
>
> Personally I would not be in favour of recommending that people change their crypto policies host-wide, especially since the doc is not telling them to set it back to the stronger default policy later.
>
> If the problem is simply the SSH server, then it ought to be possible to address this using the "Ciphers" config option for the SSH client, so that it doesn't weaken crypto for the entire host.

That's the "but read the <manual> first" part of the documentation.

Anyway I looked at how easy this might be to implement. The first complication is that we're using two different ways to contact the RHEL 5 Xen server, first making a libvirt connection to xen+ssh, and then using nbdkit-ssh-plugin.

Libvirt is using the ssh binary, but with no control over the -c / Ciphers option. However /usr/bin/ssh will honour crypto-policies.

nbdkit is using libssh, so again it's not settable directly but it will honour crypto-policies.

It seems as if it's possible to set crypto-policies only for SSH protocol connections, but the documentation for this is obscure to say the least. Since we're using external binaries to do the work it doesn't seem like we can do this only for virt-v2v.

Rich.

--
Richard Jones, Virtualization Group, Red Hat http://people.redhat.com/~rjones
Read my programming and virtualization blog: http://rwmj.wordpress.com
virt-p2v converts physical machines to virtual machines. Boot with a live CD or over the network (PXE) and turn machines into KVM guests.
http://libguestfs.org/virt-v2v
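The thread's concern that the documented command leaves the conversion server on LEGACY can be handled by scoping the change to one command. The shell function below is an added example, not part of the virt-v2v documentation or of any message in this thread; it records the active policy with `update-crypto-policies --show`, switches policy for a single command, and restores the recorded policy afterwards. The function name `with_crypto_policy` and the `UCP` override variable are assumptions of this example.

```shell
# Tool path override; UCP is an assumption of this example (used for testing).
UCP="${UCP:-update-crypto-policies}"

# Usage (as root): with_crypto_policy LEGACY <command> [args...]
# The policy is still host-wide while <command> runs; this only guarantees
# that the previously active policy is put back afterwards.
with_crypto_policy() {
    wcp_policy="$1"
    shift
    # Record the active policy first. Without it there is nothing to restore.
    wcp_previous="$("$UCP" --show)" || return 1
    [ -n "$wcp_previous" ] || return 1

    if [ "$wcp_previous" = "$wcp_policy" ]; then
        "$@"            # already active: run the command, change nothing
        return
    fi

    # Restore on interruption as well as on normal completion.
    # Note: this replaces any INT/TERM/HUP traps the caller had set.
    trap '"$UCP" --set "$wcp_previous" >/dev/null; exit 1' INT TERM HUP

    wcp_status=0
    if "$UCP" --set "$wcp_policy" >/dev/null; then
        # "|| wcp_status=$?" keeps a failing command from aborting the
        # function under "set -e" before the restore below has run.
        "$@" || wcp_status=$?
    else
        wcp_status=1
    fi

    trap - INT TERM HUP
    if ! "$UCP" --set "$wcp_previous" >/dev/null; then
        echo "WARNING: crypto policy not restored to $wcp_previous" >&2
        return 1
    fi
    return "$wcp_status"
}
```

Crypto policies are read by applications at start-up, so only processes started while the function is running see the temporary policy.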