search for: opensshserv

...arted playing with CentOS8 and I am trying to set default crypto policies for openssh server/client. In CentOS7 I followed the guide from https://infosec.mozilla.org/guidelines/openssh.html and set KexAlgorithms /Ciphers/MACs in sshd_config. In CentOS8 I can edit /usr/share/crypto-policies/$POLICY/opensshserver.txt for the sshd arguments, but editing openssh.txt or even changing default crypto policy to FIPS seems to not affect the client options (ssh -Q mac) Is the client supposed to be affected by these policies or they are only for the server? Regards,

Is it possible to mix and match crypto policies using approved tools in CentOS 8? Our environment requires a LEGACY setting for OpenSSL so we can maintain connections with our LDAP servers (which we cannot update at this time), but I'd like especially the OpenSSH settings to use the DEFAULT policy (and maybe even FUTURE on a test host or two). I think it's possible to manually

...stp384, ecdsa-sha2-nistp384-cert-v01 at openssh.com,rsa-sha2-512,ecdsa-sha2-nistp521, ecdsa-sha2-nistp521-cert-v01 at openssh.com,ssh-ed25519, ssh-ed25519-cert-v01 at openssh.com,ssh-rsa,ssh-rsa-cert-v01 at openssh.com So I found the unit file for sshd that refers to /etc/crypto-policies/back-ends/opensshserver.config In the mean time I was able to reach my target going and editing the /etc/sysconfig/sshd file adding the whole line obtained from the above and adding ssh-dss CRYPTO_POLICY='-oCiphers=aes256-gcm at openssh.com, chacha20-poly1305 at openssh.com,aes256-ctr,aes256-cbc,aes128-gcm at opens...

...84-cert-v01 at openssh.com,rsa-sha2-512,ecdsa-sha2-nistp521, > ecdsa-sha2-nistp521-cert-v01 at openssh.com,ssh-ed25519, > ssh-ed25519-cert-v01 at openssh.com,ssh-rsa,ssh-rsa-cert-v01 at openssh.com > > So I found the unit file for sshd that refers > to /etc/crypto-policies/back-ends/opensshserver.config > In the mean time I was able to reach my target going and editing the > /etc/sysconfig/sshd file adding the whole line obtained from the above and > adding ssh-dss > > CRYPTO_POLICY='-oCiphers=aes256-gcm at openssh.com, > chacha20-poly1305 at openssh.com,aes256-ctr,...