Displaying 20 results from an estimated 9000 matches similar to: "[PATCH v2v] docs: Fix update-crypto-policies command."
2020 Jan 15
2
Re: [PATCH v2v] docs: Fix update-crypto-policies command.
On Wed, Jan 15, 2020 at 11:03:24AM +0000, Daniel P. Berrangé wrote:
> On Wed, Jan 15, 2020 at 10:57:36AM +0000, Richard W.M. Jones wrote:
> > The command as documented was wrong. We need to use the --set option
> > to change the policy.
> >
> > Fixes commit d5cbe7b4bee5dec9e28b1db03e933c97ef6d11e0.
> > Thanks: Xiaodai Wang
> > ---
> >
2020 Jan 15
0
Re: [PATCH v2v] docs: Fix update-crypto-policies command.
On Wed, Jan 15, 2020 at 10:57:36AM +0000, Richard W.M. Jones wrote:
> The command as documented was wrong. We need to use the --set option
> to change the policy.
>
> Fixes commit d5cbe7b4bee5dec9e28b1db03e933c97ef6d11e0.
> Thanks: Xiaodai Wang
> ---
> docs/virt-v2v-input-xen.pod | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git
2019 Apr 17
1
[PATCH] v2v: Implement SSH password authentication for Xen and VMX over SSH.
This isn't quite the full thing. I think that Pino is also working on
replacing the ssh and scp commands in the v2v/input_vmx.ml file with
libssh. Without those changes, -i vmx will still issue raw ssh and
scp commands, which will use ssh-agent (or keyboard-interactive).
The Xen input method doesn't use raw ssh and scp commands, so that one
is OK.
Rich.
2019 Oct 04
1
CentOS8 and crypto-policies
Hi,
I started playing with CentOS8 and I am trying to set default crypto
policies for openssh server/client. In CentOS7 I followed the guide
from https://infosec.mozilla.org/guidelines/openssh.html and set
KexAlgorithms /Ciphers/MACs in sshd_config.
In CentOS8 I can edit
/usr/share/crypto-policies/$POLICY/opensshserver.txt for the sshd
arguments, but editing openssh.txt or even changing default
2018 Aug 14
2
[PATCH] v2v: -o rhv-upload: Fix error message disk numbering (RHBZ#1615885).
Thanks: Xiaodai Wang
---
v2v/output_rhv_upload.ml | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/v2v/output_rhv_upload.ml b/v2v/output_rhv_upload.ml
index 6260eaac5..df91a117f 100644
--- a/v2v/output_rhv_upload.ml
+++ b/v2v/output_rhv_upload.ml
@@ -361,13 +361,13 @@ If the messages above are not sufficient to diagnose the problem then add the
*)
let nr_disks
2019 Oct 04
1
Mix/match C8 crypto policies
Is it possible to mix and match crypto policies using approved tools
in CentOS 8?
Our environment requires a LEGACY setting for OpenSSL so we can
maintain connections with our LDAP servers (which we cannot update at
this time), but I'd like especially the OpenSSH settings to use the
DEFAULT policy (and maybe even FUTURE on a test host or two).
I think it's possible to manually
2024 Sep 09
1
OL8 (RHEL8), ssh-rsa turned off using update-crypto-policies, receiving an openssh error that I don't seem to be able to override in my personal .ssh/config file
well nuts. that, in fact, doesn't work. it appears that, based on an
strace, the order of reading for policies is personal .ssh/config,
/etc/ssh/ssh_config (and conf.d files), then crypto policies, with the more
restrictive policy being used.
---
Regards,
Kevin Martin
On Mon, Sep 9, 2024 at 11:07 AM kevin martin <ktmdms at gmail.com> wrote:
> Lol! Our Security team sent out
2024 Sep 09
1
OL8 (RHEL8), ssh-rsa turned off using update-crypto-policies, receiving an openssh error that I don't seem to be able to override in my personal .ssh/config file
I'm using the most up to date version of openssh on OL8 that I can patch to
(OpenSSH_8.0p1), I've used update-crypto-policies to disallow the use of
ssh-rsa, but apparently am connecting to a host that uses ssh-rsa. I've
tried adding
HostkeyAlgorithms +ssh-rsa,ssh-rsa-cert-v01@openssh.com
PubkeyAcceptedAlgorithms +ssh-rsa,ssh-rsa-cert-v01@openssh.com
or
HostkeyAlgorithms
2024 Sep 09
1
OL8 (RHEL8), ssh-rsa turned off using update-crypto-policies, receiving an openssh error that I don't seem to be able to override in my personal .ssh/config file
Lol! Our Security team sent out new policies that dictated turning off
ssh-rsa, so *we did. turns out our Security Team doesn't necessarily
follow their own dictates, so here we are. Our Linux team says that the
correct way to turn off ssh-rsa is via the crypto policies, not via direct
manipulation of the /etc/ssh/ssh_config, and I guess that's probably the
absolute best way to do so,
2024 Sep 09
2
OL8 (RHEL8), ssh-rsa turned off using update-crypto-policies, receiving an openssh error that I don't seem to be able to override in my personal .ssh/config file
The crypto policies are system-wide to disallow any software (using system crypto) from using unsafe/weak/unwanted algorithm, which is exactly what you are trying to do.
You'll need to allow that system-wide by default, unfortunately. Luckily you can then disallow ssh-rsa in ssh-config by default and only enable it for a few hosts.
The correct solution is to throw whatever requires it to the
2004 Feb 17
1
LDAP configuration
Hello,
I've just installed dovecot to replace courier-imap and I've found out it
didn't support some of the typical LDAP userPassword schemes, so I've
written some based on OpenSSL API. Furthermore I noticed that the MD5 one
seems broken. If it isn't a requirement to ship its own implementation of a
crypto algorithm, I would send in a patch to replace schema checks with
2019 Nov 28
3
[PATCH] rhv-upload: Fix waiting for transfer
We were not considering failures while initializing the transfer. In
this case the transfer phase can change to PAUSED_SYSTEM or
FINISHED_FAILURE, and transfer_url will be None, which failed the
upload with a misleading error:
RuntimeError: direct upload to host not supported, requires
ovirt-engine >= 4.2 and only works when virt-v2v is run within the
oVirt/RHV environment, eg. on
2011 Apr 18
4
Solaris hardware crypto engines
Hello,
I tried to find out how about to use the hardware crypto engines under
Solaris (Sun Fire T2000). It seems that it's not just a compilation issue:
> For operations that are to be offloaded, it is necessary to restrict use to subset
> of OpenSSL functions (the EVP_ functions) and explicitly indicate the use of
> the PKCS11
> engine; something like the following works for bulk
2018 Aug 10
2
[PATCH] Change wording from "twice" to "more than once" in error messages
When erroring out about duplicated parameters, say "more than once"
instead of "twice", since there can be more than two repeated
parameters.
Thanks to: Xiaodai Wang
---
generator/fish.ml | 2 +-
generator/perl.ml | 2 +-
resize/resize.ml | 4 ++--
tools/virt-tar | 4 ++--
v2v/input_libvirt_vddk.ml | 2 +-
v2v/output_rhv_upload.ml | 4 ++--
2024 Sep 09
1
OL8 (RHEL8), ssh-rsa turned off using update-crypto-policies, receiving an openssh error that I don't seem to be able to override in my personal .ssh/config file
Hi,
On Mon, Sep 09, 2024 at 05:41:42PM +0200, Jan Schermer wrote:
> The correct solution is to throw whatever requires it to the garbage and never buy from that vendor again.
As nice as this sounds, the selection of possible algorithms on the
(usually "internal network only") management interface is waaaaay low
on the priority list when shopping for a $50k router...
gert
--
2019 Dec 10
1
Re: [PATCH] rhv-upload: Fix waiting for transfer
On Thu, Nov 28, 2019 at 10:58 PM Richard W.M. Jones <rjones@redhat.com> wrote:
>
> On Thu, Nov 28, 2019 at 09:34:18PM +0200, Nir Soffer wrote:
> > We were not considering failures while initializing the transfer. In
> > this case the transfer phase can change to PAUSED_SYSTEM or
> > FINISHED_FAILURE, and transfer_url will be None, which failed the
> > upload
2016 Jan 04
4
Alternate Open Source Crypto Solution in OpenSSH
On Mon, 4 Jan 2016, Peter Stuge wrote:
> Hi Kaleb,
>
> Kaleb Himes wrote:
> > OpenSSH port Location: https://github.com/kaleb-himes/openssh-portable.git
>
> I'm afraid this repository is too messy to be useful. :\
>
> You need to use the features offered by git to preserve commit ids if
> anyone else besides yourself is going to be able to work with this,
>
2016 Nov 29
1
[PATCH v3] crypto: add virtio-crypto driver
On Tue, 29 Nov 2016 09:25:49 +0000
Stefan Hajnoczi <stefanha at redhat.com> wrote:
> On Tue, Nov 29, 2016 at 08:22:58AM +0000, Gonglei (Arei) wrote:
> > Hi,
> >
> > > > > > +source "drivers/crypto/virtio/Kconfig"
> > > > > > +
> > > > > > endif # CRYPTO_HW
> > > > > > diff --git
2016 Nov 29
3
[PATCH v3] crypto: add virtio-crypto driver
Hi,
> > > > +source "drivers/crypto/virtio/Kconfig"
> > > > +
> > > > endif # CRYPTO_HW
> > > > diff --git a/drivers/crypto/Makefile b/drivers/crypto/Makefile
> > > > index ad7250f..bc53cb8 100644
> > > > --- a/drivers/crypto/Makefile
> > > > +++ b/drivers/crypto/Makefile
> > > > @@ -32,3