Bug 1225752
| Summary: | openssh should follow the policies of system-wide crypto policy | | |
|---|---|---|---|
| Product: | Fedora | Reporter: | Nikos Mavrogiannopoulos <nmavrogi> |
| Component: | openssh | Assignee: | Jakub Jelen <jjelen> |
| Status: | CLOSED CURRENTRELEASE | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
| Severity: | unspecified | Docs Contact: | |
| Priority: | unspecified | | |
| Version: | 26 | CC: | jjelen, mattias.ellert, mgrepl, plautrba, riehecky, tmraz |
| Target Milestone: | --- | Keywords: | Reopened |
| Target Release: | --- | | |
| Hardware: | Unspecified | | |
| OS: | Unspecified | | |
| Whiteboard: | | | |
| Fixed In Version: | openssh-7.3p1-4.fc25 | Doc Type: | Bug Fix |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2017-12-18 11:21:05 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
| Bug Depends On: | 1479271 | | |
| Bug Blocks: | 1179209 | | |
Description
Nikos Mavrogiannopoulos
2015-05-28 07:49:06 UTC
The main idea is to relieve the administrator of the burden of coping with ciphers, e.g., to apply the settings recommended in https://bettercrypto.org/static/applied-crypto-hardening.pdf

This bug appears to have been reported against 'rawhide' during the Fedora 23 development cycle. Changing version to '23'. (As we did not run this process for some time, it could also affect pre-Fedora 23 development cycle bugs. We are very sorry. It will help us with cleanup during Fedora 23 End Of Life. Thank you.) More information and the reason for this action are here: https://fedoraproject.org/wiki/BugZappers/HouseKeeping/Fedora23

To sum things up: from my point of view, the include feature sounds reasonable for the system-wide crypto policy, and a drop-in directory will also solve other packaging issues in Fedora. This topic is part of several upstream bugs: 1613, 2146 and 1585. The main concern was about the client config include, but creating a server version also makes sense for us and for other tools. I created a few patches and upstream bugs targeting this issue:

* broken glob(): https://bugzilla.mindrot.org/show_bug.cgi?id=2463
* include in ssh: https://bugzilla.mindrot.org/show_bug.cgi?id=1585
* include in sshd: https://bugzilla.mindrot.org/show_bug.cgi?id=2468

Finally, I created a copr repo with the latest openssh build together with these patches to give it some more testing, before upstream considers this feature or we decide we want it in Rawhide regardless of the upstream resolution: https://copr.fedoraproject.org/coprs/jjelen/openssh-include/

Update on the status of include support in openssh:

* broken glob(): RESOLVED in openssh-7.2 (F23)
* include in ssh: upstream proposed a new patch
* include in sshd: no update

Future thoughts from recent discussion:

* RSAMinModulusSize: configuration option for ssh and sshd
  * SSH_RSA_MINIMUM_MODULUS_SIZE (currently 768)
  * value will increase to 1024 in openssh-7.3
* DHMinGroup: configuration option for ssh and sshd
  * DH_GRP_MIN 1024
  * DH_GRP_MIN_FIPS 2048

This bug appears to have been reported against 'rawhide' during the Fedora 25 development cycle. Changing version to '25'.

The client side will be in Fedora 26 [1] and soon in rawhide to test. Still leaving this open for the server side, which already has an updated patch in the upstream bugzilla [2] (with the same semantics as the client side). It is the last thing blocking us from implementing the policy on the server side too.

[1] https://fedoraproject.org/wiki/Changes/OpenSSH_Crypto_Policy
[2] https://bugzilla.mindrot.org/show_bug.cgi?id=2468

openssh-7.3p1-4.fc25 has been pushed to the Fedora 25 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2016-94293f91e8

openssh-7.3p1-4.fc25 has been pushed to the Fedora 25 stable repository. If problems still persist, please make note of it in this bug report.

Reopening for the server side. This functionality is still missing from upstream OpenSSH, as mentioned in comment #6.

This bug appears to have been reported against 'rawhide' during the Fedora 26 development cycle. Changing version to '26'.

This seems to be addressed by 1479271
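To make the include/drop-in mechanism discussed in this bug concrete, here is an added example; it is not code from this bug report, from Fedora's crypto-policies package, or from OpenSSH. It is a deliberately small Python model of ssh_config parsing that expands `Include` globs and applies the rule ssh(1) documents for its client configuration: for each keyword, the first obtained value wins. It runs over a constructed config tree in a temporary directory, where a stand-in crypto-policy file lives in a drop-in directory. The file names, the directory layout, the cipher lists and the `50-crypto-policy.conf` name are assumptions, not Fedora's actual layout; the behaviour worth seeing is that an administrator's `Ciphers` line placed before the `Include` overrides the policy, while the same line placed after it is ignored, which is exactly why the position of the include in the shipped ssh_config matters. Host/Match blocks and the real relative-path rule for `Include` (relative to ~/.ssh or /etc/ssh) are simplified away; absolute paths are used throughout.

```python
"""Model of ssh_config Include expansion and first-value-wins resolution.

Added example; simplified and not OpenSSH's own parser. Only absolute
Include paths are handled, and Host/Match blocks are not modelled.
"""
import glob
import os
import tempfile

# Real ssh_config keywords that a crypto policy would typically set.
POLICY_KEYWORDS = ("Ciphers", "MACs", "KexAlgorithms")


def parse_lines(path, seen=None):
    """Yield (keyword, value) pairs from an ssh_config file, expanding
    Include directives in place. Globbed files are visited in sorted order;
    a file that is already being processed is skipped to break include loops.
    As in OpenSSH, only whole-line comments (leading '#') are comments."""
    seen = seen if seen is not None else set()
    real = os.path.realpath(path)
    if real in seen:
        return
    seen.add(real)
    with open(path) as fh:
        for raw in fh:
            line = raw.strip()
            if not line or line.startswith("#"):
                continue
            # "Keyword value" or "Keyword=value" (OpenSSH accepts both forms).
            key, _, value = line.replace("=", " ", 1).partition(" ")
            value = value.strip()
            if key.lower() == "include":
                for pattern in value.split():
                    for inc in sorted(glob.glob(pattern)):
                        yield from parse_lines(inc, seen)
            else:
                yield key, value


def effective_value(path, keyword):
    """Return the value ssh(1) would use for `keyword`: the first one
    obtained while reading the expanded configuration (case-insensitive)."""
    for key, value in parse_lines(path):
        if key.lower() == keyword.lower():
            return value
    return None


def build_demo(override_before_include):
    """Construct a throwaway config tree and return the main ssh_config path.
    The policy file contents are constructed sample values (assumption), not
    the output of any real crypto-policies tool."""
    root = tempfile.mkdtemp(prefix="sshcfg-")
    dropin = os.path.join(root, "ssh_config.d")
    os.makedirs(dropin)
    with open(os.path.join(dropin, "50-crypto-policy.conf"), "w") as fh:
        fh.write("# constructed stand-in for a system-wide crypto policy\n"
                 "Ciphers aes256-gcm@openssh.com,aes128-gcm@openssh.com\n"
                 "MACs hmac-sha2-256-etm@openssh.com\n"
                 "KexAlgorithms curve25519-sha256\n")
    override = "Ciphers aes128-ctr\n"          # admin's local choice
    include = f"Include {dropin}/*.conf\n"      # pulls in the policy drop-ins
    with open(os.path.join(root, "ssh_config"), "w") as fh:
        fh.write(override + include if override_before_include
                 else include + override)
    return os.path.join(root, "ssh_config")


def effective_policy(override_before_include):
    """Resolve every policy keyword for one of the two demo layouts."""
    cfg = build_demo(override_before_include)
    return {k: effective_value(cfg, k) for k in POLICY_KEYWORDS}


if __name__ == "__main__":
    for before in (True, False):
        where = "before" if before else "after"
        print(f"admin Ciphers line {where} the Include -> {effective_policy(before)}")
```

The two runs differ only in where the administrator's `Ciphers` line sits relative to the `Include`. Placed before it, `aes128-ctr` is the first value obtained and the policy's cipher list is never consulted; placed after it, the policy wins and the local line is dead configuration. For a server-side policy the same ordering question arises, which is why the sshd_config include discussed in the bug needs the same semantics as the client side.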