Bug 1483998 (rhel81-crypto-policies-libssh) - libssh client: follow the policies of system-wide crypto policy
Keywords:
Status: CLOSED RAWHIDE
Alias: rhel81-crypto-policies-libssh
Product: Fedora
Classification: Fedora
Component: libssh
Version: rawhide
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: unspecified
Target Milestone: ---
Assignee: Anderson Sasaki
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks: fedora-crypto-policies 1610883 1635111
 
Reported: 2017-08-22 12:43 UTC by Nikos Mavrogiannopoulos
Modified: 2019-06-28 09:48 UTC

Fixed In Version: libssh-0.9.0-1
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Clones: 1610883
Environment:
Last Closed: 2019-06-28 09:48:43 UTC
Type: Bug
Embargoed:


Attachments
Support include files (11.06 KB, patch)
2017-08-24 13:50 UTC, Nikos Mavrogiannopoulos


Links
Red Hat Bugzilla 1225752 (priority unspecified, CLOSED): openssh should follow the policies of system-wide crypto policy (last updated 2022-05-16 11:32:56 UTC)

Description Nikos Mavrogiannopoulos 2017-08-22 12:43:56 UTC
Please utilize the system's crypto policy for enabled by default ciphers:
https://fedoraproject.org/wiki/Packaging:CryptoPolicies

As it is now, libssh's configuration is provided per application using ssh_options_parse_config(), making the administrator/user responsible for any enabled ciphers and, in case of software upgrades, for keeping the list of allowed ciphers, parameters, etc. up to date.

It would align better with the Fedora system-wide policy directions if the library could apply some default settings based on the system policy when the user doesn't override/set a config file. For example, fall back to reading a global configuration file in case the user doesn't have one (e.g., /etc/crypto-policies/back-ends/openssh.config).

Comment 1 Nikos Mavrogiannopoulos 2017-08-24 11:26:29 UTC
It seems the code already falls back to reading /etc/ssh/ssh_config when no filename is set or no user config exists. However, in Fedora we use Include directives in the configuration file, which in turn includes /etc/ssh/ssh_config.d/05-redhat.conf, and this includes /etc/crypto-policies/back-ends/openssh.config.

So this is pretty much an RFE to support recursive including of files.
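The include chain described in the description and in comment 1 (user config, falling back to /etc/ssh/ssh_config, which pulls in /etc/ssh/ssh_config.d/05-redhat.conf, which pulls in the crypto-policies back-end file) can be modelled with a small parser. The following is an added example written for this page; it is not libssh's code or the attached patch. It assumes OpenSSH-style semantics (first value obtained for an option wins, user file read before the system file), ignores Host/Match blocks, caps include nesting at 16 levels (the exact limit is an assumption), and refuses to re-enter a file it has already read so an include cycle terminates. All files, paths and cipher lists are constructed in a scratch directory so the example runs offline; the policy values are made up and are not the real Fedora policy.

```python
import glob
import os
import tempfile

# Cap on Include nesting so a self-referencing chain cannot recurse forever.
# OpenSSH enforces a limit as well; the value 16 here is an assumption.
MAX_INCLUDE_DEPTH = 16


def parse_ssh_config(path, root="", depth=0, options=None, seen=None):
    """Parse one ssh_config-style file and follow its Include directives.

    First value obtained for an option wins, so an earlier (user) file
    overrides a later (system or policy) file. `root` is prefixed to
    absolute Include paths so the example can run against a scratch
    directory instead of the real /etc. Host/Match blocks are not
    modelled; every line is treated as a global option.
    """
    options = {} if options is None else options
    seen = set() if seen is None else seen
    if depth > MAX_INCLUDE_DEPTH:
        raise ValueError(f"Include nesting deeper than {MAX_INCLUDE_DEPTH} at {path}")
    real = os.path.realpath(path)
    if real in seen:            # include cycle: skip instead of looping
        return options
    seen.add(real)
    with open(path, encoding="utf-8") as fh:
        for raw in fh:
            line = raw.strip()
            if not line or line.startswith("#"):
                continue
            parts = line.split(None, 1)
            key = parts[0].lower()
            value = parts[1].strip() if len(parts) > 1 else ""
            if key == "include":
                for pattern in value.split():
                    if os.path.isabs(pattern):
                        pattern = os.path.join(root, pattern.lstrip("/"))
                    else:   # relative includes resolve next to the including file
                        pattern = os.path.join(os.path.dirname(path), pattern)
                    for inc in sorted(glob.glob(pattern)):
                        parse_ssh_config(inc, root, depth + 1, options, seen)
            elif key not in options:
                options[key] = value
    return options


def load_client_config(root, user_config=None):
    """Read the user's config if it exists, then the system-wide
    /etc/ssh/ssh_config, merging with first-value-wins semantics."""
    options, seen = {}, set()
    if user_config and os.path.exists(user_config):
        parse_ssh_config(user_config, root, 0, options, seen)
    system_config = os.path.join(root, "etc/ssh/ssh_config")
    if os.path.exists(system_config):
        parse_ssh_config(system_config, root, 0, options, seen)
    return options


def build_demo_tree(root, with_loop=False):
    """Write a constructed Fedora-style include chain under `root`.
    The algorithm lists are sample values, not the real policy file."""
    files = {
        "etc/ssh/ssh_config": "Include /etc/ssh/ssh_config.d/*.conf\n",
        "etc/ssh/ssh_config.d/05-redhat.conf":
            "Include /etc/crypto-policies/back-ends/openssh.config\n",
        "etc/crypto-policies/back-ends/openssh.config":
            "Ciphers aes256-gcm@openssh.com,aes128-ctr\n"
            "MACs hmac-sha2-256\n"
            "KexAlgorithms curve25519-sha256\n",
    }
    if with_loop:
        # A drop-in file that includes the top-level file again (a cycle).
        files["etc/ssh/ssh_config.d/99-loop.conf"] = "Include /etc/ssh/ssh_config\n"
    for rel, body in files.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w", encoding="utf-8") as fh:
            fh.write(body)


def demo(with_loop=False, user_ciphers=None):
    """Build the tree in a scratch directory and return the resolved options."""
    with tempfile.TemporaryDirectory() as root:
        build_demo_tree(root, with_loop)
        user_config = None
        if user_ciphers:
            user_config = os.path.join(root, "home/user/.ssh/config")
            os.makedirs(os.path.dirname(user_config))
            with open(user_config, "w", encoding="utf-8") as fh:
                fh.write(f"Ciphers {user_ciphers}\n")
        return load_client_config(root, user_config)


if __name__ == "__main__":
    print(demo())                         # policy values reached via two Includes
    print(demo(with_loop=True))           # cycle is skipped, same result
    print(demo(user_ciphers="aes128-ctr"))  # user's Ciphers wins, MACs from policy
```

The two defensive checks, the depth cap and the set of already-read files, are what keep a drop-in directory that anyone can write to from turning the recursion into a denial of service against every client that reads the system config; a library adding Include support should have both.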

Comment 2 Nikos Mavrogiannopoulos 2017-08-24 13:50:57 UTC
Created attachment 1317699
Support include files

