• crypto-policies-20231109-1.git0ceff7f.el9
    • None
    • 1
    • rhel-sst-security-crypto
    • 13
    • 4
    • False
    • Yes
    • Crypto23Q4

      1. DEFAULT policy has the same MACs as before: ETM and non-ETM (and implicit, which the macs option does not control)
      2. FIPS:OSPP uses etm@ssh = DISABLE_ETM and has only non-ETM MACs, as before (and implicit)
      3. specifying etm@ssh = DISABLE_NON_ETM leaves only ETM MACs (and implicit)
      4. ssh_etm = 1 works as before and outputs a deprecation warning
      5. ssh_etm = 0 works as before and outputs a deprecation warning
      6. it is documented in the man page that the option is only meant to be used with the SSH scope

    • Pass
    • Not Needed
    • Automated
    • Enhancement
      .Finer control over MACs in SSH with `crypto-policies`

      You can now set additional options for message authentication codes (MACs) for the SSH protocol in the system-wide cryptographic policies (`crypto-policies`). With this update, the `crypto-policies` option `ssh_etm` has been converted into a tri-state `etm@SSH` option. The previous `ssh_etm` option has been deprecated.

      You can now set `etm@SSH` to one of the following values:

      `ANY`:: Allows both `encrypt-then-mac` and `encrypt-and-mac` MACs.
      `DISABLE_ETM`:: Disallows `encrypt-then-mac` MACs.
      `DISABLE_NON_ETM`:: Disallows MACs that do not use `encrypt-then-mac`.

      Note that ciphers that use implicit MACs are always allowed because they use authenticated encryption.
    • Done
    • None

          [RHEL-15925] [RFE] Ability to disable non-etm MACs

          Errata Tool added a comment -

          Since the problem described in this issue should be resolved in a recent advisory, it has been closed.

          For information on the advisory (crypto-policies bug fix and enhancement update), and where to find the updated files, follow the link below.

          If the solution does not work for you, open a new bug report.
          https://access.redhat.com/errata/RHEA-2024:2400

          Clemens Lang added a comment -

          jafiala@redhat.com Looks good to me.

          Alexander Sosedkin added a comment -

          Reviewed, doc text is OK.

          Jan Fiala added a comment -

          Hi asosedki@redhat.com, I adjusted the doctext for the release note. Please review if it's accurate.
          Check specifically the last sentence, I changed the word order to make it easier to read, but there might be an unintended change in meaning.


          Gabriela Fialova added a comment -

          This enhancement has been added into the tickets.yaml file for RHEL 9.4 Beta release notes.

          Ondrej Moris added a comment -

          Successfully verified with crypto-policies-20231113-1.gite9247c2.el9.

          1. DEFAULT policy has the same MACs as before, ETM and non-ETM

          ::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
          ::   1. DEFAULT policy has all MACs (same as in 9.3)
          ::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
          
          :: [ 14:45:37 ] :: [   PASS   ] :: Command 'update-crypto-policies --set DEFAULT' (Expected 0, got 0)
          :: [ 14:45:37 ] :: [   PASS   ] :: libssh (Expected 0, got 0)
          :: [ 14:45:37 ] :: [   PASS   ] :: openssl client (Expected 0, got 0)
          :: [ 14:45:38 ] :: [   PASS   ] :: openssh server (Expected 0, got 0)
          :: [ 14:45:38 ] :: [   PASS   ] :: Command 'update-crypto-policies --set DEFAULT:ETM_ANY' (Expected 0, got 0)
          :: [ 14:45:38 ] :: [   PASS   ] :: libssh (Expected 0, got 0)
          :: [ 14:45:38 ] :: [   PASS   ] :: openssl client (Expected 0, got 0)
          :: [ 14:45:38 ] :: [   PASS   ] :: openssh server (Expected 0, got 0)
          :: [ 14:45:39 ] :: [   PASS   ] :: Command 'update-crypto-policies --set DEFAULT' (Expected 0, got 0)
          ::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
          ::   Duration: 2s
          ::   Assertions: 9 good, 0 bad
          ::   RESULT: PASS (1. DEFAULT policy has all MACs (same as in 9.3))

          2. FIPS:OSPP uses etm@ssh = DISABLE_ETM and has only non-ETM MACs as before

          ::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
          ::   2. FIPS:OSPP uses etm@ssh = DISABLE_ETM, only non-ETM MACs (same as in 9.3)
          ::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
          
          :: [ 14:45:41 ] :: [   PASS   ] :: Command 'update-crypto-policies --set FIPS:OSPP' (Expected 0, got 0)
          :: [ 14:45:41 ] :: [   PASS   ] :: Command 'grep 'etm@libssh = DISABLE_ETM' /etc/crypto-policies/state/CURRENT.pol' (Expected 0, got 0)
          :: [ 14:45:41 ] :: [   PASS   ] :: Command 'grep 'etm@openssh-client = DISABLE_ETM' /etc/crypto-policies/state/CURRENT.pol' (Expected 0, got 0)
          :: [ 14:45:42 ] :: [   PASS   ] :: Command 'grep 'etm@openssh-server = DISABLE_ETM' /etc/crypto-policies/state/CURRENT.pol' (Expected 0, got 0)
          :: [ 14:45:42 ] :: [   PASS   ] :: libssh (Expected 0, got 0)
          :: [ 14:45:42 ] :: [   PASS   ] :: openssl client (Expected 0, got 0)
          :: [ 14:45:42 ] :: [   PASS   ] :: openssh server (Expected 0, got 0)
          :: [ 14:45:42 ] :: [   PASS   ] :: Command 'update-crypto-policies --set DEFAULT:DISABLE_ETM' (Expected 0, got 0)
          :: [ 14:45:42 ] :: [   PASS   ] :: libssh (Expected 0, got 0)
          :: [ 14:45:42 ] :: [   PASS   ] :: openssl client (Expected 0, got 0)
          :: [ 14:45:42 ] :: [   PASS   ] :: openssh server (Expected 0, got 0)
          :: [ 14:45:43 ] :: [   PASS   ] :: Command 'update-crypto-policies --set DEFAULT' (Expected 0, got 0)
          ::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
          ::   Duration: 2s
          ::   Assertions: 12 good, 0 bad
          ::   RESULT: PASS (2. FIPS:OSPP uses etm@ssh = DISABLE_ETM, only non-ETM MACs (same as in 9.3))

          3. specifying etm@ssh = DISABLE_NON_ETM has ETM MACs

          ::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
          ::   3. specifying etm@ssh = DISABLE_NON_ETM and no non-ETM MACs
          ::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
          
          :: [ 14:45:45 ] :: [   PASS   ] :: Command 'update-crypto-policies --set DEFAULT:DISABLE_NON_ETM' (Expected 0, got 0)
          :: [ 14:45:45 ] :: [   PASS   ] :: libssh (Expected 0, got 0)
          :: [ 14:45:45 ] :: [   PASS   ] :: openssl client (Expected 0, got 0)
          :: [ 14:45:45 ] :: [   PASS   ] :: openssh server (Expected 0, got 0)
          :: [ 14:45:46 ] :: [   PASS   ] :: Command 'update-crypto-policies --set DEFAULT' (Expected 0, got 0)
          ::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
          ::   Duration: 1s
          ::   Assertions: 5 good, 0 bad
          ::   RESULT: PASS (3. specifying etm@ssh = DISABLE_NON_ETM and has no non-ETM MACs)

          4. ssh_etm = 1 works as before and outputs a deprecation warning

          ::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
          ::   4. ssh_etm = 1 works as before and outputs a deprecation warning
          ::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
          
          :: [ 14:45:50 ] :: [   PASS   ] :: Command 'update-crypto-policies --set DEFAULT:SSH_ETM_1' (Expected 0, got 0)
          :: [ 14:45:50 ] :: [   PASS   ] :: File '/var/tmp/rlRun_LOG.5FpHmtJM' should contain 'PolicySyntaxDeprecationWarning: Option ssh_etm = 1 is deprecated' 
          :: [ 14:45:50 ] :: [   PASS   ] :: File '/var/tmp/rlRun_LOG.5FpHmtJM' should contain 'please rewrite your rules using etm@ssh = any;' 
          :: [ 14:45:50 ] :: [   PASS   ] :: File '/var/tmp/rlRun_LOG.5FpHmtJM' should contain 'be advised that it is not always a 1-1 replacement' 
          :: [ 14:45:50 ] :: [   PASS   ] :: libssh (Expected 0, got 0)
          :: [ 14:45:50 ] :: [   PASS   ] :: openssl client (Expected 0, got 0)
          :: [ 14:45:50 ] :: [   PASS   ] :: openssh server (Expected 0, got 0)
          :: [ 14:45:50 ] :: [   PASS   ] :: Command 'update-crypto-policies --set DEFAULT' (Expected 0, got 0)
          ::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
          ::   Duration: 2s
          ::   Assertions: 8 good, 0 bad
          ::   RESULT: PASS (4. ssh_etm = 1 works as before and outputs a deprecation warning)
          

          5. ssh_etm = 0 works as before and outputs a deprecation warning

          ::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
          ::   5. ssh_etm = 0 works as before and outputs a deprecation warning
          ::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
          
          :: [ 14:45:53 ] :: [   PASS   ] :: Command 'update-crypto-policies --set DEFAULT:SSH_ETM_0' (Expected 0, got 0)
          :: [ 14:45:53 ] :: [   PASS   ] :: File '/var/tmp/rlRun_LOG.gCgnMXl8' should contain 'PolicySyntaxDeprecationWarning: Option ssh_etm = 0 is deprecated' 
          :: [ 14:45:53 ] :: [   PASS   ] :: File '/var/tmp/rlRun_LOG.gCgnMXl8' should contain 'please rewrite your rules using etm@ssh = DISABLE_ETM;' 
          :: [ 14:45:53 ] :: [   PASS   ] :: File '/var/tmp/rlRun_LOG.gCgnMXl8' should contain 'be advised that it is not always a 1-1 replacement' 
          :: [ 14:45:53 ] :: [   PASS   ] :: libssh (Expected 0, got 0)
          :: [ 14:45:53 ] :: [   PASS   ] :: openssl client (Expected 0, got 0)
          :: [ 14:45:53 ] :: [   PASS   ] :: openssh server (Expected 0, got 0)
          :: [ 14:45:53 ] :: [   PASS   ] :: Command 'update-crypto-policies --set DEFAULT' (Expected 0, got 0)
          ::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
          ::   Duration: 1s
          ::   Assertions: 8 good, 0 bad
          ::   RESULT: PASS (5. ssh_etm = 0 works as before and outputs a deprecation warning)

          6. it is documented in the man page that the option is only meant to be used with the SSH scope

          # man crypto-policies
          ...
          etm: ANY/DISABLE_ETM/DISABLE_NON_ETM allows both EtM (Encrypt-then-Mac) and E&M (Encrypt-and-Mac), disables EtM, and disables E&M respectively.                         
          (Currently only implemented for SSH, do not use without @SSH scope.)

          For more details see results of  TC#615980 in  TR#435554.


          gitlab-bot added a comment -

          Clemens Lang mentioned this issue in a merge request of Red Hat / centos-stream / rpms / crypto-policies on branch c9s-rhel-15925-fixes:

          Update from upstream (scoped ssh_etm, deprecation warnings)


          gitlab-bot added a comment -

          Clemens Lang mentioned this issue in a commit of Red Hat / centos-stream / rpms / crypto-policies on branch c10s:

          Update from upstream (chroot fips-mode-setup, etm@SSH)


            omoris Ondrej Moris
            asosedki@redhat.com Alexander Sosedkin
            Ondrej Moris
            Alexander Sosedkin Alexander Sosedkin
            Ondrej Moris Ondrej Moris
            Mirek Jahoda Mirek Jahoda