RHEL-15925

[RFE] Ability to disable non-etm MACs

    • crypto-policies-20231109-1.git0ceff7f.el9
      1. The DEFAULT policy has the same MACs as before, both ETM and non-ETM (and implicit MACs, which are not controlled by the macs option).
      2. FIPS:OSPP uses etm@ssh = DISABLE_ETM and has only non-ETM MACs, as before (and implicit).
      3. Specifying etm@ssh = DISABLE_NON_ETM leaves only ETM MACs (and implicit).
      4. ssh_etm = 1 works as before and outputs a deprecation warning.
      5. ssh_etm = 0 works as before and outputs a deprecation warning.
      6. The manpages document that the option is only meant to be used with the SSH scope.

      .Finer control over MACs in SSH with `crypto-policies`

      You can now set additional options for message authentication codes (MACs) for the SSH protocol in the system-wide cryptographic policies (`crypto-policies`). With this update, the `crypto-policies` option `ssh_etm` has been converted into a tri-state `etm@SSH` option. The previous `ssh_etm` option has been deprecated.

      You can now set `etm@SSH` to one of the following values:

      `ANY`:: Allows both `encrypt-then-mac` and `encrypt-and-mac` MACs.
      `DISABLE_ETM`:: Disallows `encrypt-then-mac` MACs.
      `DISABLE_NON_ETM`:: Disallows MACs that do not use `encrypt-then-mac`.

      Note that ciphers that use implicit MACs are always allowed because they use authenticated encryption.
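As an added example (not from this issue or the crypto-policies project): a small Python audit that applies the three `etm@SSH` values to the `MACs` line of a generated OpenSSH server config and reports what each setting keeps or drops. It assumes OpenSSH's `-etm@openssh.com` suffix marks the encrypt-then-mac MACs, that the listed AEAD ciphers are the ones with implicit MACs, and uses a constructed config sample rather than a real system's file.

```python
from enum import Enum

class EtmPolicy(Enum):
    ANY = "ANY"
    DISABLE_ETM = "DISABLE_ETM"
    DISABLE_NON_ETM = "DISABLE_NON_ETM"

# OpenSSH names its encrypt-then-MAC variants with this suffix; plain names are encrypt-and-MAC.
ETM_SUFFIX = "-etm@openssh.com"

# AEAD ciphers carry an implicit MAC; the release note says these stay allowed whatever etm@SSH is.
AEAD_CIPHERS = {"aes128-gcm@openssh.com", "aes256-gcm@openssh.com", "chacha20-poly1305@openssh.com"}

def is_etm(mac: str) -> bool:
    return mac.endswith(ETM_SUFFIX)

def allowed_macs(macs, policy: EtmPolicy):
    """Apply the tri-state option to a MAC list and return the survivors, order preserved."""
    if policy is EtmPolicy.ANY:
        return list(macs)
    if policy is EtmPolicy.DISABLE_ETM:
        return [m for m in macs if not is_etm(m)]
    return [m for m in macs if is_etm(m)]

def parse_option(text: str, key: str):
    """Return the comma-separated values of an OpenSSH config keyword (e.g. 'MACs')."""
    for line in text.splitlines():
        parts = line.split(None, 1)
        if len(parts) == 2 and parts[0].lower() == key.lower():
            return parts[1].split(",")
    return []

def audit(config_text: str, policy: EtmPolicy) -> dict:
    """Report which explicit MACs the policy keeps/drops and which AEAD ciphers stay regardless."""
    macs = parse_option(config_text, "MACs")
    kept = allowed_macs(macs, policy)
    ciphers = parse_option(config_text, "Ciphers")
    return {
        "kept": kept,
        "dropped": [m for m in macs if m not in kept],
        "implicit_mac_ciphers": [c for c in ciphers if c in AEAD_CIPHERS],
    }

# Constructed sample in the style of the generated opensshserver.config (not a real system's file).
SAMPLE_CONFIG = (
    "Ciphers aes256-gcm@openssh.com,chacha20-poly1305@openssh.com,aes256-ctr\n"
    "MACs hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256,umac-128@openssh.com\n"
)
```

Running `audit(SAMPLE_CONFIG, p)` for each `EtmPolicy` value shows that only DISABLE_NON_ETM removes the plain `hmac-sha2-256` and `umac-128@openssh.com` entries, while the AEAD ciphers are reported as unaffected in every case.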
People: Ondrej Moris, Alexander Sosedkin, Mirek Jahoda