RHEL-15925: [RFE] Ability to disable non-etm MACs

    • crypto-policies-20231109-1.git0ceff7f.el9
      1. DEFAULT policy has the same MACs as before, ETM and non-ETM (and implicit MACs, which the macs option does not control)
      2. FIPS:OSPP uses etm@ssh = DISABLE_ETM and has only non-ETM MACs as before (and implicit)
      3. specifying etm@ssh = DISABLE_NON_ETM leaves only ETM MACs (and implicit)
      4. ssh_etm = 1 works as before and outputs a deprecation warning
      5. ssh_etm = 0 works as before and outputs a deprecation warning
      6. it is documented in the manpages that the option is only meant to be used with the SSH scope
      .Finer control over MACs in SSH with `crypto-policies`

      You can now set additional options for message authentication codes (MACs) for the SSH protocol in the system-wide cryptographic policies (`crypto-policies`). With this update, the `crypto-policies` option `ssh_etm` has been converted into a tri-state `etm@SSH` option. The previous `ssh_etm` option has been deprecated.

      You can now set `etm@SSH` to one of the following values:

      `ANY`:: Allows both `encrypt-then-mac` and `encrypt-and-mac` MACs.
      `DISABLE_ETM`:: Disallows `encrypt-then-mac` MACs.
      `DISABLE_NON_ETM`:: Disallows MACs that do not use `encrypt-then-mac`.

      Note that ciphers that use implicit MACs are always allowed because they use authenticated encryption (AEAD), so the setting only affects the separate MAC negotiated alongside non-AEAD ciphers.
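As an added example (not text from this issue and not a file shipped by the crypto-policies project), the following custom policy module applies the `DISABLE_NON_ETM` setting described above so that only encrypt-then-mac MACs remain available to SSH. The module name `ETM-ONLY` is an assumed placeholder; the `etm@SSH` option, its values and the deprecated `ssh_etm` spelling are the ones named in this issue.

```ini
# /etc/crypto-policies/policies/modules/ETM-ONLY.pmod
# Added example module (placeholder name ETM-ONLY), not part of the
# crypto-policies project. It restricts SSH to encrypt-then-mac MACs.
#
# Old, deprecated spelling that still works but prints a deprecation
# warning (kept here commented out for comparison):
# ssh_etm = 0
#
# Tri-state option scoped to SSH. Possible values:
#   ANY             - allow encrypt-then-mac and encrypt-and-mac MACs
#   DISABLE_ETM     - drop encrypt-then-mac MACs (what FIPS:OSPP uses)
#   DISABLE_NON_ETM - drop MACs that are not encrypt-then-mac
# Ciphers with implicit (AEAD) MACs are unaffected by this option.
etm@SSH = DISABLE_NON_ETM
```

Apply the module on top of the base policy with `update-crypto-policies --set DEFAULT:ETM-ONLY`, confirm the active policy with `update-crypto-policies --show`, and check the resulting `MACs` line in `/etc/crypto-policies/back-ends/openssh.config` and `/etc/crypto-policies/back-ends/opensshserver.config`: with the module in place, only `-etm@openssh.com` MAC names should remain there, while AEAD ciphers such as the `-gcm@openssh.com` and `chacha20-poly1305@openssh.com` entries stay in the `Ciphers` line.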

          Ondrej Moris, Alexander Sosedkin, Mirek Jahoda