RHEL-19427

OpenSSH client opt out of system-wide crypto policies isn't possible for SHA1


    • Type: Bug
    • Resolution: Won't Do
    • Project: Red Hat Enterprise Linux
    • rhel-9.3.0
    • crypto-policies
    • Moderate
    • rhel-security-crypto
    • ssg_security

      What were you trying to do that didn't work?

      In "3.7.1 Examples of opting out of system-wide crypto policies" we explain that the OpenSSH client can opt out of crypto policies:

      To opt out of system-wide cryptographic policies for your OpenSSH client, perform one of the following tasks:

      - For a given user, override the global ssh_config with a user-specific configuration in the ~/.ssh/config file.
      - For the entire system, specify the cryptographic policy in a drop-in configuration file located in the /etc/ssh/ssh_config.d/ directory, with a two-digit number prefix smaller than 50, so that it lexicographically precedes the 50-redhat.conf file, and with a .conf suffix, for example, 49-crypto-policy-override.conf.

      But this doesn't always work, in particular when wanting to get back SHA1, because SHA1 needs to also be enabled in OpenSSL.
      See use case RHEL-19389.

      Please provide the package NVR for which bug is seen:

      Security hardening Guide as of Dec 14, 2023

              Alexander Sosedkin (asosedki@redhat.com)
              Renaud Métrich (rhn-support-rmetrich)
              SSG Security QE
              Votes: 0
              Watchers: 2
