Different crypto policies in RHEL&clones 7/8/9 and openSUSE (15.3)/15.4 #16

Open
opened 2023-03-17 07:19:49 +00:00 by svelt · 0 comments
Owner

RHEL7:

* no includes in `/etc/ssh/sshd_config` due to 7.4
* Snippets have to go to `/etc/ssh/sshd_config`
* **classic config**

RHEL8:

* no includes in `/etc/ssh/sshd_config`, 8.0 knows "Include"
* `/usr/lib/systemd/system/sshd(@).service` has `EnvironmentFile=-/etc/crypto-policies/back-ends/opensshserver.config`
  * sets `CRYPTO_POLICY=-o... -o...`
  * command line: `ExecStart=/usr/sbin/sshd -D $OPTIONS $CRYPTO_POLICY`
* **variable based crypto policy** (old: RedHat crypto policy way)

RHEL9:

* `Include /etc/ssh/sshd_config.d/*.conf` (8.7)
  * `/etc/ssh/sshd_config.d/50-redhat.conf` has `/etc/ssh/sshd_config.d/50-redhat.conf`
    * `sshd_config`-style snippet
* **settings based crypto policy** (old: Fedora-template based)

openSUSE15.3:

* no includes in `/etc/ssh/sshd_config`, 8.4 knows "Include"
* **classic config**

openSUSE15.4:

* no includes in `/etc/ssh/sshd_config`, 8.4 knows "Include"
* `/etc/crypto-policies/back-ends/opensshserver.config` exists!
  * but NOT included anywhere!
* **classic config** FIXME
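As an added example (not part of the issue and not code from the Ansible/ssh-hardening project), the following POSIX shell check classifies which of the three layouts listed above a host uses: settings-based (`Include` drop-ins), variable-based (`EnvironmentFile` plus `$CRYPTO_POLICY` in the unit), or classic, and separately flags the openSUSE 15.4 situation where the crypto-policies back-end file exists but nothing references it. The function names `classify_sshd_policy` and `backend_referenced`, the root-prefix convention (so it can be run against a staged copy of a host's files) and the non-template unit path `/usr/lib/systemd/system/sshd.service` are assumptions; the other paths are the ones the issue lists.

```shell
#!/bin/sh
# Added example, not from the issue: classify how an sshd installation wires in
# its crypto policy. The first argument is a path prefix ("" for the live
# system) so the check can also be run against a staged tree.
# Paths are the ones the issue lists; the sshd.service path is assumed.

# Returns 0 if anything sshd or its unit reads mentions the crypto-policies
# back-end file (the openSUSE 15.4 case is "exists but unreferenced").
backend_referenced() {
    root="$1"
    for f in "$root/etc/ssh/sshd_config" \
             "$root"/etc/ssh/sshd_config.d/*.conf \
             "$root/usr/lib/systemd/system/sshd.service"; do
        [ -f "$f" ] && grep -q 'opensshserver\.config' "$f" && return 0
    done
    return 1
}

# Prints one of: settings-based, variable-based, classic,
# classic-unreferenced-backend, or "unknown" (with exit status 1).
classify_sshd_policy() {
    root="$1"
    cfg="$root/etc/ssh/sshd_config"
    svc="$root/usr/lib/systemd/system/sshd.service"
    backend="$root/etc/crypto-policies/back-ends/opensshserver.config"

    if [ ! -f "$cfg" ]; then
        echo "unknown"
        return 1
    fi

    # RHEL9 layout: the main config pulls in drop-ins with Include; the policy
    # is an sshd_config-style snippet rather than a shell variable.
    if grep -Eq '^[[:space:]]*Include[[:space:]]' "$cfg"; then
        echo "settings-based"
        return 0
    fi

    # RHEL8 layout: no Include; the unit sources CRYPTO_POLICY=-o... from the
    # back-end file and appends $CRYPTO_POLICY to the sshd command line.
    if [ -f "$svc" ] && grep -Eq '^EnvironmentFile=-?.*opensshserver\.config' "$svc"; then
        echo "variable-based"
        return 0
    fi

    # Classic config: everything lives in sshd_config itself. Flag the
    # openSUSE 15.4 situation where the back-end file is present but nothing
    # consumes it, so editing the policy there would silently have no effect.
    if [ -f "$backend" ] && ! backend_referenced "$root"; then
        echo "classic-unreferenced-backend"
        return 0
    fi
    echo "classic"
}

# Usage on a live host: classify_sshd_policy ""
```

The "classic-unreferenced-backend" result is the one worth alerting on: a hardening role that writes only to the crypto-policies back-end would change nothing on such a host, so snippets must go into `sshd_config` itself until the distribution wires the file in.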
Reference: Ansible/ssh-hardening#16