From 0ce6c7b71060e3b0a12d1a19a40d0ef4c03aa3a5 Mon Sep 17 00:00:00 2001
From: Jakub Jelen
Date: Wed, 9 Aug 2017 15:14:13 +0200
Subject: [PATCH] Another approach for crypto policies (#1479271)
---
 openssh-6.6p1-redhat.patch | 11 ++++++++++-
 sshd.service | 3 ++-
 sshd.sysconfig | 4 ++++
 sshd@.service | 3 ++-
 4 files changed, 18 insertions(+), 3 deletions(-)
diff --git a/openssh-6.6p1-redhat.patch b/openssh-6.6p1-redhat.patch
index 818858a..426ba66 100644
--- a/openssh-6.6p1-redhat.patch
+++ b/openssh-6.6p1-redhat.patch
@@ -64,7 +64,7 @@ diff -up openssh-7.4p1/sshd_config.5.redhat openssh-7.4p1/sshd_config.5
 diff -up openssh-7.4p1/sshd_config.redhat openssh-7.4p1/sshd_config
 --- openssh-7.4p1/sshd_config.redhat 2016-12-19 05:59:41.000000000 +0100
 +++ openssh-7.4p1/sshd_config 2016-12-23 13:33:05.386233133 +0100
-@@ -10,21 +10,26 @@
+@@ -10,21 +10,35 @@
  # possible, but leave them commented. Uncommented options override the
  # default value.
  
@@ -88,6 +88,15 @@ diff -up openssh-7.4p1/sshd_config.redhat openssh-7.4p1/sshd_config
  # Ciphers and keying
  #RekeyLimit default none
  
++# System-wide Crypto policy:
++# If this system is following system-wide crypto policy, the changes to
++# Ciphers, MACs, KexAlgoritms and GSSAPIKexAlgorithsm will not have any
++# effect here. They will be overridden by command-line options passed on
++# the server start up.
++# To opt out, uncomment a line with redefinition of CRYPTO_POLICY=
++# variable in /etc/sysconfig/sshd to overwrite the policy.
++# For more information, see manual page for update-crypto-policies(8).
++
  # Logging
  #SyslogFacility AUTH
 +SyslogFacility AUTHPRIV
diff --git a/sshd.service b/sshd.service
index e8afb86..30752c2 100644
--- a/sshd.service
+++ b/sshd.service
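Review bot: The new sshd_config comment in the second hunk misspells the two directive names it tells the administrator about: `KexAlgoritms` and `GSSAPIKexAlgorithsm` should read `KexAlgorithms` and `GSSAPIKexAlgorithms`, which matters because these are exactly the names someone will grep for when a setting in this file seems to be ignored. The opt-out sentence is also hard to parse; I would write those two lines as `# To opt out, uncomment the CRYPTO_POLICY= line in /etc/sysconfig/sshd;` / `# the directives in this file then take effect again.` This hunk patches a patch, so the wording lands in the packaged sshd_config, and the nested sshd_config hunk continues outside this view.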
@@ -6,8 +6,9 @@ Wants=sshd-keygen.target
 
 [Service]
 Type=notify
+EnvironmentFile=-/etc/crypto-policies/back-ends/openssh-server.config
 EnvironmentFile=-/etc/sysconfig/sshd
-ExecStart=/usr/sbin/sshd -D $OPTIONS
+ExecStart=/usr/sbin/sshd -D $OPTIONS $CRYPTO_POLICY
 ExecReload=/bin/kill -HUP $MAINPID
 KillMode=process
 Restart=on-failure
diff --git a/sshd.sysconfig b/sshd.sysconfig
index 2d08984..de7f0c6 100644
--- a/sshd.sysconfig
+++ b/sshd.sysconfig
@@ -11,3 +11,7 @@
 
 SSH_USE_STRONG_RNG=0
 # SSH_USE_STRONG_RNG=1
+
+# System-wide crypto policy:
+# To opt-out, uncomment the following line
+# CRYPTO_POLICY=
diff --git a/sshd@.service b/sshd@.service
index 196c555..c685f42 100644
--- a/sshd@.service
+++ b/sshd@.service
@@ -5,6 +5,7 @@ Wants=sshd-keygen.target
 After=sshd-keygen.target
 
 [Service]
+EnvironmentFile=-/etc/crypto-policies/back-ends/openssh-server.config
 EnvironmentFile=-/etc/sysconfig/sshd
-ExecStart=-/usr/sbin/sshd -i $OPTIONS
+ExecStart=-/usr/sbin/sshd -i $OPTIONS $CRYPTO_POLICY
 StandardInput=socket
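Review bot: The opt-out documented in sshd.sysconfig depends on the order of the two `EnvironmentFile=` lines in this hunk: systemd reads them in sequence and a later assignment replaces an earlier one, so `CRYPTO_POLICY=` in /etc/sysconfig/sshd only wins because that file is listed second, and nothing in the unit says so. A comment above the new line would keep a future reorder from silently re-enabling the policy: `# Must precede /etc/sysconfig/sshd so a CRYPTO_POLICY= override there wins.` The `-` prefix additionally makes an absent policy file a silent no-op, which is the intended fallback to sshd_config but worth one clause in the same comment. A second caveat belongs on the ExecStart line: the options are read from the unit's environment at start, and `ExecReload` sends SIGHUP, on which sshd re-executes itself with its original arguments, so a policy change made with update-crypto-policies takes effect on restart, not reload. The same two points apply to the sshd@.service hunk below.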
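Review bot: The new sshd.sysconfig comment says how to opt out but not what that does: with `CRYPTO_POLICY=` set empty here, sshd is started without the policy's command-line options and the Ciphers, MACs and KexAlgorithms lines in sshd_config govern again, so whoever uncomments it takes over responsibility for those values. I would extend the comment to `# To opt out, uncomment the following line; sshd then uses the` / `# Ciphers/MACs/KexAlgorithms configured in sshd_config instead.` Minor: "opt-out" is the noun, the verb form is "opt out".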