On Fri, 4 Oct 2019, Paul Heinlein wrote:
> Is it possible to mix and match crypto policies using approved tools
> in CentOS 8?
>
> Our environment requires a LEGACY setting for OpenSSL so we can
> maintain connections with our LDAP servers (which we cannot update
> at this time), but I'd like especially the OpenSSH settings to use
> the DEFAULT policy (and maybe even FUTURE on a test host or two).
>
> I think it's possible to manually repoint the symbolic links in
> /etc/crypto-policies/back-ends to achieve that result, and I'll set
> up puppet rules if that's the only way to do so, but I'd prefer to
> use a more canonical approach if one exists.
I received no replies to this query, so I hacked together a solution.
In case someone needs to know, it was essentially something like this:
# all operations run as root
update-crypto-policies --set LEGACY
systemctl reboot
# after system comes back online...
pushd /etc/crypto-policies/back-ends
# reconfigure SSH client operations using DEFAULT policy
rm openssh.config
ln -s /usr/share/crypto-policies/DEFAULT/openssh.txt \
openssh.config
# reconfigure sshd using DEFAULT policy and restart it
rm opensshserver.config
ln -s /usr/share/crypto-policies/DEFAULT/opensshserver.txt \
opensshserver.config
systemctl restart sshd.service
### voila
--
Paul Heinlein
heinlein@xxxxxxxxxx
45°38' N, 122°6' W
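Added example (not from Paul's post or from the crypto-policies project): a small bash library that performs the same re-pointing with a guard against missing policy files, and reports which policy each back-end actually follows. Every function takes a root prefix as its first argument (an empty string on a live host) so it can be exercised against a constructed tree; the function names cp_active, cp_report, cp_repoint and cp_drift are my own. The drift check matters because a later update-crypto-policies --set regenerates the back-end links and undoes the manual override.

```bash
#!/bin/bash
# Added example: manage per-application crypto-policy back-end links.
# ROOT prefixes every path ("" on a live system) so the functions can be
# exercised against a constructed directory tree without touching /etc.
# Function names are hypothetical; they are not part of crypto-policies.
set -u

# System-wide policy as recorded by update-crypto-policies --set.
cp_active() { head -n1 "$1/etc/crypto-policies/config"; }

# Print "<backend> <policy>" for every back-end link, deriving the policy
# from the directory the link resolves to (e.g. .../DEFAULT/openssh.txt).
cp_report() {
    local root=$1 link target
    for link in "$root"/etc/crypto-policies/back-ends/*.config; do
        if target=$(readlink "$link"); then
            echo "$(basename "$link" .config) $(basename "$(dirname "$target")")"
        else
            echo "$(basename "$link" .config) NOT-A-SYMLINK"
        fi
    done
}

# Point one back-end (openssh, opensshserver, ...) at POLICY, refusing
# when the policy file is missing so a typo cannot leave a dangling link.
cp_repoint() {
    local root=$1 backend=$2 policy=$3
    local src=$root/usr/share/crypto-policies/$policy/$backend.txt
    local dst=$root/etc/crypto-policies/back-ends/$backend.config
    [ -f "$src" ] || { echo "no such policy file: $src" >&2; return 1; }
    ln -sfn "$src" "$dst"
}

# List back-ends that diverge from the system-wide policy; exit status 1
# when any do. Run it after any update-crypto-policies --set, which
# regenerates the links and silently undoes manual overrides.
cp_drift() {
    local root=$1 active
    active=$(cp_active "$root")
    cp_report "$root" | awk -v active="$active" \
        '$2 != active { print $1 " follows " $2 ", system policy is " active; n++ }
         END { exit n > 0 }'
}

# Usage on a live host, as root, mirroring the original post:
#   cp_repoint "" openssh DEFAULT && cp_repoint "" opensshserver DEFAULT \
#     && systemctl restart sshd.service
#   cp_drift ""
```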
_______________________________________________
CentOS mailing list
CentOS@xxxxxxxxxx
https://lists.centos.org/mailman/listinfo/centos