F27 Self Contained Change: OpenSSH Server Crypto Policy

= Proposed Self Contained Change: OpenSSH Server Crypto Policy =
https://fedoraproject.org/wiki/Changes/OpenSSH_Server_Crypto_Policy

Change owner(s):
* Jakub Jelen <jjelen AT redhat DOT com>

OpenSSH clients have followed the system-wide crypto policy since Fedora 26.
This F27 change modifies the OpenSSH server configuration to adhere to
the system-wide policy. That will allow the OpenSSH server configuration
to adapt to the multiple security levels offered system-wide.


== Detailed Description ==
Currently, the set of cryptographic algorithms used in OpenSSH is
defined by upstream, and Fedora just inherits what upstream considers
secure. If there are special security requirements, manual
modification of the configuration files is required, which also
prevents the package manager from updating the configuration file with
future updates and can possibly leave insecure algorithms enabled.

Since Fedora 26, OpenSSH clients have followed the crypto policies defined
system-wide by using the Include configuration option in the main ssh_config.
We cannot use the same method in the server, because OpenBSD has not
yet accepted the patch supporting the same in the server configuration
(upstream bug), so we will work out another way of doing that without
disrupting existing workflows.

For more information about Crypto Policy, see the appropriate wiki
page Changes/CryptoPolicy, which describes the concept as a whole.


== Scope ==
* Proposal owners:
Create a replace script that will replace a predefined comment in the
configuration with configuration generated according to the current crypto
policies. Make systemd trigger this script on restart.

* Other developers:
N/A (not a System Wide Change)

* Release engineering:
https://pagure.io/releng/issue/6915

* List of deliverables:
N/A (not a System Wide Change)

* Policies and guidelines:
N/A (not a System Wide Change)

* Trademark approval:
N/A (not needed for this Change)
-- 
Jan Kuřík
Platform & Fedora Program Manager
Red Hat Czech s.r.o., Purkynova 99/71, 612 45 Brno, Czech Republic
_______________________________________________
devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx
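
The replace step described under Scope, as an added example (not the script Fedora ships and not code from the proposal): the marker comment, the BEGIN/END lines and the two file arguments are assumptions. It goes slightly beyond the proposal by wrapping the generated lines in BEGIN/END markers, so that a rerun on every service restart refreshes the block instead of finding the comment already gone.

```shell
#!/bin/sh
# Added example. The marker text and the BEGIN/END lines are assumptions,
# not the strings used by the Fedora openssh package.
MARKER='# CRYPTO_POLICY_PLACEHOLDER'
BEGIN='# BEGIN generated crypto policy'
END='# END generated crypto policy'

# apply_policy CONFIG FRAGMENT
# Puts the lines of FRAGMENT (options generated from the active policy)
# where CONFIG has the marker comment, or refreshes the block written by
# an earlier run. Returns 1 and leaves CONFIG untouched if it has neither.
apply_policy() {
    config=$1
    fragment=$2
    [ -r "$config" ] && [ -r "$fragment" ] || return 1
    # Same directory as CONFIG so the final mv is an atomic rename.
    # mktemp creates the file with mode 0600.
    tmp=$(mktemp "${config}.XXXXXX") || return 1
    if awk -v marker="$MARKER" -v bline="$BEGIN" -v eline="$END" \
           -v frag="$fragment" '
        function emit(    line) {
            print bline
            while ((getline line < frag) > 0) print line
            close(frag)
            print eline
            n++
        }
        $0 == marker        { emit(); next }            # first run
        $0 == bline         { emit(); skip = 1; next }  # later runs
        skip && $0 == eline { skip = 0; next }
        !skip               { print }
        # Fail unless exactly one block was written and it was closed.
        END { exit !(n == 1 && !skip) }
    ' "$config" > "$tmp"; then
        mv "$tmp" "$config"
    else
        rm -f "$tmp"
        return 1
    fi
}

# Usage: script CONFIG FRAGMENT (for instance from a unit's ExecStartPre=).
if [ "$#" -eq 2 ]; then
    apply_policy "$1" "$2"
fi
```

Running `sshd -t -f` on the temporary file before the rename would additionally catch a fragment that sshd rejects.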



