On 3/10/21 6:58 PM, Daniel Pocock wrote:
Hi all,
I put some comments on the OpenSSH mailing list[1] about UpdateHostKeys
and other SHA-1 related changes.
The OpenSSH release notes simply tell people to update OpenSSH. In
practice, people who use distributions like Fedora, RHEL and CentOS are
going to wait for a package. Security-conscious users who can't
completely disable ssh may use the MACs parameter in ssh_config,
sshd_config or both.
What does it mean from a Fedora perspective? For example:
- did anybody already write any wiki page, FAQ or guide for Fedora users
to navigate the SHA-1 issue in SSH?
- will Fedora be more proactive than upstream in disabling SHA-1 or will
Fedora simply follow the timeline from upstream?
Regards,
Daniel
1. https://lists.mindrot.org/pipermail/openssh-unix-dev/2021-March/039194.html
Hi,
Fedora disabled RSA with SHA1 in Fedora 33. Previously, we did the same
thing in FIPS mode.
https://fedoraproject.org/wiki/Changes/StrongCryptoSettings2
I see that most of the myths and wrong assumptions were already busted
and your questions answered. Please, let me know if something is still
unclear.
We do not have a separate wiki page about SSH, but you are welcome to
create one if you would find it useful to have the information summarized. The
hard part is keeping it up to date.
Maybe an even better place for this would be the system administrator guide,
which already has a section about OpenSSH, which I was recently updating
to the current version:
https://pagure.io/fedora-docs/system-administrators-guide
Regards,
--
Jakub Jelen
Senior Software Engineer
Crypto Team, Security Engineering
Red Hat, Inc.