Re: OpenSSH SHA-1 deprecation, developing FAQ, etc

On 3/10/21 6:58 PM, Daniel Pocock wrote:

Hi all,

I put some comments on the OpenSSH mailing list[1] about UpdateHostKeys
and other SHA-1 related changes.

The OpenSSH release notes simply tell people to update OpenSSH.  In
practice, people who use distributions like Fedora, RHEL and CentOS are
going to wait for a package.  Security-conscious users who can't
completely disable ssh may use the MACs parameter in ssh_config,
sshd_config or both.

What does it mean from a Fedora perspective?  For example:

- did anybody already write any wiki page, FAQ or guide for Fedora users
to navigate the SHA-1 issue in SSH?

- will Fedora be more proactive than upstream in disabling SHA-1 or will
Fedora simply follow the timeline from upstream?

Regards,

Daniel


1. https://lists.mindrot.org/pipermail/openssh-unix-dev/2021-March/039194.html

Hi,
Fedora disabled RSA with SHA1 in Fedora 33. Previously, we did the same thing in FIPS mode.

https://fedoraproject.org/wiki/Changes/StrongCryptoSettings2

I see that most of the myths and wrong assumptions were already busted and your questions answered. Please, let me know if something is still unclear.

We do not have a separate wiki page about SSH, but you are welcome to create one if you would find it useful to have the information summarized. The hard part is keeping it up to date.

Maybe an even better place for this would be the system administrator guide, which already has a section about OpenSSH, which I was recently updating to the current version:

https://pagure.io/fedora-docs/system-administrators-guide

Regards,
--
Jakub Jelen
Senior Software Engineer
Crypto Team, Security Engineering
Red Hat, Inc.
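
The thread touches both the MACs parameter and the disabling of RSA with SHA-1, which live in different OpenSSH options. The following Python script is an added example, not part of the original messages and not Fedora or OpenSSH tooling: it lists every SHA-1 based algorithm still enabled in settings formatted like `sshd -T` or `ssh -G` output. The function names and the sample input are constructed for illustration.

```python
# Added example: flag SHA-1 based algorithms in effective OpenSSH settings.
# Assumption: input looks like `sshd -T` / `ssh -G` output, i.e. one keyword
# per line followed by a comma-separated algorithm list (no +/-/^ prefixes).

# Options whose values are algorithm lists worth checking.
LIST_OPTIONS = {
    "macs": "MAC",
    "kexalgorithms": "key exchange",
    "hostkeyalgorithms": "host key signature",
    "pubkeyacceptedalgorithms": "user key signature",
    "pubkeyacceptedkeytypes": "user key signature",  # older option name
    "casignaturealgorithms": "CA signature",
}

# Signature algorithm names that imply SHA-1 without saying so in the name.
SHA1_SIGNATURES = {
    "ssh-rsa", "ssh-rsa-cert-v01@openssh.com",
    "ssh-dss", "ssh-dss-cert-v01@openssh.com",
}

def uses_sha1(name):
    """True for names such as hmac-sha1 or ssh-rsa, False for rsa-sha2-512."""
    return "sha1" in name or name in SHA1_SIGNATURES

def find_sha1_algorithms(text):
    """Return (category, algorithm) pairs for every SHA-1 based entry."""
    findings = []
    for line in text.splitlines():
        parts = line.split(None, 1)
        if len(parts) != 2:
            continue
        keyword = parts[0].lower()
        if keyword not in LIST_OPTIONS:
            continue
        for name in parts[1].split(","):
            name = name.strip()
            if uses_sha1(name):
                findings.append((LIST_OPTIONS[keyword], name))
    return findings

# Constructed sample, not captured from a real host.
SAMPLE = """\
port 22
macs hmac-sha2-256-etm@openssh.com,hmac-sha1,umac-128-etm@openssh.com
kexalgorithms curve25519-sha256,diffie-hellman-group14-sha1
hostkeyalgorithms rsa-sha2-512,ssh-ed25519,ssh-rsa
"""

if __name__ == "__main__":
    for kind, name in find_sha1_algorithms(SAMPLE):
        print(f"{kind}: {name}")
```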