Once upon a time, Richard W.M. Jones <rjones@xxxxxxxxxx> said:
> Previous tightening of crypto defaults caused problems with us
> connecting to older ssh servers.

I also have had trouble connecting to major vendor websites. The vendor
response is just "works in Chrome and Firefox on Windows, must be your
problem".

> I am particularly interested / worried about sshd from RHEL 5, 6 & 7
> for virt-p2v and virt-v2v conversions. This broke before, requiring
> us to advise users to set the global policy for the machine to LEGACY
> (thus ironically weakening crypto for everything).
>
> Also I have some ancient network equipment that cannot be upgraded but
> needs older ssh protocols. I can't connect to it from Fedora unless I
> set the crypto policy to LEGACY.

Yeah, the model in general seems a little broken to me, especially as I
found the policies are implemented unevenly (IIRC my problem was OpenSSL
couldn't connect but GnuTLS could for example), which just leads to
confusion.

I understand and approve of having good system-wide defaults, but there
needs to be a way to connect to a specific site/device/whatever without
having to lower the system-wide policy.

For SSH, you can usually do that by adjusting the settings on a
per-device basis on the command line or in ~/.ssh/config (setting
PublickeyAcceptedKeyTypes, KexAlgorithms, HostKeyAlgorithms, and/or
Ciphers as needed). I had to SSH to a FreeBSD 4.x server last year! So
many SSH config options required... it had been up without a reboot
since 2007 IIRC.

I am very much not a UI/UX person, but Firefox and other browsers really
could use a good way to override system crypto policy on a per-site
basis.

-- 
Chris Adams <linux@xxxxxxxxxxx>
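
An added example, not part of the original message: a small Python check that a client config keeps algorithm overrides confined to named hosts (the per-device approach described above) and flags any that sit in global, `Match` or wildcard `Host` scope. The sample config, host names and the `audit`/`is_broad` helpers are constructed for illustration; keywords use OpenSSH's own spelling, and `Match` blocks are reported as broad because their criteria are not evaluated.

```python
import re

# Keywords in OpenSSH's spelling (PubkeyAcceptedKeyTypes was renamed
# PubkeyAcceptedAlgorithms in OpenSSH 8.5; the old name remains an alias).
CRYPTO_KEYWORDS = {"kexalgorithms", "hostkeyalgorithms", "ciphers",
                   "pubkeyacceptedkeytypes", "pubkeyacceptedalgorithms"}
# ssh_config accepts both "Keyword value" and "Keyword=value".
LINE_RE = re.compile(r"^(\w+)(?:\s*=\s*|\s+)(.*)$")

SAMPLE_CONFIG = """\
# Constructed sample; host names and addresses are made up.
Host old-switch
    HostName 192.0.2.10
    KexAlgorithms +diffie-hellman-group1-sha1
    HostKeyAlgorithms +ssh-rsa
    Ciphers +aes128-cbc

Host *.lab.example.com
    HostKeyAlgorithms=+ssh-rsa

Host *
    Ciphers +3des-cbc
"""

def is_broad(kind, patterns):
    """Global/Match scope, or a non-negated Host pattern with * or ?."""
    if kind != "host":
        return True
    return any(c in p for p in patterns if not p.startswith("!") for c in "*?")

def audit(config_text):
    """Return (line_no, scope, keyword, value, broad) per crypto override."""
    kind, patterns, findings = "global", [], []
    for line_no, raw in enumerate(config_text.splitlines(), 1):
        m = LINE_RE.match(raw.strip())
        if not m:                      # blank line or comment
            continue
        keyword, value = m.group(1).lower(), m.group(2).strip()
        if keyword in ("host", "match"):
            kind, patterns = keyword, value.split()
        elif keyword in CRYPTO_KEYWORDS:
            scope = " ".join(patterns) or "(global)"
            findings.append((line_no, scope, m.group(1), value,
                             is_broad(kind, patterns)))
    return findings

if __name__ == "__main__":
    for line_no, scope, kw, value, broad in audit(SAMPLE_CONFIG):
        print(f"{'BROAD ' if broad else 'scoped'} line {line_no}: "
              f"[{scope}] {kw} {value}")
```
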