On Mon, Sep 9, 2024 at 12:21 PM kevin martin <ktmdms@xxxxxxxxx> wrote:
> well nuts. that, in fact, doesn't work. it appears that, based on an
> strace, the order of reading for policies is personal .ssh/config,
> /etc/ssh/ssh_config (and conf.d files), then crypto policies, with
> the more restrictive policy being used.

If the system-wide crypto policies module disables SHA-1, then you are not going to be able to override it at the application level. That’s the entire point of having *system-wide* crypto policies.

You likely don’t need to change to the DEFAULT policy, as there is already a policy module for adding back in SHA-1 support. E.g., if you are using the FUTURE policy:

    $ update-crypto-policies --show
    FUTURE
    $ sudo update-crypto-policies --set FUTURE:SHA1
    Setting system policy to FUTURE:SHA1
    Note: System-wide crypto policies are applied on application start-up.
    It is recommended to restart the system for the change of policies
    to fully take place.

But if your Linux team has rolled their own custom policy, you will need to work with them to update it to permit SHA1.

_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev