On Mon, Sep 9, 2024 at 4:55 PM kevin martin <ktmdms@xxxxxxxxx> wrote:
> using "update-crypto-policies --set DEFAULT" allows the connectivity
> to work again.

If so, it means that your Linux team set the policy to something other than DEFAULT—likely FUTURE, or a custom policy that they created.

Overriding the policy back to DEFAULT will enable not just SHA-1, but likely many other encryption and hash algorithms that your Security team may have declared to be non-compliant and verboten. If your Security team's decisions are being driven by a requirement to comply with third-party security policies that your customers/sponsors require (NIST SP 800-171 is a common one), then throwing your host out of compliance could have legal repercussions (1).

The correct thing to do here is *not* to change the policy to DEFAULT because that is the easiest thing that works, but to instead ask your Linux team how to enable SHA-1 support (at least within OpenSSL) within the system-wide cryptographic policy that they have selected.

(1) https://www.theregister.com/2024/08/23/us_georgia_tech_lawsuit/

_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
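The reply above argues for a narrow SHA-1 exception layered on the base policy the Linux team chose, rather than a reset to DEFAULT. The script below is an added example (not from this thread, and not a script the openssh-unix-dev or crypto-policies projects ship) showing how that looks with the crypto-policies subpolicy mechanism. It assumes, from crypto-policies conventions rather than from the thread, that custom modules live under /etc/crypto-policies/policies/modules/ as *.pmod files, that a "+" after a value appends to the base policy's list, that a directive can be scoped to one backend with "@openssl", and that "update-crypto-policies --set BASE:MODULE" layers a module on a base. The module name SHA1-OPENSSL is a hypothetical name chosen here.

```shell
#!/bin/sh
# Added example: keep the team's base policy (e.g. FUTURE) and layer a
# SHA-1 exception scoped to OpenSSL on top of it, instead of resetting
# the whole system to DEFAULT.
#
# Assumptions (crypto-policies conventions, not facts from the thread):
#   - modules are *.pmod files under /etc/crypto-policies/policies/modules/
#   - "VALUE+" appends VALUE to the base policy's list for that directive
#   - "directive@openssl" limits the change to the OpenSSL backend
#   - "update-crypto-policies --set BASE:MODULE" applies BASE plus MODULE
set -eu

MODULE_DIR="${MODULE_DIR:-/etc/crypto-policies/policies/modules}"
MODULE_NAME="SHA1-OPENSSL"   # hypothetical module name for this example

# base_of "FUTURE:SHA1-OPENSSL" -> "FUTURE": the part before the first ':'
# is the base policy the Linux team selected; everything after it is modules.
base_of() {
    printf '%s\n' "${1%%:*}"
}

# Write the subpolicy module into the given directory and print its path.
# Only SHA-1 hashes/signatures for OpenSSL are re-enabled; every other
# algorithm choice comes from the unchanged base policy.
write_sha1_subpolicy() {
    dir="$1"
    mkdir -p "$dir"
    cat > "$dir/$MODULE_NAME.pmod" <<'EOF'
# Re-enable SHA-1 for the OpenSSL backend only (example module).
hash@openssl = SHA1+
sign@openssl = RSA-SHA1+ ECDSA-SHA1+
EOF
    printf '%s\n' "$dir/$MODULE_NAME.pmod"
}

# Current policy string as reported by the tool, or UNKNOWN if the tool is
# absent (so the script can be read and partially exercised on any host).
current_policy() {
    if command -v update-crypto-policies >/dev/null 2>&1; then
        update-crypto-policies --show
    else
        echo "UNKNOWN"
    fi
}

# Refuse to silently widen the policy: if the base is already DEFAULT the
# reported problem is elsewhere, and if the base is unknown we do nothing.
apply_subpolicy() {
    base=$(base_of "$(current_policy)")
    case "$base" in
        UNKNOWN) echo "crypto-policies tool not found; nothing applied" >&2; return 1 ;;
        DEFAULT) echo "base policy is already DEFAULT; no SHA-1 module needed" >&2; return 1 ;;
    esac
    write_sha1_subpolicy "$MODULE_DIR" >/dev/null
    # Result is e.g. FUTURE:SHA1-OPENSSL, not a reset to DEFAULT.
    update-crypto-policies --set "$base:$MODULE_NAME"
}

# Only touch the live system when explicitly asked (usage: ./script.sh --apply).
if [ "${1:-}" = "--apply" ]; then
    apply_subpolicy
fi
```

After applying, a reboot (or at least restarting the affected services) is needed for the back-end configuration files under /etc/crypto-policies/back-ends/ to be picked up, and `update-crypto-policies --show` should print the team's base name followed by `:SHA1-OPENSSL` rather than `DEFAULT`.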