Another approach for crypto policies (#1479271)
parent
970a418151
commit
0ce6c7b710
@ -64,7 +64,7 @@ diff -up openssh-7.4p1/sshd_config.5.redhat openssh-7.4p1/sshd_config.5
|
|||||||
diff -up openssh-7.4p1/sshd_config.redhat openssh-7.4p1/sshd_config
|
diff -up openssh-7.4p1/sshd_config.redhat openssh-7.4p1/sshd_config
|
||||||
--- openssh-7.4p1/sshd_config.redhat 2016-12-19 05:59:41.000000000 +0100
|
--- openssh-7.4p1/sshd_config.redhat 2016-12-19 05:59:41.000000000 +0100
|
||||||
+++ openssh-7.4p1/sshd_config 2016-12-23 13:33:05.386233133 +0100
|
+++ openssh-7.4p1/sshd_config 2016-12-23 13:33:05.386233133 +0100
|
||||||
@@ -10,21 +10,26 @@
|
@@ -10,21 +10,35 @@
|
||||||
# possible, but leave them commented. Uncommented options override the
|
# possible, but leave them commented. Uncommented options override the
|
||||||
# default value.
|
# default value.
|
||||||
|
|
||||||
@ -88,6 +88,15 @@ diff -up openssh-7.4p1/sshd_config.redhat openssh-7.4p1/sshd_config
|
|||||||
# Ciphers and keying
|
# Ciphers and keying
|
||||||
#RekeyLimit default none
|
#RekeyLimit default none
|
||||||
|
|
||||||
|
+# System-wide Crypto policy:
|
||||||
|
+# If this system is following system-wide crypto policy, the changes to
|
||||||
|
+# Ciphers, MACs, KexAlgoritms and GSSAPIKexAlgorithsm will not have any
|
||||||
|
+# effect here. They will be overridden by command-line options passed on
|
||||||
|
+# the server start up.
|
||||||
|
+# To opt out, uncomment a line with redefinition of CRYPTO_POLICY=
|
||||||
|
+# variable in /etc/sysconfig/sshd to overwrite the policy.
|
||||||
|
+# For more information, see manual page for update-crypto-policies(8).
|
||||||
|
+
|
||||||
# Logging
|
# Logging
|
||||||
#SyslogFacility AUTH
|
#SyslogFacility AUTH
|
||||||
+SyslogFacility AUTHPRIV
|
+SyslogFacility AUTHPRIV
|
||||||
|
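Review bot: The added sshd_config comment misspells two of the option names it warns about: `KexAlgoritms` and `GSSAPIKexAlgorithsm` should read `KexAlgorithms` and `GSSAPIKexAlgorithms`. An administrator who searches the file for the real directive names will not land on this warning, and may edit those settings believing the change took effect while the command-line policy still overrides it. The sentence "uncomment a line with redefinition of CRYPTO_POLICY= variable ... to overwrite the policy" would also read more clearly as `# To opt out, uncomment the CRYPTO_POLICY= line in /etc/sysconfig/sshd; the settings in this file then apply.` The hunk shows only part of the patched sshd_config, so other references to these options may exist outside it.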
@ -6,8 +6,9 @@ Wants=sshd-keygen.target
|
|||||||
|
|
||||||
[Service]
|
[Service]
|
||||||
Type=notify
|
Type=notify
|
||||||
|
EnvironmentFile=-/etc/crypto-policies/back-ends/openssh-server.config
|
||||||
EnvironmentFile=-/etc/sysconfig/sshd
|
EnvironmentFile=-/etc/sysconfig/sshd
|
||||||
ExecStart=/usr/sbin/sshd -D $OPTIONS
|
ExecStart=/usr/sbin/sshd -D $OPTIONS $CRYPTO_POLICY
|
||||||
ExecReload=/bin/kill -HUP $MAINPID
|
ExecReload=/bin/kill -HUP $MAINPID
|
||||||
KillMode=process
|
KillMode=process
|
||||||
Restart=on-failure
|
Restart=on-failure
|
||||||
|
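Review bot: The new `EnvironmentFile=-/etc/crypto-policies/back-ends/openssh-server.config` line carries the `-` prefix, so a missing or unreadable policy file is skipped without an error and `$CRYPTO_POLICY` on the `ExecStart=` line expands to nothing. In that case sshd starts with whatever sshd_config or the built-in defaults allow, and nothing in the unit indicates that the system-wide policy was not applied. The opt-out also relies on this file being listed before `/etc/sysconfig/sshd`, because the later file's assignment wins. A comment above the two lines, such as `# Order matters: /etc/sysconfig/sshd is read last so that CRYPTO_POLICY= there overrides the system-wide policy`, would protect against a later reordering. The same applies to the socket-activated unit at the end of the page (`ExecStart=-/usr/sbin/sshd -i $OPTIONS $CRYPTO_POLICY`).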
@ -11,3 +11,7 @@
|
|||||||
|
|
||||||
SSH_USE_STRONG_RNG=0
|
SSH_USE_STRONG_RNG=0
|
||||||
# SSH_USE_STRONG_RNG=1
|
# SSH_USE_STRONG_RNG=1
|
||||||
|
|
||||||
|
# System-wide crypto policy:
|
||||||
|
# To opt-out, uncomment the following line
|
||||||
|
# CRYPTO_POLICY=
|
||||||
|
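Review bot: The opt-out comment added here says how to disable the system-wide crypto policy but not what sshd uses afterwards. With `CRYPTO_POLICY=` set empty, the algorithm lists presumably come from sshd_config or the built-in defaults, which can be weaker than the policy. I would extend the comment with a line such as `# After opting out, Ciphers, MACs and KexAlgorithms come from /etc/ssh/sshd_config or the built-in defaults.` so the consequence is visible at the point where the switch is flipped.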
@ -5,6 +5,7 @@ Wants=sshd-keygen.target
|
|||||||
After=sshd-keygen.target
|
After=sshd-keygen.target
|
||||||
|
|
||||||
[Service]
|
[Service]
|
||||||
|
EnvironmentFile=-/etc/crypto-policies/back-ends/openssh-server.config
|
||||||
EnvironmentFile=-/etc/sysconfig/sshd
|
EnvironmentFile=-/etc/sysconfig/sshd
|
||||||
ExecStart=-/usr/sbin/sshd -i $OPTIONS
|
ExecStart=-/usr/sbin/sshd -i $OPTIONS $CRYPTO_POLICY
|
||||||
StandardInput=socket
|
StandardInput=socket
|
||||||
|