Another approach for crypto policies (#1479271)

Jakub Jelen 2017-08-09 15:14:13 +02:00
parent 970a418151
commit 0ce6c7b710
4 changed files with 18 additions and 3 deletions


@ -64,7 +64,7 @@ diff -up openssh-7.4p1/sshd_config.5.redhat openssh-7.4p1/sshd_config.5
diff -up openssh-7.4p1/sshd_config.redhat openssh-7.4p1/sshd_config diff -up openssh-7.4p1/sshd_config.redhat openssh-7.4p1/sshd_config
--- openssh-7.4p1/sshd_config.redhat 2016-12-19 05:59:41.000000000 +0100 --- openssh-7.4p1/sshd_config.redhat 2016-12-19 05:59:41.000000000 +0100
+++ openssh-7.4p1/sshd_config 2016-12-23 13:33:05.386233133 +0100 +++ openssh-7.4p1/sshd_config 2016-12-23 13:33:05.386233133 +0100
@@ -10,21 +10,26 @@ @@ -10,21 +10,35 @@
# possible, but leave them commented. Uncommented options override the # possible, but leave them commented. Uncommented options override the
# default value. # default value.
@ -88,6 +88,15 @@ diff -up openssh-7.4p1/sshd_config.redhat openssh-7.4p1/sshd_config
# Ciphers and keying # Ciphers and keying
#RekeyLimit default none #RekeyLimit default none
+# System-wide Crypto policy:
+# If this system is following system-wide crypto policy, the changes to
+# Ciphers, MACs, KexAlgoritms and GSSAPIKexAlgorithsm will not have any
+# effect here. They will be overridden by command-line options passed on
+# the server start up.
+# To opt out, uncomment a line with redefinition of CRYPTO_POLICY=
+# variable in /etc/sysconfig/sshd to overwrite the policy.
+# For more information, see manual page for update-crypto-policies(8).
+
# Logging # Logging
#SyslogFacility AUTH #SyslogFacility AUTH
+SyslogFacility AUTHPRIV +SyslogFacility AUTHPRIV
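Review bot: The new sshd_config comment misspells two keyword names, `KexAlgoritms` and `GSSAPIKexAlgorithsm`, which matters because administrators grep this file for the exact keyword; the line should read `# Ciphers, MACs, KexAlgorithms and GSSAPIKexAlgorithms will not have any`. The comment says the values are "overridden" but not why, and the mechanism is worth one sentence because it explains the silent failure mode: as far as I recall sshd keeps the first value it obtains for a keyword, and the `-o` options carried in `$CRYPTO_POLICY` are processed before sshd_config is read, so an uncommented Ciphers/MACs/KexAlgorithms line here is ignored rather than merged — e.g. `# (sshd keeps the first value seen for a keyword; the -o options win over this file)`. The opt-out sentence is also awkward; `# To opt out, uncomment the CRYPTO_POLICY= line in /etc/sysconfig/sshd.` says the same thing directly. The surrounding hunk is a patch-within-a-patch and the enclosing sshd_config section continues outside it.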


@ -6,8 +6,9 @@ Wants=sshd-keygen.target
[Service] [Service]
Type=notify Type=notify
EnvironmentFile=-/etc/crypto-policies/back-ends/openssh-server.config
EnvironmentFile=-/etc/sysconfig/sshd EnvironmentFile=-/etc/sysconfig/sshd
ExecStart=/usr/sbin/sshd -D $OPTIONS ExecStart=/usr/sbin/sshd -D $OPTIONS $CRYPTO_POLICY
ExecReload=/bin/kill -HUP $MAINPID ExecReload=/bin/kill -HUP $MAINPID
KillMode=process KillMode=process
Restart=on-failure Restart=on-failure
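Review bot: The two `EnvironmentFile=` lines are order-dependent and the unit does not say so: the opt-out in /etc/sysconfig/sshd only works because systemd lets a later `EnvironmentFile=` override an earlier one, so swapping them would silently re-enable the policy. A comment above the pair would protect that, e.g. `# Order matters: CRYPTO_POLICY= in /etc/sysconfig/sshd overrides the crypto-policies value (later EnvironmentFile= wins).` The unquoted `$CRYPTO_POLICY` on ExecStart is also deliberate and worth a note — systemd splits `$VAR` into several arguments, which the multiple `-o` options in the back-end file need, whereas `${VAR}` would pass them as one word. Finally, because of the leading `-` on the first `EnvironmentFile=`, a missing /etc/crypto-policies/back-ends/openssh-server.config leaves `$CRYPTO_POLICY` empty and sshd falls back to sshd_config with no warning; if that is acceptable it should at least be stated in the comment.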


@ -11,3 +11,7 @@
SSH_USE_STRONG_RNG=0 SSH_USE_STRONG_RNG=0
# SSH_USE_STRONG_RNG=1 # SSH_USE_STRONG_RNG=1
# System-wide crypto policy:
# To opt-out, uncomment the following line
# CRYPTO_POLICY=
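Review bot: The opt-out comment does not say what an uncommented `CRYPTO_POLICY=` leaves in force, which is the security-relevant part: the variable becomes empty, the unit passes no `-o` options, and sshd's Ciphers, MACs and KexAlgorithms then come from /etc/ssh/sshd_config or sshd's built-in defaults, which may be weaker than the system-wide policy. Suggest `# Uncommenting disables the system-wide crypto policy for sshd; Ciphers, MACs and` / `# KexAlgorithms then come from /etc/ssh/sshd_config (or sshd's built-in defaults).` It is also worth saying that an uncommented `CRYPTO_POLICY=` line is what a hardening audit should look for, since sshd_config alone no longer shows whether the policy is active. This file is read by systemd's `EnvironmentFile=`, not by a shell, so the comment should not suggest shell syntax beyond a plain assignment.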


@ -5,6 +5,7 @@ Wants=sshd-keygen.target
After=sshd-keygen.target After=sshd-keygen.target
[Service] [Service]
EnvironmentFile=-/etc/crypto-policies/back-ends/openssh-server.config
EnvironmentFile=-/etc/sysconfig/sshd EnvironmentFile=-/etc/sysconfig/sshd
ExecStart=-/usr/sbin/sshd -i $OPTIONS ExecStart=-/usr/sbin/sshd -i $OPTIONS $CRYPTO_POLICY
StandardInput=socket StandardInput=socket
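Review bot: sshd@.service now carries the same `EnvironmentFile=` pair and the same `$CRYPTO_POLICY` expansion as sshd.service, so the two units must stay in sync or socket-activated instances would negotiate a different algorithm set than the long-running daemon; a comment pointing at the twin unit, e.g. `# Keep the EnvironmentFile=/CRYPTO_POLICY handling identical to sshd.service.`, would make that visible to the next editor. The ordering of the two `EnvironmentFile=` lines is load-bearing here as well (the later file's `CRYPTO_POLICY=` overrides the crypto-policies value), and nothing in the unit says so. The pre-existing `-` on `ExecStart=` means a failing `sshd -i` exit status is ignored; that is unchanged by this commit but the added command-line options make a misconfigured policy a new way for the instance to exit, so confirm the failure is still logged somewhere visible.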