Mention crypto-policies in the manual pages instead of the hardcoded defaults

Resolves: rhbz#1668325

openssh-8.0p1-crypto-policies.patch

@@ -0,0 +1,210 @@
+diff -up openssh-8.0p1/ssh_config.5.crypto-policies openssh-8.0p1/ssh_config.5
+--- openssh-8.0p1/ssh_config.5.crypto-policies	2019-05-13 14:04:01.999099570 +0200
++++ openssh-8.0p1/ssh_config.5	2019-05-13 14:12:36.343923071 +0200
+@@ -445,12 +445,10 @@ aes256-gcm@openssh.com
+ chacha20-poly1305@openssh.com
+ .Ed
+ .Pp
+-The default is:
+-.Bd -literal -offset indent
+-chacha20-poly1305@openssh.com,
+-aes128-ctr,aes192-ctr,aes256-ctr,
+-aes128-gcm@openssh.com,aes256-gcm@openssh.com
+-.Ed
++The default is handled system-wide by
++.Xr crypto-policies 7 .
++To see the defaults and how to modifuy this default, see manual page
++.Xr update-crypto-policies 8 .
+ .Pp
+ The list of available ciphers may also be obtained using
+ .Qq ssh -Q cipher .
+@@ -812,8 +810,10 @@ gss-nistp256-sha256-,
+ gss-curve25519-sha256-
+ .Ed
+ .Pp
+-The default is
+-.Dq gss-gex-sha1-,gss-group14-sha1- .
++The default is handled system-wide by
++.Xr crypto-policies 7 .
++To see the defaults and how to modifuy this default, see manual page
++.Xr update-crypto-policies 8 .
+ This option only applies to protocol version 2 connections using GSSAPI.
+ .It Cm HashKnownHosts
+ Indicates that
+@@ -1123,16 +1123,10 @@ If the specified value begins with a
+ .Sq -
+ character, then the specified methods (including wildcards) will be removed
+ from the default set instead of replacing them.
+-The default is:
+-.Bd -literal -offset indent
+-curve25519-sha256,curve25519-sha256@libssh.org,
+-ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,
+-diffie-hellman-group-exchange-sha256,
+-diffie-hellman-group16-sha512,
+-diffie-hellman-group18-sha512,
+-diffie-hellman-group14-sha256,
+-diffie-hellman-group14-sha1
+-.Ed
++The default is handled system-wide by
++.Xr crypto-policies 7 .
++To see the defaults and how to modifuy this default, see manual page
++.Xr update-crypto-policies 8 .
+ .Pp
+ The list of available key exchange algorithms may also be obtained using
+ .Qq ssh -Q kex .
+@@ -1210,14 +1204,10 @@ The algorithms that contain
+ calculate the MAC after encryption (encrypt-then-mac).
+ These are considered safer and their use recommended.
+ .Pp
+-The default is:
+-.Bd -literal -offset indent
+-umac-64-etm@openssh.com,umac-128-etm@openssh.com,
+-hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,
+-hmac-sha1-etm@openssh.com,
+-umac-64@openssh.com,umac-128@openssh.com,
+-hmac-sha2-256,hmac-sha2-512,hmac-sha1
+-.Ed
++The default is handled system-wide by
++.Xr crypto-policies 7 .
++To see the defaults and how to modifuy this default, see manual page
++.Xr update-crypto-policies 8 .
+ .Pp
+ The list of available MAC algorithms may also be obtained using
+ .Qq ssh -Q mac .
+@@ -1361,17 +1351,10 @@ If the specified value begins with a
+ .Sq -
+ character, then the specified key types (including wildcards) will be removed
+ from the default set instead of replacing them.
+-The default for this option is:
+-.Bd -literal -offset 3n
+-ecdsa-sha2-nistp256-cert-v01@openssh.com,
+-ecdsa-sha2-nistp384-cert-v01@openssh.com,
+-ecdsa-sha2-nistp521-cert-v01@openssh.com,
+-ssh-ed25519-cert-v01@openssh.com,
+-rsa-sha2-512-cert-v01@openssh.com,rsa-sha2-256-cert-v01@openssh.com,
+-ssh-rsa-cert-v01@openssh.com,
+-ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,
+-ssh-ed25519,rsa-sha2-512,rsa-sha2-256,ssh-rsa
+-.Ed
++The default is handled system-wide by
++.Xr crypto-policies 7 .
++To see the defaults and how to modifuy this default, see manual page
++.Xr update-crypto-policies 8 .
+ .Pp
+ The list of available key types may also be obtained using
+ .Qq ssh -Q key .
+diff -up openssh-8.0p1/sshd_config.5.crypto-policies openssh-8.0p1/sshd_config.5
+--- openssh-8.0p1/sshd_config.5.crypto-policies	2019-05-13 14:12:41.226968863 +0200
++++ openssh-8.0p1/sshd_config.5	2019-05-13 14:15:14.581406997 +0200
+@@ -490,12 +490,10 @@ aes256-gcm@openssh.com
+ chacha20-poly1305@openssh.com
+ .El
+ .Pp
+-The default is:
+-.Bd -literal -offset indent
+-chacha20-poly1305@openssh.com,
+-aes128-ctr,aes192-ctr,aes256-ctr,
+-aes128-gcm@openssh.com,aes256-gcm@openssh.com
+-.Ed
++The default is handled system-wide by
++.Xr crypto-policies 7 .
++To see the defaults and how to modifuy this default, see manual page
++.Xr update-crypto-policies 8 .
+ .Pp
+ The list of available ciphers may also be obtained using
+ .Qq ssh -Q cipher .
+@@ -700,8 +698,10 @@ gss-nistp256-sha256-,
+ gss-curve25519-sha256-
+ .Ed
+ .Pp
+-The default is
+-.Dq gss-gex-sha1-,gss-group14-sha1- .
++The default is handled system-wide by
++.Xr crypto-policies 7 .
++To see the defaults and how to modifuy this default, see manual page
++.Xr update-crypto-policies 8 .
+ This option only applies to protocol version 2 connections using GSSAPI.
+ .It Cm HostbasedAcceptedKeyTypes
+ Specifies the key types that will be accepted for hostbased authentication
+@@ -792,17 +792,10 @@ environment variable.
+ .It Cm HostKeyAlgorithms
+ Specifies the host key algorithms
+ that the server offers.
+-The default for this option is:
+-.Bd -literal -offset 3n
+-ecdsa-sha2-nistp256-cert-v01@openssh.com,
+-ecdsa-sha2-nistp384-cert-v01@openssh.com,
+-ecdsa-sha2-nistp521-cert-v01@openssh.com,
+-ssh-ed25519-cert-v01@openssh.com,
+-rsa-sha2-512-cert-v01@openssh.com,rsa-sha2-256-cert-v01@openssh.com,
+-ssh-rsa-cert-v01@openssh.com,
+-ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,
+-ssh-ed25519,rsa-sha2-512,rsa-sha2-256,ssh-rsa
+-.Ed
++The default is handled system-wide by
++.Xr crypto-policies 7 .
++To see the defaults and how to modifuy this default, see manual page
++.Xr update-crypto-policies 8 .
+ .Pp
+ The list of available key types may also be obtained using
+ .Qq ssh -Q key .
+@@ -960,14 +953,10 @@ ecdh-sha2-nistp384
+ ecdh-sha2-nistp521
+ .El
+ .Pp
+-The default is:
+-.Bd -literal -offset indent
+-curve25519-sha256,curve25519-sha256@libssh.org,
+-ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,
+-diffie-hellman-group-exchange-sha256,
+-diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,
+-diffie-hellman-group14-sha256,diffie-hellman-group14-sha1
+-.Ed
++The default is handled system-wide by
++.Xr crypto-policies 7 .
++To see the defaults and how to modifuy this default, see manual page
++.Xr update-crypto-policies 8 .
+ .Pp
+ The list of available key exchange algorithms may also be obtained using
+ .Qq ssh -Q kex .
+@@ -1090,14 +1079,10 @@ umac-64-etm@openssh.com
+ umac-128-etm@openssh.com
+ .El
+ .Pp
+-The default is:
+-.Bd -literal -offset indent
+-umac-64-etm@openssh.com,umac-128-etm@openssh.com,
+-hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,
+-hmac-sha1-etm@openssh.com,
+-umac-64@openssh.com,umac-128@openssh.com,
+-hmac-sha2-256,hmac-sha2-512,hmac-sha1
+-.Ed
++The default is handled system-wide by
++.Xr crypto-policies 7 .
++To see the defaults and how to modifuy this default, see manual page
++.Xr update-crypto-policies 8 .
+ .Pp
+ The list of available MAC algorithms may also be obtained using
+ .Qq ssh -Q mac .
+@@ -1455,17 +1440,10 @@ If the specified value begins with a
+ .Sq -
+ character, then the specified key types (including wildcards) will be removed
+ from the default set instead of replacing them.
+-The default for this option is:
+-.Bd -literal -offset 3n
+-ecdsa-sha2-nistp256-cert-v01@openssh.com,
+-ecdsa-sha2-nistp384-cert-v01@openssh.com,
+-ecdsa-sha2-nistp521-cert-v01@openssh.com,
+-ssh-ed25519-cert-v01@openssh.com,
+-rsa-sha2-512-cert-v01@openssh.com,rsa-sha2-256-cert-v01@openssh.com,
+-ssh-rsa-cert-v01@openssh.com,
+-ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,
+-ssh-ed25519,rsa-sha2-512,rsa-sha2-256,ssh-rsa
+-.Ed
++The default is handled system-wide by
++.Xr crypto-policies 7 .
++To see the defaults and how to modifuy this default, see manual page
++.Xr update-crypto-policies 8 .
+ .Pp
+ The list of available key types may also be obtained using
+ .Qq ssh -Q key .

openssh.spec

@@ -210,6 +210,8 @@ Patch960: openssh-7.9p1-updated-cached-pw.patch
 # Verify the SCP vulnerabilities are fixed in the package testsuite
 # https://bugzilla.mindrot.org/show_bug.cgi?id=3007
 Patch961: openssh-8.0p1-scp-tests.patch
+# Mention crypto-policies in manual pages (#1668325)
+Patch962: openssh-8.0p1-crypto-policies.patch
 
 License: BSD
 Requires: /sbin/nologin
@@ -414,6 +416,7 @@ popd
 %patch958 -p1 -b .ssh-copy-id
 %patch960 -p1 -b .update-pw
 %patch961 -p1 -b .scp-tests
+%patch962 -p1 -b .crypto-policies
 
 %patch200 -p1 -b .audit
 %patch201 -p1 -b .audit-race