Add reference for policy customization in ssh/sshd_config manpages

Resolves: rhbz#1984575

Signed-off-by: Zoltan Fridrich <zfridric@redhat.com>

openssh-8.0p1-crypto-policies.patch

@@ -1,13 +1,13 @@
-diff -up openssh-8.7p1/ssh_config.5.crypto-policies openssh-8.7p1/ssh_config.5
+diff --color -ru a/ssh_config.5 b/ssh_config.5
---- openssh-8.7p1/ssh_config.5.crypto-policies	2021-08-30 13:29:00.174292872 +0200
+--- a/ssh_config.5	2022-07-12 15:05:22.550013071 +0200
-+++ openssh-8.7p1/ssh_config.5	2021-08-30 13:31:32.009548808 +0200
++++ b/ssh_config.5	2022-07-12 15:17:20.016704545 +0200
-@@ -373,17 +373,13 @@ or
+@@ -373,17 +373,13 @@
  .Qq *.c.example.com
  domains.
  .It Cm CASignatureAlgorithms
 +The default is handled system-wide by
 +.Xr crypto-policies 7 .
-+To see the defaults and how to modify this default, see manual page
++Information about defaults, how to modify the defaults and how to customize existing policies with sub-policies are present in manual page
 +.Xr update-crypto-policies 8 .
 +.Pp
  Specifies which algorithms are allowed for signing of certificates
@@ -24,13 +24,13 @@ diff -up openssh-8.7p1/ssh_config.5.crypto-policies openssh-8.7p1/ssh_config.5
  If the specified list begins with a
  .Sq +
  character, then the specified algorithms will be appended to the default set
-@@ -445,20 +441,25 @@ If the option is set to
+@@ -445,20 +441,25 @@
  (the default),
  the check will not be executed.
  .It Cm Ciphers
 +The default is handled system-wide by
 +.Xr crypto-policies 7 .
-+To see the defaults and how to modify this default, see manual page
++Information about defaults, how to modify the defaults and how to customize existing policies with sub-policies are present in manual page
 +.Xr update-crypto-policies 8 .
 +.Pp
  Specifies the ciphers allowed and their order of preference.
@@ -54,7 +54,7 @@ diff -up openssh-8.7p1/ssh_config.5.crypto-policies openssh-8.7p1/ssh_config.5
  .Pp
  The supported ciphers are:
  .Bd -literal -offset indent
-@@ -474,13 +475,6 @@ aes256-gcm@openssh.com
+@@ -474,13 +475,6 @@
  chacha20-poly1305@openssh.com
  .Ed
  .Pp
@@ -68,19 +68,19 @@ diff -up openssh-8.7p1/ssh_config.5.crypto-policies openssh-8.7p1/ssh_config.5
  The list of available ciphers may also be obtained using
  .Qq ssh -Q cipher .
  .It Cm ClearAllForwardings
-@@ -874,6 +868,11 @@ command line will be passed untouched to
+@@ -874,6 +868,11 @@
  The default is
  .Dq no .
  .It Cm GSSAPIKexAlgorithms
 +The default is handled system-wide by
 +.Xr crypto-policies 7 .
-+To see the defaults and how to modify this default, see manual page
++Information about defaults, how to modify the defaults and how to customize existing policies with sub-policies are present in manual page
 +.Xr update-crypto-policies 8 .
 +.Pp
  The list of key exchange algorithms that are offered for GSSAPI
  key exchange. Possible values are
  .Bd -literal -offset 3n
-@@ -886,10 +885,8 @@ gss-nistp256-sha256-,
+@@ -886,10 +885,8 @@
  gss-curve25519-sha256-
  .Ed
  .Pp
@@ -92,13 +92,13 @@ diff -up openssh-8.7p1/ssh_config.5.crypto-policies openssh-8.7p1/ssh_config.5
  .It Cm HashKnownHosts
  Indicates that
  .Xr ssh 1
-@@ -1219,29 +1216,25 @@ it may be zero or more of:
+@@ -1219,29 +1216,25 @@
  and
  .Cm pam .
  .It Cm KexAlgorithms
 +The default is handled system-wide by
 +.Xr crypto-policies 7 .
-+To see the defaults and how to modify this default, see manual page
++Information about defaults, how to modify the defaults and how to customize existing policies with sub-policies are present in manual page
 +.Xr update-crypto-policies 8 .
 +.Pp
  Specifies the available KEX (Key Exchange) algorithms.
@@ -131,13 +131,13 @@ diff -up openssh-8.7p1/ssh_config.5.crypto-policies openssh-8.7p1/ssh_config.5
  .Pp
  The list of available key exchange algorithms may also be obtained using
  .Qq ssh -Q kex .
-@@ -1351,37 +1344,33 @@ function, and all code in the
+@@ -1351,37 +1344,33 @@
  file.
  This option is intended for debugging and no overrides are enabled by default.
  .It Cm MACs
 +The default is handled system-wide by
 +.Xr crypto-policies 7 .
-+To see the defaults and how to modify this default, see manual page
++Information about defaults, how to modify the defaults and how to customize existing policies with sub-policies are present in manual page
 +.Xr update-crypto-policies 8 .
 +.Pp
  Specifies the MAC (message authentication code) algorithms
@@ -178,13 +178,13 @@ diff -up openssh-8.7p1/ssh_config.5.crypto-policies openssh-8.7p1/ssh_config.5
  The list of available MAC algorithms may also be obtained using
  .Qq ssh -Q mac .
  .It Cm NoHostAuthenticationForLocalhost
-@@ -1553,37 +1542,25 @@ instead of continuing to execute and pas
+@@ -1553,37 +1542,25 @@
  The default is
  .Cm no .
  .It Cm PubkeyAcceptedAlgorithms
 +The default is handled system-wide by
 +.Xr crypto-policies 7 .
-+To see the defaults and how to modify this default, see manual page
++Information about defaults, how to modify the defaults and how to customize existing policies with sub-policies are present in manual page
 +.Xr update-crypto-policies 8 .
 +.Pp
  Specifies the signature algorithms that will be used for public key
@@ -225,16 +225,16 @@ diff -up openssh-8.7p1/ssh_config.5.crypto-policies openssh-8.7p1/ssh_config.5
  .Pp
  The list of available signature algorithms may also be obtained using
  .Qq ssh -Q PubkeyAcceptedAlgorithms .
-diff -up openssh-8.7p1/sshd_config.5.crypto-policies openssh-8.7p1/sshd_config.5
+diff --color -ru a/sshd_config.5 b/sshd_config.5
---- openssh-8.7p1/sshd_config.5.crypto-policies	2021-08-30 13:29:00.157292731 +0200
+--- a/sshd_config.5	2022-07-12 15:05:22.535012771 +0200
-+++ openssh-8.7p1/sshd_config.5	2021-08-30 13:32:16.263918533 +0200
++++ b/sshd_config.5	2022-07-12 15:15:33.394809258 +0200
-@@ -373,17 +373,13 @@ If the argument is
+@@ -373,17 +373,13 @@
  then no banner is displayed.
  By default, no banner is displayed.
  .It Cm CASignatureAlgorithms
 +The default is handled system-wide by
 +.Xr crypto-policies 7 .
-+To see the defaults and how to modify this default, see manual page
++Information about defaults, how to modify the defaults and how to customize existing policies with sub-policies are present in manual page
 +.Xr update-crypto-policies 8 .
 +.Pp
  Specifies which algorithms are allowed for signing of certificates
@@ -251,13 +251,13 @@ diff -up openssh-8.7p1/sshd_config.5.crypto-policies openssh-8.7p1/sshd_config.5
  If the specified list begins with a
  .Sq +
  character, then the specified algorithms will be appended to the default set
-@@ -450,20 +446,25 @@ The default is
+@@ -450,20 +446,25 @@
  indicating not to
  .Xr chroot 2 .
  .It Cm Ciphers
 +The default is handled system-wide by
 +.Xr crypto-policies 7 .
-+To see the defaults and how to modify this default, see manual page
++Information about defaults, how to modify the defaults and how to customize existing policies with sub-policies are present in manual page
 +.Xr update-crypto-policies 8 .
 +.Pp
  Specifies the ciphers allowed.
@@ -281,7 +281,7 @@ diff -up openssh-8.7p1/sshd_config.5.crypto-policies openssh-8.7p1/sshd_config.5
  .Pp
  The supported ciphers are:
  .Pp
-@@ -490,13 +491,6 @@ aes256-gcm@openssh.com
+@@ -490,13 +491,6 @@
  chacha20-poly1305@openssh.com
  .El
  .Pp
@@ -295,13 +295,13 @@ diff -up openssh-8.7p1/sshd_config.5.crypto-policies openssh-8.7p1/sshd_config.5
  The list of available ciphers may also be obtained using
  .Qq ssh -Q cipher .
  .It Cm ClientAliveCountMax
-@@ -685,21 +679,22 @@ For this to work
+@@ -685,21 +679,22 @@
  .Cm GSSAPIKeyExchange
  needs to be enabled in the server and also used by the client.
  .It Cm GSSAPIKexAlgorithms
 +The default is handled system-wide by
 +.Xr crypto-policies 7 .
-+To see the defaults and how to modify this default, see manual page
++Information about defaults, how to modify the defaults and how to customize existing policies with sub-policies are present in manual page
 +.Xr update-crypto-policies 8 .
 +.Pp
  The list of key exchange algorithms that are accepted by GSSAPI
@@ -328,13 +328,13 @@ diff -up openssh-8.7p1/sshd_config.5.crypto-policies openssh-8.7p1/sshd_config.5
  This option only applies to connections using GSSAPI.
  .It Cm HostbasedAcceptedAlgorithms
  Specifies the signature algorithms that will be accepted for hostbased
-@@ -799,26 +794,13 @@ is specified, the location of the socket
+@@ -799,26 +794,13 @@
  .Ev SSH_AUTH_SOCK
  environment variable.
  .It Cm HostKeyAlgorithms
 +The default is handled system-wide by
 +.Xr crypto-policies 7 .
-+To see the defaults and how to modify this default, see manual page
++Information about defaults, how to modify the defaults and how to customize existing policies with sub-policies are present in manual page
 +.Xr update-crypto-policies 8 .
 +.Pp
  Specifies the host key signature algorithms
@@ -360,13 +360,13 @@ diff -up openssh-8.7p1/sshd_config.5.crypto-policies openssh-8.7p1/sshd_config.5
  The list of available signature algorithms may also be obtained using
  .Qq ssh -Q HostKeyAlgorithms .
  .It Cm IgnoreRhosts
-@@ -965,20 +947,25 @@ Specifies whether to look at .k5login fi
+@@ -965,20 +947,25 @@
  The default is
  .Cm yes .
  .It Cm KexAlgorithms
 +The default is handled system-wide by
 +.Xr crypto-policies 7 .
-+To see the defaults and how to modify this default, see manual page
++Information about defaults, how to modify the defaults and how to customize existing policies with sub-policies are present in manual page
 +.Xr update-crypto-policies 8 .
 +.Pp
  Specifies the available KEX (Key Exchange) algorithms.
@@ -390,7 +390,7 @@ diff -up openssh-8.7p1/sshd_config.5.crypto-policies openssh-8.7p1/sshd_config.5
  The supported algorithms are:
  .Pp
  .Bl -item -compact -offset indent
-@@ -1010,15 +997,6 @@ ecdh-sha2-nistp521
+@@ -1010,15 +997,6 @@
  sntrup761x25519-sha512@openssh.com
  .El
  .Pp
@@ -406,13 +406,13 @@ diff -up openssh-8.7p1/sshd_config.5.crypto-policies openssh-8.7p1/sshd_config.5
  The list of available key exchange algorithms may also be obtained using
  .Qq ssh -Q KexAlgorithms .
  .It Cm ListenAddress
-@@ -1104,21 +1082,26 @@ function, and all code in the
+@@ -1104,21 +1082,26 @@
  file.
  This option is intended for debugging and no overrides are enabled by default.
  .It Cm MACs
 +The default is handled system-wide by
 +.Xr crypto-policies 7 .
-+To see the defaults and how to modify this default, see manual page
++Information about defaults, how to modify the defaults and how to customize existing policies with sub-policies are present in manual page
 +.Xr update-crypto-policies 8 .
 +.Pp
  Specifies the available MAC (message authentication code) algorithms.
@@ -437,7 +437,7 @@ diff -up openssh-8.7p1/sshd_config.5.crypto-policies openssh-8.7p1/sshd_config.5
  .Pp
  The algorithms that contain
  .Qq -etm
-@@ -1161,15 +1144,6 @@ umac-64-etm@openssh.com
+@@ -1161,15 +1144,6 @@
  umac-128-etm@openssh.com
  .El
  .Pp
@@ -453,13 +453,13 @@ diff -up openssh-8.7p1/sshd_config.5.crypto-policies openssh-8.7p1/sshd_config.5
  The list of available MAC algorithms may also be obtained using
  .Qq ssh -Q mac .
  .It Cm Match
-@@ -1548,37 +1522,25 @@ or equivalent.)
+@@ -1548,37 +1522,25 @@
  The default is
  .Cm yes .
  .It Cm PubkeyAcceptedAlgorithms
 +The default is handled system-wide by
 +.Xr crypto-policies 7 .
-+To see the defaults and how to modify this default, see manual page
++Information about defaults, how to modify the defaults and how to customize existing policies with sub-policies are present in manual page
 +.Xr update-crypto-policies 8 .
 +.Pp
  Specifies the signature algorithms that will be accepted for public key

openssh.spec

@@ -51,7 +51,7 @@
 
 # Do not forget to bump pam_ssh_agent_auth release if you rewind the main package release to 1
 %global openssh_ver 8.7p1
-%global openssh_rel 12
+%global openssh_rel 13
 %global pam_ssh_agent_ver 0.10.4
 %global pam_ssh_agent_rel 4
 
@@ -720,6 +720,10 @@ test -f %{sysconfig_anaconda} && \
 %endif
 
 %changelog
+* Tue Jul 12 2022 Zoltan Fridrich <zfridric@redhat.com> - 8.7p1-13
+- Add reference for policy customization in ssh/sshd_config manpages
+  Resolves: rhbz#1984575
+
 * Mon Jul 11 2022 Dmitry Belyavskiy <dbelyavs@redhat.com> - 8.7p1-12
 - Disable sntrup761x25519-sha512 in FIPS mode
   Related: rhbz#2070628