:bug: RHEL systems using global `crypto-policies`, `sshd.config` ignores override configuration
mm-weber opened this issue
Describe the bug

The `sshd.config` resource parses all relevant .conf files in `/etc/ssh/sshd_config.d/` and `/etc/ssh/sshd_conf` and follows any include directives found in those paths to gather data.

All systems using RHEL's global crypto-policy employ the following mechanism (same source) to override crypto-policies set globally for ssh:

This is currently ignored by the `sshd.config` resource and leads to faulty results.
To Reproduce

Steps to reproduce the behavior:

- On Rocky Linux 9 set the global crypto policy to FUTURE with `update-crypto-policies --set FUTURE`, then reboot and check `sshd.config.kexs`:

```
cnspec> sshd.config.kexs
sshd.config.kexs: [
0: "curve25519-sha256"
1: "curve25519-sha256@libssh.org"
2: "ecdh-sha2-nistp256"
3: "ecdh-sha2-nistp384"
4: "ecdh-sha2-nistp521"
5: "diffie-hellman-group-exchange-sha256"
6: "diffie-hellman-group16-sha512"
7: "diffie-hellman-group18-sha512"
]
```

-> This command changes the Kex policies in the included file `/etc/crypto-policies/back-ends/opensshserver.config`

- Now use the override mechanism described above and create the file `/etc/ssh/sshd_config.d/49-crypto-policy-override.conf` with the following content:

```
KexAlgorithms sntrup761x25519-sha512@openssh.com,curve25519-sha256@libssh.org,diffie-hellman-group18-sha512
```

- Then run `sshd.config.kexs` again in cnspec.

-> The result of the override file is added to the result found in the file `/etc/crypto-policies/back-ends/opensshserver.config`, which is included via the directive `50-redhat.conf`.
Expected behavior

If there is a file with a prefix smaller than 50 in the folder `/etc/ssh/sshd_config.d`, e.g. `49-overide.conf`, then the params (e.g. `KexAlgorithms`) found there need to override the params in the resource `sshd.conf`.
Desktop (please complete the following information):

```
NAME="Rocky Linux"
VERSION="9.3 (Blue Onyx)"
ID="rocky"
ID_LIKE="rhel centos fedora"
VERSION_ID="9.3"
```
I'm not able to reproduce this:

```
[root@localhost vagrant]# cat /etc/ssh/sshd_config.d/49-crypto-policy-override.conf
KexAlgorithms sntrup761x25519-sha512@openssh.com,curve25519-sha256@libssh.org,diffie-hellman-group18-sha512
[root@localhost vagrant]# ./cnspec run local -c 'sshd.config.kexs'
→ no Mondoo configuration file provided, using defaults
sshd.config.kexs: [
0: "sntrup761x25519-sha512@openssh.com"
1: "curve25519-sha256@libssh.org"
2: "diffie-hellman-group18-sha512"
]
[root@localhost vagrant]# rm /etc/ssh/sshd_config.d/49-crypto-policy-override.conf
rm: remove regular file '/etc/ssh/sshd_config.d/49-crypto-policy-override.conf'? y
[root@localhost vagrant]# ./cnspec run local -c 'sshd.config.kexs'
→ no Mondoo configuration file provided, using defaults
sshd.config.kexs: [
0: "curve25519-sha256"
1: "curve25519-sha256@libssh.org"
2: "ecdh-sha2-nistp256"
3: "ecdh-sha2-nistp384"
4: "ecdh-sha2-nistp521"
5: "diffie-hellman-group-exchange-sha256"
6: "diffie-hellman-group16-sha512"
7: "diffie-hellman-group18-sha512"
]
```
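The rule the expected behaviour above depends on, and which the maintainer's session shows in practice, is sshd's "first obtained value wins": Include globs are expanded in lexical order, so a `49-*` drop-in is read before `50-redhat.conf` pulls in the crypto-policies back-end, and a keyword already set is never appended to or replaced. As an added example (not cnspec's own parser), here is a small Python reader over a constructed in-memory copy of the files from this report; the file contents are assumed, and Match blocks and `key=value` syntax are not modelled.

```python
import fnmatch
import shlex

# Constructed in-memory file tree modelled on the report; not the reporter's real files.
FILES = {
    "/etc/ssh/sshd_config": "Include /etc/ssh/sshd_config.d/*.conf\nPort 22\n",
    "/etc/ssh/sshd_config.d/49-crypto-policy-override.conf":
        "KexAlgorithms sntrup761x25519-sha512@openssh.com,curve25519-sha256@libssh.org,diffie-hellman-group18-sha512\n",
    "/etc/ssh/sshd_config.d/50-redhat.conf":
        "Include /etc/crypto-policies/back-ends/opensshserver.config\n",
    "/etc/crypto-policies/back-ends/opensshserver.config":
        "KexAlgorithms curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256\n"
        "Ciphers aes256-gcm@openssh.com\n",
}

def expand_include(pattern, files):
    """Expand one Include glob as sshd does: relative paths are rooted at /etc/ssh and
    matches are applied in lexical order, so 49-* is read before 50-*."""
    if not pattern.startswith("/"):
        pattern = "/etc/ssh/" + pattern
    return sorted(p for p in files if fnmatch.fnmatchcase(p, pattern))

def parse_sshd_config(path, files, result=None, seen=None):
    """Collect keyword -> value from path and everything it Includes, in file order.
    sshd keeps the FIRST value obtained for a keyword; later files must not change it."""
    result = {} if result is None else result
    seen = set() if seen is None else seen
    if path in seen:  # guard against Include loops
        return result
    seen.add(path)
    for raw in files.get(path, "").splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        key = parts[0].lower()  # keywords are case-insensitive
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "include":
            for pattern in shlex.split(value):  # Include may list several globs
                for included in expand_include(pattern, files):
                    parse_sshd_config(included, files, result, seen)
        elif key not in result:  # first obtained value wins; do not merge or append
            result[key] = value
    return result

def effective_kexs(files=FILES):
    """The KexAlgorithms list sshd would actually use, as a Python list."""
    return parse_sshd_config("/etc/ssh/sshd_config", files).get("kexalgorithms", "").split(",")
```

Dropping the 49-* file from `FILES` reproduces the maintainer's second run: the KexAlgorithms value then comes from the crypto-policies back-end via `50-redhat.conf`.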