RHEL/CentOS 8 requires removal or editing of /etc/crypto-policies/back-ends/openssh*.config about ansible-ssh-hardening HOT 6 CLOSED

just submittet a PR to our baseline (dev-sec/ssh-baseline#177)
I will close this now, since all issues are resolved.

from ansible-ssh-hardening.

Thanks for this, I did not know that this exists.

More information: https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/security_hardening/using-the-system-wide-cryptographic-policies_security-hardening

We'll have to decide what to support and use.

from ansible-ssh-hardening.

While not a bug, it would seem that the client configurations also don't disallow host key types for use. I'm not sure how to best accomplish this but it would be nice if we could also figure out how to enforce SSH client configuration for allowed HostKeyTypes.

'HostKeyAlgorithms' can (should 🤔 ) be defined to also limit client Host Key Types.

HostKeyAlgorithms -ssh-dss,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,[email protected],[email protected],[email protected],[email protected],ssh-rsa,[email protected]

from ansible-ssh-hardening.

The openssh-server side of this issue is fixed by #309.
This only leaves the client side issue remaining.

from ansible-ssh-hardening.

the crypto policy for ssh client is activated by an include /etc/ssh/ssh_config.d/05-redhat.conf since our config does not have this include the client part should also be solved. Will check this in a moment.

from ansible-ssh-hardening.

This is possible to check via ssh -G localhost |grep ciphers. We will add some tests for this to our baseline. So basically this is solved now, just waiting for the PR in ssh-baseline and then we should be safe :)

from ansible-ssh-hardening.