Once upon a time, Richard W.M. Jones <rjones(a)redhat.com> said:
Previous tightening of crypto defaults caused problems with us
connecting to older ssh servers.
I also have had trouble connecting to major vendor websites. The vendor
response is just "works in Chrome and Firefox on Windows, must be your
problem".
I am particularly interested / worried about sshd from RHEL 5, 6 & 7
for virt-p2v and virt-v2v conversions. This broke before, requiring
us to advise users to set the global policy for the machine to LEGACY
(thus ironically weakening crypto for everything).
Also I have some ancient network equipment that cannot be upgraded but
needs older ssh protocols. I can't connect to it from Fedora unless I
set the crypto policy to LEGACY.
Yeah, the model in general seems a little broken to me, especially as I
found the policies are implemented unevenly (IIRC my problem was OpenSSL
couldn't connect but GnuTLS could for example), which just leads to
confusion.
I understand and approve of having good system-wide defaults, but there
needs to be a way to connect to a specific site/device/whatever without
having to lower the system-wide policy. For SSH, you can usually do
that by adjusting the settings on a per-device basis on the command line
or in ~/.ssh/config (setting PublickeyAcceptedKeyTypes, KexAlgorithms,
HostKeyAlgorithms, and/or Ciphers as needed).
I had to SSH to a FreeBSD 4.x server last year! So many SSH config
options required... it had been up without a reboot since 2007 IIRC.
I am very much not a UI/UX person, but Firefox and other browsers really
could use a good way to override system crypto policy on a per-site
basis.
--
Chris Adams <linux(a)cmadams.net>
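
The per-host approach described in the message above can be checked mechanically. This added example (not part of the original message) audits an ssh_config text and reports legacy algorithms that are enabled for every host instead of being scoped to a named one. The host name, the sample config and the list of algorithms treated as legacy are constructed assumptions.

```python
import re

# ssh_config options that select algorithms (the client keyword is spelled
# PubkeyAcceptedKeyTypes; OpenSSH 8.5+ also accepts PubkeyAcceptedAlgorithms).
ALGO_OPTIONS = {"kexalgorithms", "hostkeyalgorithms", "ciphers",
                "pubkeyacceptedkeytypes", "pubkeyacceptedalgorithms"}
# Assumed set of legacy algorithms to flag; adjust for your environment.
LEGACY = {"diffie-hellman-group1-sha1", "diffie-hellman-group14-sha1",
          "ssh-rsa", "ssh-dss", "3des-cbc", "aes128-cbc"}

# Constructed sample: one scoped stanza and one override applied to every host.
SAMPLE = """\
Host legacy-switch.example
    KexAlgorithms +diffie-hellman-group1-sha1
    HostKeyAlgorithms +ssh-rsa
    PubkeyAcceptedKeyTypes +ssh-rsa
    Ciphers +aes128-cbc

Host *
    Ciphers +3des-cbc
"""

def audit(config_text):
    """Return (section, option, algorithm) for each legacy algorithm enabled."""
    findings, section = [], "Host *"   # options before any Host line apply to all hosts
    for raw in config_text.splitlines():
        m = re.match(r"(\S+?)(?:\s*=\s*|\s+)(.*)", raw.strip())
        if not m or raw.lstrip().startswith("#"):
            continue
        key, value = m.group(1), m.group(2).strip()
        if key.lower() in ("host", "match"):
            section = f"{key} {value}"
        elif key.lower() in ALGO_OPTIONS and not value.startswith("-"):
            # '+' appends and '^' prepends to the defaults; '-' removes, so it is skipped.
            for alg in value.lstrip("+^").split(","):
                if alg.strip() in LEGACY:
                    findings.append((section, key, alg.strip()))
    return findings

def is_global(section):
    """True for 'Host *' style sections and 'Match all'."""
    kind, _, patterns = section.partition(" ")
    if kind.lower() == "match":
        return patterns.strip().lower() == "all"
    return "*" in patterns.split()

def global_legacy(config_text):
    """Legacy algorithms enabled for every host rather than for named ones."""
    return [f for f in audit(config_text) if is_global(f[0])]
```

Run `global_legacy()` over the contents of `~/.ssh/config`; an empty list means every legacy override is confined to a named host.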