Dear colleagues,

Let me try to summarize the pros and cons of this discussion.

Our intention is making the software and its settings as secure as possible by default. That's why we have crypto policies.
The proposed change is aligned with the setting we have implemented in RHEL9 for 2-3 years, and there were only several use cases affected by this tightening, mostly SSH.

I understand that not all old systems are upgradeable (though many of them can be turned to smth using better algorithms - e.g. EC SSH keys are available on RHEL 7).
So for these use cases we would like to propose either use runcp utility (which doesn't undermine the default settings) or, worst case, use a jump container. Any of this solution doesn't undermine the whole system's security.

I believe that now we could move this change forward, having a workaround for some use cases, probing to detect the legacy algorithm when it was missing, and higher security standards.

On Tue, Jun 11, 2024 at 12:02 PM Clemens Lang <cllang@redhat.com> wrote:
Hi Peter,

> On 11. Jun 2024, at 07:01, Peter Boy <pboy@uni-bremen.de> wrote:
>
>> Am 10.06.2024 um 20:16 schrieb Richard W.M. Jones <rjones@redhat.com>:
>>
>> On Mon, Jun 10, 2024 at 01:43:57PM +0200, Vít Ondruch wrote:
>>> I wish this proposal included some examples of what might get broken
>>> and what will keep working. I guess I am not the only one who have
>>> very vague understanding what is difference between "signatures" and
>>> "hashing" or other purposes SHA1 can be used for.
>>
>> SSH and HTTPS to old machines (even old versions of Fedora & RHEL) and
>> to old network equipment and the like will not be possible.
>>
>> I'm annoyed that this is not just put behind the LEGACY policy, since
>> if that's not what "legacy" is for, what _is_ it for?
>>
>> As an aside, it'd be very nice if policies could be set per-process.
>> That would greatly enhance security by allowing specific programs to
>> connect to the legacy machines, while maintaining general system
>> security.
>>
>> Anyway, -1 from me.
>>
>> Rich.
>
> Anyway, -1 from me, too
>
> For exactly that reason.

Can you elaborate what you would need, in addition to the LEGACY policy (which still allows these connections) and the runcp utility?


--
Clemens Lang
RHEL Crypto Team
Red Hat


--
_______________________________________________
devel mailing list -- devel@lists.fedoraproject.org
To unsubscribe send an email to devel-leave@lists.fedoraproject.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org
Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue


--
Dmitry Belyavskiy