On 11/27/2017 12:42 PM, Tom Horsley wrote:
> The /etc/ssh/sshd_config file on my fedora 27 partition says:
>
> # To opt out, uncomment a line with redefinition of CRYPTO_POLICY=
> # variable in /etc/sysconfig/sshd to overwrite the policy.
> # For more information, see manual page for update-crypto-policies(8).
>
> But there is no CRYPTO_POLICY environment variable setting
> in /etc/sysconfig/sshd or in supposed system wide file
> /etc/crypto-policies/back-ends/openssh-server.config I see
> referenced in the sshd.service definition.

It's sorta complex in that sshd is passed "-D $OPTIONS $CRYPTO_POLICY"
by systemd when it's started, so if you do:

    CRYPTO_POLICY=

in /etc/sysconfig/sshd, then you disable the system-wide crypto policy
for sshd.

As far as the default crypto policy, it's in

    /etc/crypto-policies/back-ends/openssh.config

which is (at least on my systems) a symlink to

    /usr/share/crypto-policies/DEFAULT/openssh.txt

Hope that helps.
----------------------------------------------------------------------
- Rick Stevens, Systems Engineer, AllDigital ricks(a)alldigital.com -
- AIM/Skype: therps2 ICQ: 226437340 Yahoo: origrps2 -
- -
- Never put off 'til tomorrow what you can forget altogether! -
----------------------------------------------------------------------
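
An audit check for the opt-out described in the reply above, as an added example that is not part of the original post: it reports whether a sysconfig file leaves the system-wide policy in place, blanks it, or replaces it, and resolves the policy symlink. The function names are hypothetical, and it assumes the file holds plain KEY=VALUE lines where the last uncommented assignment wins.

```shell
#!/bin/sh
# Added example: has sshd opted out of the system-wide crypto policy?
# Assumption: the sysconfig file holds KEY=VALUE lines, lines starting with
# '#' are comments, and the last uncommented CRYPTO_POLICY assignment wins.

# Print "system-wide" (no override), "opted-out" (CRYPTO_POLICY set to
# nothing) or "custom" (CRYPTO_POLICY replaced by local options).
sshd_policy_state() {
    file=$1
    [ -r "$file" ] || { echo "system-wide"; return 0; }
    # Commented-out lines do not match; keep the last real assignment.
    line=$(grep -E '^[[:space:]]*CRYPTO_POLICY=' "$file" | tail -n 1)
    [ -n "$line" ] || { echo "system-wide"; return 0; }
    value=${line#*=}
    # Drop quotes and whitespace so CRYPTO_POLICY="" also counts as empty.
    value=$(printf '%s' "$value" | tr -d "\"'" | tr -d '[:space:]')
    if [ -z "$value" ]; then
        echo "opted-out"
    else
        echo "custom"
    fi
}

# Print the file a policy back-end path finally resolves to.
policy_target() {
    readlink -f "$1"
}

# Report on one host; the defaults are the paths named in the thread.
report() {
    sysconfig=${1:-/etc/sysconfig/sshd}
    backend=${2:-/etc/crypto-policies/back-ends/openssh.config}
    echo "sshd crypto policy: $(sshd_policy_state "$sysconfig")"
    if [ -e "$backend" ]; then
        echo "policy file: $(policy_target "$backend")"
    fi
    return 0
}

report "$@"
```

A result of "opted-out" or "custom" means sshd is no longer following the system-wide policy on that host and its algorithm settings need to be reviewed separately.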