OL8 (RHEL8), ssh-rsa turned off using update-crypto-policies, receiving an openssh error that I don't seem to be able to override in my personal .ssh/config file

James Ralston ralston at pobox.com
Tue Sep 10 03:02:24 AEST 2024


On Mon, Sep 9, 2024 at 12:21 PM kevin martin <ktmdms at gmail.com> wrote:
> well nuts. that, in fact, doesn't work. it appears that, based on an
> strace, the order of reading for policies is personal .ssh/config,
> /etc/ssh/ssh_config (and conf.d files), then crypto policies, with
> the more restrictive policy being used.

If the system-wide crypto policies module disables SHA-1, then you are
not going to be able to override it at the application level.  That’s
the entire point of having *system-wide* crypto policies.

You likely don’t need to change to the DEFAULT policy, as there is
already a policy module for adding back in SHA-1 support.  E.g., if
you are using the FUTURE policy:

$ update-crypto-policies --show
FUTURE

$ sudo update-crypto-policies --set FUTURE:SHA1
Setting system policy to FUTURE:SHA1
Note: System-wide crypto policies are applied on application start-up.
It is recommended to restart the system for the change of policies
to fully take place.

But if your Linux team has rolled their own custom policy, you will
need to work with them to update it to permit SHA1.
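An added example (not from the thread or from the crypto-policies project): the FUTURE:SHA1 module above re-enables SHA-1 for every OpenSSH client and server on the host, so before and after applying it a practitioner will want to see exactly which SHA-1 algorithms the effective policy permits. The script below parses the keyword/algorithm-list format of /etc/crypto-policies/back-ends/openssh.config (the file RHEL's ssh_config includes); the two policy texts are constructed samples, not copied from a real host.

```python
# Constructed samples in the format of /etc/crypto-policies/back-ends/openssh.config.
# FUTURE_POLICY is a SHA-1-free baseline; FUTURE_SHA1_POLICY is the same file after
# a SHA1 sub-policy appends hmac-sha1 and ssh-rsa to the relevant lists.
FUTURE_POLICY = """\
# generated by update-crypto-policies (constructed sample)
Ciphers aes256-gcm@openssh.com,chacha20-poly1305@openssh.com,aes256-ctr
MACs hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha2-256
KexAlgorithms curve25519-sha256,diffie-hellman-group16-sha512
HostKeyAlgorithms ssh-ed25519,rsa-sha2-256,rsa-sha2-512
PubkeyAcceptedKeyTypes ssh-ed25519,rsa-sha2-256,rsa-sha2-512
"""

FUTURE_SHA1_POLICY = """\
# generated by update-crypto-policies (constructed sample)
Ciphers aes256-gcm@openssh.com,chacha20-poly1305@openssh.com,aes256-ctr
MACs hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha2-256,hmac-sha1
KexAlgorithms curve25519-sha256,diffie-hellman-group16-sha512
HostKeyAlgorithms ssh-ed25519,rsa-sha2-256,rsa-sha2-512,ssh-rsa
PubkeyAcceptedKeyTypes ssh-ed25519,rsa-sha2-256,rsa-sha2-512,ssh-rsa
"""

# Signature algorithms that are SHA-1 based without carrying "sha1" in their name.
IMPLICIT_SHA1 = {"ssh-rsa", "ssh-dss",
                 "ssh-rsa-cert-v01@openssh.com", "ssh-dss-cert-v01@openssh.com"}


def uses_sha1(alg: str) -> bool:
    """True for any OpenSSH algorithm whose hash, MAC or signature is SHA-1."""
    return alg in IMPLICIT_SHA1 or "sha1" in alg.lower()


def parse_policy(text: str) -> dict:
    """Map each keyword (Ciphers, MACs, ...) to its comma-separated algorithm list."""
    policy = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        keyword, _, value = line.partition(" ")
        policy[keyword] = [alg for alg in value.split(",") if alg]
    return policy


def sha1_algorithms(text: str) -> dict:
    """Per keyword, the SHA-1-based algorithms the policy still permits (empty if none)."""
    return {keyword: [alg for alg in algs if uses_sha1(alg)]
            for keyword, algs in parse_policy(text).items()
            if any(uses_sha1(alg) for alg in algs)}


def permits(text: str, keyword: str, alg: str) -> bool:
    """Does the policy list `alg` under `keyword`, e.g. ssh-rsa under PubkeyAcceptedKeyTypes?"""
    return alg in parse_policy(text).get(keyword, [])
```

On a real host, read the backend file instead of the constructed strings; an empty result from sha1_algorithms means the SHA1 sub-policy (or a custom policy) is not in effect for OpenSSH.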
