OL8 (RHEL8), ssh-rsa turned off using update-crypto-policies, receiving an openssh error that I don't seem to be able to override in my personal .ssh/config file

James Ralston ralston at pobox.com
Wed Sep 11 00:26:26 AEST 2024


On Mon, Sep 9, 2024 at 4:55 PM kevin martin <ktmdms at gmail.com> wrote:
> using "update-crypto-policies --set DEFAULT" allows the connectivity
> to work again.

If so, it means that your Linux team set the policy to something other
than DEFAULT—likely FUTURE, or a custom policy that they created.
Overriding the policy back to DEFAULT will enable not just SHA-1, but
likely many other encryption and hash algorithms that your Security
team may have declared to be non-compliant and verboten.

If your Security team’s decisions are being driven by a requirement to
comply with third-party security policies that your customers/sponsors
require (NIST SP 800-171 is a common one), then throwing your host out
of compliance could have legal repercussions (1).

The correct thing to do here is *not* to change the policy to DEFAULT
because that is the easiest thing that works, but to instead ask your
Linux team how to enable SHA-1 support (at least within OpenSSL)
within the system-wide cryptographic policy that they have selected.

(1) https://www.theregister.com/2024/08/23/us_georgia_tech_lawsuit/


More information about the openssh-unix-dev mailing list