OpenSSH Server Crypto Policy

Summary

OpenSSH clients follow the system-wide crypto policy since Fedora 26. This F27 change modifies the openssh server configuration to adhere to the system-wide policy. That will allow openssh server configuration to adapt to the multiple security levels offered system-wide.

Owner

• Name: Jakub Jelen
• Email: jjelen@redhat.com
• Release notes owner:

Current status

• Targeted release: Fedora 27
• Last updated: 2017-11-02
• Tracker bug: #1479271

Detailed Description

Currently, the set of cryptographic algorithms used in OpenSSH is defined by upstream and Fedora just inherits what upstream considers secure. If there are special requirements for the security, manual modifications of the configuration files is required, which also prevents package manager to update the configuration file with future updates and can possibly leave enabled insecure algorithms.

Since Fedora 26 OpenSSH clients are following crypto policies defined system-wide using Include configuration option in the main ssh_config. We can not use the same method in the server, because OpenBSD did not accept yet the patch supporting the same in the server configuration (upstream bug) so we will work out other way of doing that without disrupting existing workflows.

For more information about Crypto Policy, see the appropriate wiki page Changes/CryptoPolicy describing the concept in whole.

Benefit to Fedora

All OpenSSH tools will follow system-wide crypto policy generated by update-crypto-policies(8) to ensure uniform security levels in the whole system.

The server side configuration is usually better place to defend against security vulnerabilities, rather than the user side, which does not have to have good overview of security. This will make sure they are using secure algorithms and their communiques are still secret.

Scope

• Proposal owners: Create a replace script, that will replace predefined comment in the configuration with configuration generated according to current crypto policies. Make systemd trigger this script on restart.
  • OpenSSH package needs to be updated to preprocess configuration file and read it from runtime directory: openssh-7.5p1-4 build (too confusing for users)
  • SELinux policy needs to be adjusted so sshd server can read configuration file from runtime directory: https://bugzilla.redhat.com/show_bug.cgi?id=1477613 (not needed with latest approach)
  • (done) Generate crypto policy as a command line arguments for SSHD: https://gitlab.com/redhat-sectech/fedora-crypto-policies/merge_requests/7
  • (done) OpenSSH package picks up the crypto policy generated for command line: openssh-7.5p1-5 build
  • (done) Reload sshd service after the crypto policy is changed: https://gitlab.com/redhat-sectech/fedora-crypto-policies/merge_requests/5

• Other developers: N/A (not a System Wide Change)

• Release engineering: #6915 (a check of an impact with Release Engineering is needed)
  • List of deliverables: N/A (not a System Wide Change)

• Policies and guidelines: N/A (not a System Wide Change)

• Trademark approval: N/A (not needed for this Change)

Upgrade/compatibility impact

The crypto policy is applied on the command line of sshd daemon and therefore any changes to the sshd_config will not be effective once crypto policies will get applied picked up. The default configuration will get the crypto policies automatically.

How To Test

Prerequisites:

• Make sure you have installed openssh-clients, openssh-server and crypto-policies packages
• Make sure you have sshd server running on your system. If not, enable and start the sshd service: systemctl enable sshd && systemctl start sshd
• Make sure you have crypto-policies configured with default profile
• Make sure you can connect to your local sshd server with your client, such as ssh localhost

Check LEGACY profile:

• Check that you CAN NOT connect with legacy algorithms, such as arcfour128: Run ssh -o Ciphers=arcfour128 localhost (should fail)
• Update crypto policies to LEGACY profile. Run update-crypto-policies --set LEGACY (this will make sshd reload the configuration)
• Check that you CAN connect with legacy algorithms, such as arcfour128: Run ssh -o Ciphers=arcfour128 localhost (should work)

Check FUTURE profile:

• Check that you CAN connect with current algorithms that is not in FUTURE profile, such as diffie-hellman-group-exchange-sha1: Run ssh -o KexAlgorithms=diffie-hellman-group-exchange-sha1 localhost (should work)
• Update crypto policies to FUTURE profile. Run update-crypto-policies --set FUTURE (this will make sshd reload the configuration)
• Check that you CAN NOT connect with current algorithms that is not in FUTURE profile, such as diffie-hellman-group-exchange-sha1: Run ssh -o KexAlgorithms=diffie-hellman-group-exchange-sha1 localhost (should fail)

Post:

• Change your crypto policies back to DEFAULT. Run update-crypto-policies --set FUTURE (this will make sshd reload the configuration)

Note: specifying the algorithms on command line or in per-user client configuration overwrites system-wide policy. The same can be done with the server configuration, by specifying the options before the expanded crypto-policies comment.

User Experience

N/A (not a System Wide Change)

Dependencies

N/A (not a System Wide Change)

Contingency Plan

• Contingency mechanism: (What to do? Who will do it?) N/A (not a System Wide Change)
• Contingency deadline: N/A (not a System Wide Change)
• Blocks release? N/A (not a System Wide Change), Yes/No
• Blocks product? product

Documentation

Upstream documentation is available in the upstream repository for update-crypto-policies(8).

For OpenSSH server, there should be no difference than in other libraries except the sshd daemon is not picking up the changes on demand, but requires a restart of the services after the change.

Release Notes