Uploaded image for project: 'RHEL'
  1. RHEL
  2. RHEL-19389

Crypto Policies make it very difficult to connect to legacy systems while still keeping system secure

XMLWordPrintable

    • Icon: Story Story
    • Resolution: Won't Do
    • Icon: Undefined Undefined
    • None
    • None
    • openssh
    • None
    • Normal
    • sst_security_crypto
    • ssg_security
    • False
    • Hide

      None

      Show
      None
    • Red Hat Enterprise Linux

      Goal

      Customers want to be able to connect using ssh from RHEL9 systems to RHEL6 systems for example, or 3rd party appliances only providing ssh-rsa.
      The easiest way to do so is to enable SHA1 module, but this makes the whole system quite insecure.
      I didn't find any way to implement the functionality without requiring the following operations, which is definitely too complicated:

      1. First enable SHA1 on the RHEL9 system 
        # update-crypto-policies --set DEFAULT:SHA1
      2. Copy opensslcnf and openssh configuration files 
        # cp /etc/crypto-policies/back-ends/opensslcnf.config /etc/crypto-policies/back-ends/opensslcnf+sha1.config
# cp /etc/crypto-policies/back-ends/openssh.config /etc/crypto-policies/back-ends/openssh+sha1.config
      3. Switch system back to DEFAULT 
        # update-crypto-policies --set DEFAULT
      4. Copy openssl configuration file and edit it to use the new openssl configuration 
        # sed "s#opensslcnf.config#opensslcnf+sha1.config#" /etc/ssl/openssl.cnf > /etc/ssl/openssl+sha1.cnf
      5. Create a system-wide ssh configuration file matching the host to load the specific openssh configuration file 
        # vim /etc/ssh/ssh_config.d/10-sha1.conf
... editor opens ...
Match host <identifier>
     Hostname <hostname>
     Port <port>
     Include /etc/crypto-policies/back-ends/openssh+sha1.config

        The `<identifier>` will be some name referring to the target system+port information.
        For example `legacy-1234`. `<hostname>` would be `legacy` and `<port>` 1234.

      6. Finally whenever connecting to the service, set the OPENSSL_CONF variable in the environment when connecting 
        $ OPENSSL_CONF=/etc/ssl/openssl+sha1.cnf ssh legacy-1234

      Clearly this is way too complicated.
      It appears reusing the SHA1.pmod module could be a possibility, but this still requires enabling SHA globally for openssl backend, which still loosen the security of the system:

      # cat /etc/crypto-policies/policies/modules/SSH-SHA1.pmod

hash@openssh-client = SHA1+
hash@openssl = SHA1+    <<<<<< THIS IS REQUIRED BUT SHOULD NOT (IDEALLY)
sign@openssh-client = ECDSA-SHA1+ RSA-PSS-SHA1+ RSA-SHA1+
sha1_in_certs@openssh-client = 1

      Additional notes

      The documentation we have 3.7.1. Examples of opting out of system-wide crypto policies states it's enough to modify the ssh configuration "locally", but in fact it's not true, at least for SHA1:

      To opt out of system-wide cryptographic policies for your OpenSSH client, perform one of the following tasks:

- For a given user, override the global ssh_config with a user-specific configuration in the ~/.ssh/config file.
- For the entire system, specify the cryptographic policy in a drop-in configuration file located in the /etc/ssh/ssh_config.d/ directory, with a two-digit number prefix smaller than 50, so that it lexicographically precedes the 50-redhat.conf file, and with a .conf suffix, for example, 49-crypto-policy-override.conf. 

See the ssh_config(5) man page for more information.

            dbelyavs@redhat.com Dmitry Belyavskiy
            rhn-support-rmetrich Renaud Metrich
            Dmitry Belyavskiy Dmitry Belyavskiy
            SSG Security QE SSG Security QE
            Votes:
            0 Vote for this issue
            Watchers:
            5 Start watching this issue

              Created:
              Updated:
              Resolved: