Mix/match C8 Crypto Policies


Is it possible to mix and match crypto policies using approved tools in CentOS 8?

Our environment requires a LEGACY setting for OpenSSL so we can maintain connections with our LDAP servers (which we cannot update at this time), but I’d like especially the OpenSSH settings to use the DEFAULT policy (and maybe even FUTURE on a test host or two).

I think it’s possible to manually repoint the symbolic links in
/etc/crypto-policies/back-ends to achieve that result, and I’ll set up puppet rules if that’s the only way to do so, but I’d prefer to use a more canonical approach if one exists.

One thought on - Mix/match C8 Crypto Policies

  • I received no replies to this query, so I hacked together a solution. In case someone needs to know, it was essentially something like this:

    # all operations run as root
    update-crypto-policies --set LEGACY
    systemctl reboot

    # after system comes back online…
    pushd /etc/crypto-policies/back-ends

    # reconfigure SSH client operations using DEFAULT policy
    rm openssh.config
    ln -s /usr/share/crypto-policies/DEFAULT/openssh.txt openssh.config

    # reconfigure sshd using DEFAULT policy and restart it
    rm opensshserver.config
    ln -s /usr/share/crypto-policies/DEFAULT/opensshserver.txt opensshserver.config
    systemctl restart sshd.service

    ### voila
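As an added example (not the commenter's own script), the same relinking written as shell functions parameterised on the back-ends and policy directories, with a check that the target policy files exist before any link is replaced and an audit that reports which policy each back-end actually resolves to. Paths default to the CentOS 8 locations from the comment; restarting sshd afterwards is left to the caller as in the comment.

```shell
#!/bin/sh
# Added example, not the poster's script. Pins the two OpenSSH back-ends to a
# chosen policy while the system-wide policy stays LEGACY, and audits which
# policy every back-end link resolves to. Paths follow the CentOS 8 layout in
# the comment; BACKENDS and POLICIES can be overridden so the functions can be
# exercised against a scratch directory instead of /etc.
BACKENDS="${BACKENDS:-/etc/crypto-policies/back-ends}"
POLICIES="${POLICIES:-/usr/share/crypto-policies}"

# backend_policy NAME: print the policy directory that back-end link NAME
# points into (e.g. LEGACY); fails if NAME is not a symlink.
backend_policy() {
    target=$(readlink "$BACKENDS/$1") || return 1
    dir=${target%/*}
    printf '%s\n' "${dir##*/}"
}

# pin_openssh_policy POLICY: repoint openssh.config and opensshserver.config
# at POLICY's files. Both target files are checked first, so a typo cannot
# leave sshd with a dangling link; every other back-end is left untouched.
pin_openssh_policy() {
    policy="$1"
    for name in openssh opensshserver; do
        [ -f "$POLICIES/$policy/$name.txt" ] ||
            { echo "no $name.txt in policy $policy" >&2; return 1; }
    done
    for name in openssh opensshserver; do
        ln -sf "$POLICIES/$policy/$name.txt" "$BACKENDS/$name.config" || return 1
    done
}

# audit_backends: one "back-end policy" line per link, so drift (for example
# a later update-crypto-policies --set that re-linked everything) is visible.
audit_backends() {
    for f in "$BACKENDS"/*.config; do
        name=${f##*/}
        printf '%s %s\n' "$name" "$(backend_policy "$name" || echo '(not a symlink)')"
    done
}
```

Re-running `update-crypto-policies --set` rewrites the links in back-ends, so the pin has to be reapplied after any policy change (which is what the commenter's puppet rules would do); `audit_backends` is the quick way to see whether it was lost.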