
Re: ssh_options_parse_config by default


On Tuesday, 3 July 2018 07:40:27 CEST Nikos Mavrogiannopoulos wrote:
> Hi,
>  In the context of Fedora we are looking at various ways for applications
> to get a reasonable and adjustable default policy for crypto ciphers
> and parameters. Our goal is to be able to disable ciphers system-wide
> when necessary, without going through all possible applications. So far
> we have succeeded with the TLS libs, though with different approaches.
> With openssl and gnutls we apply a default config to all applications,
> unless the applications explicitly override that.
> 
> Now getting on libssh, what would be the best way to achieve the same
> thing? libssh provides ssh_options_parse_config() [0] but applications
> are expected to call it explicitly, meaning that we cannot assume that
> all apps follow the system's global config (/etc/ssh/ssh_config).
> Furthermore, on server side, libssh doesn't provide something
> equivalent. Would it make sense for libssh to apply some global
> configuration about enabled ciphers (e.g., from /etc/) unconditionally
> on server or client side? Would such a feature be acceptable?

Hi Nikos,

I'm fine with parsing the config(s) by default on the client; however, it should 
be possible to disable it!

On the server side there is no support for parsing the sshd_config and I 
don't think we should parse it. Also I'm not sure if there should be a libssh 
server config file. The service/daemon/server implementing it should have one.

Aris or Jon, how should we deal with that on the server side? Any thoughts?


Cheers,

	Andreas

-- 
Andreas Schneider                 asn@xxxxxxxxxxxxxx
GPG-ID:     8DFF53E18F2ABC8D8F3C92237EE0FC4DCC014E3D
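The two mails above talk about a client picking up cipher, MAC and key-exchange lists from /etc/ssh/ssh_config (via ssh_options_parse_config(session, NULL) in a libssh client) and about a system-wide policy in /etc/ that disables algorithms regardless of what the application asked for. The program below is an added illustration of that policy layer written for this page; it is not libssh code and not anything the thread participants wrote. It parses the Ciphers, MACs and KexAlgorithms directives from ssh_config(5)-style text using that format's first-obtained-value-wins rule, then removes every algorithm named in a system-wide disabled list. Host/Match blocks are ignored (every directive is treated as global), and the config text and disabled list are constructed for the demo.

```c
/* Added illustration, not libssh code: a model of the "global crypto
 * policy" layer discussed in the thread.  The config text and the
 * disabled list below are constructed for the demo. */
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define MAX_LIST 512

struct crypto_prefs {
    char ciphers[MAX_LIST];   /* empty string means "library default" */
    char macs[MAX_LIST];
    char kex[MAX_LIST];
};

/* ssh_config keywords are case-insensitive. */
static int kw_equals(const char *a, const char *b)
{
    for (; *a && *b; a++, b++)
        if (tolower((unsigned char)*a) != tolower((unsigned char)*b))
            return 0;
    return *a == '\0' && *b == '\0';
}

/* Parse one "Keyword value" or "Keyword=value" line. Returns 1 if a new
 * value was recorded; a keyword seen before is ignored (first value wins). */
static int parse_line(char *line, struct crypto_prefs *prefs)
{
    char *p = line, *kw, *slot = NULL, *end;

    while (isspace((unsigned char)*p)) p++;
    if (*p == '\0' || *p == '#') return 0;              /* blank or comment */
    kw = p;
    while (*p && !isspace((unsigned char)*p) && *p != '=') p++;
    if (*p) *p++ = '\0';
    while (isspace((unsigned char)*p) || *p == '=') p++;
    end = p + strlen(p);
    while (end > p && isspace((unsigned char)end[-1])) *--end = '\0';

    if (kw_equals(kw, "Ciphers")) slot = prefs->ciphers;
    else if (kw_equals(kw, "MACs")) slot = prefs->macs;
    else if (kw_equals(kw, "KexAlgorithms")) slot = prefs->kex;
    if (slot == NULL || *p == '\0' || slot[0] != '\0') return 0;
    snprintf(slot, MAX_LIST, "%s", p);
    return 1;
}

/* Parse a whole config text; returns the number of directives recorded,
 * or -1 if a line is too long to handle without truncation. */
int parse_ssh_config(const char *text, struct crypto_prefs *prefs)
{
    int applied = 0;
    memset(prefs, 0, sizeof *prefs);
    while (*text) {
        char line[1024];
        const char *nl = strchr(text, '\n');
        size_t len = nl ? (size_t)(nl - text) : strlen(text);
        if (len >= sizeof line) return -1;
        memcpy(line, text, len);
        line[len] = '\0';
        applied += parse_line(line, prefs);
        text += nl ? len + 1 : len;
    }
    return applied;
}

/* Strip every algorithm named in the system-wide disabled list from a
 * comma-separated preference list. Writes the result to out and returns
 * how many algorithms survived (0 means the policy rejected all of them). */
size_t apply_policy(const char *list, const char *const *disabled,
                    size_t ndisabled, char *out, size_t outlen)
{
    size_t kept = 0, used = 0;
    out[0] = '\0';
    while (*list) {
        const char *comma = strchr(list, ',');
        size_t len = comma ? (size_t)(comma - list) : strlen(list);
        int drop = 0;
        for (size_t i = 0; i < ndisabled; i++)
            if (strlen(disabled[i]) == len && memcmp(list, disabled[i], len) == 0)
                drop = 1;
        if (!drop) {
            if (used + (kept ? 1 : 0) + len + 1 > outlen) break;   /* no room */
            if (kept) out[used++] = ',';
            memcpy(out + used, list, len);
            used += len;
            out[used] = '\0';
            kept++;
        }
        list += comma ? len + 1 : len;
    }
    return kept;
}

/* Constructed sample in ssh_config(5) syntax; the lower-case second
 * "ciphers" line exercises the first-value-wins rule. */
static const char SAMPLE_CONFIG[] =
    "# constructed example, not a real /etc/ssh/ssh_config\n"
    "Host *\n"
    "    Ciphers aes128-ctr,3des-cbc,aes256-gcm@openssh.com\n"
    "    MACs hmac-sha1,hmac-sha2-256\n"
    "    ciphers chacha20-poly1305@openssh.com\n"
    "    KexAlgorithms=diffie-hellman-group1-sha1,curve25519-sha256\n";

/* Constructed stand-in for a system-wide disable list kept under /etc/. */
static const char *const DISABLED[] = {
    "3des-cbc", "hmac-sha1", "diffie-hellman-group1-sha1"
};
#define NDISABLED (sizeof DISABLED / sizeof DISABLED[0])

int main(void)
{
    struct crypto_prefs prefs;
    char out[MAX_LIST];
    const char *names[] = { "Ciphers", "MACs", "KexAlgorithms" };
    const char *lists[3];

    if (parse_ssh_config(SAMPLE_CONFIG, &prefs) < 0) return 1;
    lists[0] = prefs.ciphers; lists[1] = prefs.macs; lists[2] = prefs.kex;
    for (int i = 0; i < 3; i++) {
        size_t kept = apply_policy(lists[i], DISABLED, NDISABLED, out, sizeof out);
        printf("%-14s %s -> %s%s\n", names[i], lists[i][0] ? lists[i] : "(default)",
               out, kept ? "" : "(nothing left: the connection would fail)");
    }
    return 0;
}
```

Two things the output makes visible that the mails only imply: the second Ciphers line is silently ignored, so an application that wants to override the system file must set its own options rather than append a later directive, and a policy that disables everything a list contains leaves an empty preference list, which a real client should treat as a hard failure rather than fall back to library defaults.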



References:
ssh_options_parse_config by default (Nikos Mavrogiannopoulos <nmav@xxxxxxxxxx>)