[Libguestfs] [PATCH v2v] docs: Fix update-crypto-policies command.

Daniel P. Berrangé berrange at redhat.com
Wed Jan 15 13:52:01 UTC 2020


On Wed, Jan 15, 2020 at 01:21:25PM +0000, Richard W.M. Jones wrote:
> On Wed, Jan 15, 2020 at 11:03:24AM +0000, Daniel P. Berrangé wrote:
> > On Wed, Jan 15, 2020 at 10:57:36AM +0000, Richard W.M. Jones wrote:
> > > The command as documented was wrong.  We need to use the --set option
> > > to change the policy.
> > > 
> > > Fixes commit d5cbe7b4bee5dec9e28b1db03e933c97ef6d11e0.
> > > Thanks: Xiaodai Wang
> > > ---
> > >  docs/virt-v2v-input-xen.pod | 2 +-
> > >  1 file changed, 1 insertion(+), 1 deletion(-)
> > > 
> > > diff --git a/docs/virt-v2v-input-xen.pod b/docs/virt-v2v-input-xen.pod
> > > index bafeabf62..bce0aff45 100644
> > > --- a/docs/virt-v2v-input-xen.pod
> > > +++ b/docs/virt-v2v-input-xen.pod
> > > @@ -36,7 +36,7 @@ to interoperate with RHEL 5 sshd are disabled.  To enable them you may
> > >  need to run this command on the conversion server (ie. ssh client),
> > >  but read L<update-crypto-policies(8)> first:
> > >  
> > > - # update-crypto-policies LEGACY
> > > + # update-crypto-policies --set LEGACY
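Review bot: the added line `# update-crypto-policies --set LEGACY` changes the policy for the whole conversion server, and the visible context gives no step for returning to the previous policy once the conversion is done. Suggest documenting that the reader record the current policy with `update-crypto-policies --show` before the change and restore it with `--set` afterwards.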
> > 
> > Personally I would not be in favour of recommending that people
> > change their crypto policies host-wide, especially since the
> > doc is not telling them to set it back to the stronger default
> > policy later.
> > 
> > If the problem is simply the SSH server, then it ought to be
> > possible to address this using the "Ciphers" config option
> > for the SSH client, so that it doesn't weaken crypto for the
> > entire host.
> 
> That's the "but read the <manual> first" part of the documentation.
> 
> Anyway I looked at how easy this might be to implement.  The first
> complication is that we're using two different ways to contact the
> RHEL 5 Xen server, first making a libvirt connection to xen+ssh, and
> then using nbdkit-ssh-plugin.
> 
> Libvirt is using the ssh binary, but with no control over the -c /
> Ciphers option.  However /usr/bin/ssh will honour crypto-policies.
> 
> nbdkit is using libssh, so again it's not settable directly but it
> will honour crypto-policies.
> 
> It seems as if it's possible to set crypto-policies only for SSH
> protocol connections, but the documentation for this is obscure to say
> the least.  Since we're using external binaries to do the work it
> doesn't seem like we can do this only for virt-v2v.

Yeah, for libssh, I don't have a good suggestion. Only for /usr/bin/ssh
where you can do something like telling users to append to ssh_config

   Host old-rhel-5-hostname
      Ciphers +3des-cbc

(and possibly MACs, can't remember exactly)

Regards,
Daniel
-- 
|: https://berrange.com      -o-    https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org         -o-            https://fstop138.berrange.com :|
|: https://entangle-photo.org    -o-    https://www.instagram.com/dberrange :|
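
An added example, not part of the original message or of the libguestfs project: a shell check that the weak cipher from the `ssh_config` suggestion above is enabled only for the legacy host and not host-wide, based on the effective client configuration printed by `ssh -G`. The sample output, the host `build01.example.test` and the function names are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread). Verifies that a weak cipher is enabled
# only for the one legacy host, using the effective client configuration that
# `ssh -G <host>` prints as lowercase "keyword value" lines.

# Cipher to look for; 3des-cbc is the one named in the message above.
WEAK_CIPHER="${WEAK_CIPHER:-3des-cbc}"

# Read `ssh -G` output on stdin; succeed if WEAK_CIPHER is in the "ciphers" list.
weak_cipher_enabled() {
    awk -v want="$WEAK_CIPHER" '
        $1 == "ciphers" {
            n = split($2, list, ",")
            for (i = 1; i <= n; i++) if (list[i] == want) found = 1
        }
        END { exit(found ? 0 : 1) }'
}

# Classify a pair of `ssh -G` dumps: $1 = legacy host, $2 = any other host.
# Prints "scoped", "host-wide" or "not-enabled".
cipher_scope() {
    if weak_cipher_enabled < "$2"; then
        echo "host-wide"
    elif weak_cipher_enabled < "$1"; then
        echo "scoped"
    else
        echo "not-enabled"
    fi
}

# Constructed samples, trimmed to the relevant lines of `ssh -G` output.
sample_legacy() {
    printf '%s\n' 'hostname old-rhel-5-hostname' \
        'ciphers aes256-gcm@openssh.com,aes256-ctr,3des-cbc'
}
sample_other() {
    printf '%s\n' 'hostname build01.example.test' \
        'ciphers aes256-gcm@openssh.com,aes256-ctr'
}

# Demo on the constructed samples; on a real client, replace the two files
# with `ssh -G old-rhel-5-hostname` and `ssh -G <some-other-host>` output.
demo() {
    tmp=$(mktemp -d) || return 1
    sample_legacy > "$tmp/legacy"
    sample_other  > "$tmp/other"
    cipher_scope "$tmp/legacy" "$tmp/other"
    rm -rf "$tmp"
}
demo
```

`ssh -G` reports the OpenSSH client's configuration only, so a "scoped" result says nothing about other SSH implementations on the same host.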



