[Libguestfs] [PATCH v2v] docs: Fix update-crypto-policies command.

Tomas Mraz tmraz at redhat.com
Wed Jan 15 13:36:45 UTC 2020 

On Wed, 2020-01-15 at 13:21 +0000, Richard W.M. Jones wrote:
> On Wed, Jan 15, 2020 at 11:03:24AM +0000, Daniel P. Berrangé wrote:
> > On Wed, Jan 15, 2020 at 10:57:36AM +0000, Richard W.M. Jones wrote:
> > > The command as documented was wrong.  We need to use the --set
> > > option
> > > to change the policy.
> > > 
> > > Fixes commit d5cbe7b4bee5dec9e28b1db03e933c97ef6d11e0.
> > > Thanks: Xiaodai Wang
> > > ---
> > >  docs/virt-v2v-input-xen.pod | 2 +-
> > >  1 file changed, 1 insertion(+), 1 deletion(-)
> > > 
> > > diff --git a/docs/virt-v2v-input-xen.pod b/docs/virt-v2v-input-
> > > xen.pod
> > > index bafeabf62..bce0aff45 100644
> > > --- a/docs/virt-v2v-input-xen.pod
> > > +++ b/docs/virt-v2v-input-xen.pod
> > > @@ -36,7 +36,7 @@ to interoperate with RHEL 5 sshd are
> > > disabled.  To enable them you may
> > >  need to run this command on the conversion server (ie. ssh
> > > client),
> > >  but read L<update-crypto-policies(8)> first:
> > >  
> > > - # update-crypto-policies LEGACY
> > > + # update-crypto-policies --set LEGACY
> > 
> > Personally I would not be in favour of recommending that people
> > change their crypto policies host-wide, especially since the
> > doc is not telling them to set it back to the stronger default
> > policy later.
> > 
> > If the problem is simply the SSH server, then it ought to be
> > possible to address this using the "Ciphers" config option
> > for the SSH client, so that it doesn't weaken crypto for the
> > entire host.
> 
> That's the "but read the <manual> first" part of the documentation.
> 
> Anyway I looked at how easy this might be to implement.  The first
> complication is that we're using two different ways to contact the
> RHEL 5 Xen server, first making a libvirt connection to xen+ssh, and
> then using nbdkit-ssh-plugin.
> 
> Libvirt is using the ssh binary, but with no control over the -c /
> Ciphers option.  However /usr/bin/ssh will honour crypto-policies.
> 
> nbdkit is using libssh, so again it's not settable directly but it
> will honour crypto-policies.
> 
> It seems as if it's possible to set crypto-policies only for SSH
> protocol connections, but the documentation for this is obscure to
> say
> the least.  Since we're using external binaries to do the work it
> doesn't seem like we can do this only for virt-v2v.
> 

The LEGACY policy will not make the system inherently 'less secure' and
its purpose is actually to allow communication with legacy devices
which RHEL-5 systems already are. So I do not think mentioning this
switch to LEGACY when you need to communicate with RHEL-5 systems is
wrong. BTW, if for example you need to communicate with a HTTPS web
server on the RHEL-5 system, you'll need the LEGACY policy as well.

-- 
Tomáš Mráz
No matter how far down the wrong road you've gone, turn back.
                                              Turkish proverb
[You'll know whether the road is wrong if you carefully listen to your
conscience.]

More information about the Libguestfs mailing list