From Fedora Project Wiki

Description

OpenSSH support


How to test

We will test if openssh client respects current policy

  1. Prepare ssh server that uses old crypto 
    cp /etc/ssh/sshd_config sshd_config.bak
    

    echo -e 'Match All\n    Ciphers 3des-cbc' >>/etc/ssh/sshd_config
    

    service sshd restart
  2. Switch to DEFAULT profile and connect to the server 
    update-crypto-policies --set DEFAULT
    

    ssh -vv localhost 'echo CONNECTED' || echo "FAIL ssh DEFAULT"
  3. Switch to FUTURE profile and connect to the server 
    update-crypto-policies --set FUTURE
    

    ssh localhost 'echo CONNECTED' && echo "FAIL ssh FUTURE"
  4. Restore original settings 
    cp -f sshd_config.bak /etc/ssh/sshd_config
    

    rm -f sshd_config.bak
    

    service sshd restart

Expected Results

  1. sshd server starts successfully
  2. connection is established - CONNECTED is printed
  3. connection is NOT established
  4. sshd server starts successfully with original configuration



Retrieved from "https://fedoraproject.org/w/index.php?title=QA:Testcase_CryptoPolicies_openssh&oldid=489609"