--- /dev/null
+\documentclass[xcolor={dvipsnames,table},graphicx,parskip]{beamer}
+
+\usepackage[ngerman]{babel}
+\usepackage[utf8]{inputenc}
+\usepackage{bytefield}
+
+\usepackage{textpos}
+\usepackage{pgfpages} %für notizen in Slides
+\usepackage{tcolorbox}%runde colorboxen \usepackage{textpos}
+\usepackage{stmaryrd} % \shortrightarrow
+\usepackage[final]{qrcode}%für qrcodes
+
+\usepackage{hyperref}
+
+%\usepackage{showkeys}
+
+\uselanguage{German}
+\languagepath{German}
+
+
+\mode<handout>{%
+ \setbeameroption{show notes}
+ %\setbeamerfont{note page}{size=\large}
+ %\setbeameroption{show notes on second screen=bottom}
+ \setbeamertemplate{note page}{%
+ \vspace{1cm}
+ weitere Informationen:\\
+ \vskip.25em
+ \nointerlineskip
+ {\Large \insertframetitle}
+ \vskip.25em
+ {\Large\insertframesubtitle}
+ \vskip.25em
+ %\vspace{1cm}\\
+ \insertnote}
+}
+
+\mode<beamer>{%
+\setbeamerfont{note page}{size=\huge}
+\setbeameroption{show notes on second screen=bottom}
+}
+
+\usetheme[hideothersubsections,left]{Goettingen}
+
+%\definecolor{hellblau}{RGB}{61, 165, 217}
+\definecolor{kuerzung}{RGB}{254, 198, 1}
+\definecolor{orange}{RGB}{234, 155, 23}
+\definecolor{dunkelblau}{RGB}{11, 12, 93}
+\definecolor{gruen}{RGB}{137, 252, 0}
+\definecolor{gruendunkel}{RGB}{172, 210, 237}
+\definecolor{titelblau}{RGB}{21, 59, 80}
+\definecolor{blau}{rgb}{0.7, 0.99, 0.99}
+\definecolor{coolblack}{rgb}{0.0, 0.18, 0.39}
+\definecolor{DarkGreen}{rgb}{0.0, 0.6, 0.0}
+\definecolor{ao}{rgb}{0.12, 0.3, 0.17}
+\definecolor{realRFC}{rgb}{0.1, 0.1, 0.44}
+\definecolor{witzRFC}{rgb}{0.01, 0.75, 0.24}
+\definecolor{prefix}{rgb}{0.5, 0.5, 0.0}
+\definecolor{IID}{rgb}{0.56, 0.0, 1.0}
+\definecolor{CIDR}{rgb}{0.0, 0.29, 0.29}
+
+\graphicspath{{Bilder/}}
+
+% minted Optionen
+\usepackage{lineno}
+\usepackage[newfloat]{minted}
+\usemintedstyle{friendly}
+\usemintedstyle[sourcelist,linux-config]{autumn}
+\usemintedstyle[console]{staroffice}
+\usemintedstyle[bash]{pastie}
+
+\setminted[bash]{
+ breaklines=true,
+ tabsize=2,
+ linenos,
+ numbersep=2pt,
+ autogobble,
+ framesep=0pt
+}
+
+\setminted[linux-config]{
+ breaklines=true,
+ linenos,
+ numbersep=2pt,
+ autogobble,
+ framesep=0pt
+}
+
+\setminted[console]{
+ breaklines=true,
+ linenos,
+ numbersep=2pt,
+ autogobble,
+ framesep=0pt
+}
+
+
+\setbeamercovered{transparent}
+\useoutertheme{sidebar}
+\useinnertheme{rounded}
+
+%um descripten links auszurichten
+\defbeamertemplate{description item}{align left}{\insertdescriptionitem\hfill}
+\setbeamertemplate{description item}[align left]
+
+\begin{document}
+
+%Beispiel Farb Definition
+\setbeamercolor{block title example}{use=example text,fg=example text.fg,bg=example text.fg!20!bg}
+\setbeamercolor{block body example}{parent=normal text,use=block title example,bg=block title example.bg!50!bg}
+%DefintionsBlock Farbspezification
+\setbeamercolor{block title}{use=structure text,fg=blue,bg=example text.fg!20!bg}
+\setbeamercolor{block body}{parent=normal text,use=block title example,bg=block title example.bg!50!bg}
+
+
+\setbeamertemplate{frametitle}[default][center]
+
+\setbeamertemplate{navigation symbols}{}
+\setbeamertemplate{page number in head/foot}[totalframenumber]
+
+% fußzeilen Definition
+\setbeamertemplate{footline}{\vspace*{-20pt} \leavevmode%
+ \hbox{%
+ \hspace{2cm} \colorbox{white}{\color{black}
+ \textcolor{black}{\insertdate} \hspace{1.5cm} \insertshortauthor \hspace{4cm} \insertframenumber \quad von \inserttotalframenumber \hspace{1cm} }}}
+
+\setbeamertemplate{itemize items}[triangle]
+\setbeamertemplate{page number in foot}[totalframenumber]
+
+% % sidebarsetting
+
+\setbeamertemplate{sidebar canvas left}[vertical shading][top=ao,middle=titelblau,bottom=DarkGreen]
+\setbeamercolor{section in sidebar shaded}{fg=yellow}
+\setbeamercolor{author in sidebar}{fg=ao}
+\setbeamercolor{title in sidebar}{fg=white}
+
+% Sidebar Farben normal
+\setbeamercolor{section in sidebar shaded}{fg=blau}
+\setbeamercolor{subsection in sidebar shaded}{fg=Yellow}
+\setbeamercolor{subsubsection in sidebar shaded}{fg=SpringGreen}
+
+%Sidebar Farben aktiviert
+\setbeamercolor*{palette sidebar primary}{fg=YellowOrange}
+\setbeamercolor*{palette sidebar secondary}{fg=YellowOrange}
+
+\setbeamercolor{titlelike}{fg=white, bg=titelblau}
+
+% %itemsetting
+\setbeamercolor{item}{fg=blue}%color of bullet
+\setbeamercolor{subitem}{fg=orange}%color of bullet
+
+%inhaltsverzeichniss
+
+\setbeamercolor{section in toc}{fg=blue}%, bg=black}
+\setbeamercolor{subsection in toc}{fg=DarkGreen}
+\setbeamercolor{subsubsection in toc}{fg=teal}
+\setbeamertemplate{sections/subsections in toc}[triangle]
+
+%\setbeamertemplate{blocks}[rounded]
+\setbeamertemplate{title page}[default][colsep=-4bp,rounded=true]
+
+%Background
+\setbeamercolor{background canvas}{bg=white}
+
+\setbeamertemplate{background}{%
+ \includegraphics[height=\paperheight]{hacker2.jpg}}
+
+%Titel definition
+\title[Crypto-Policies]{Crypto-Policies}
+\subtitle{one Tool to rule all Crypto in Linux}
+\author[Bücherratten]{\textbf{Bücherratten}\\\texttt{ratten@buecherratten.in-berlin.de}}
+\institute{\textbf{37C3}}
+
+\date{Dezember 2023}
+
+% Titlepage Farben setzen
+\setbeamercolor{date}{fg=orange}
+\setbeamercolor{author}{fg=orange}
+\setbeamercolor{institute}{fg=orange}
+
+%\titlegraphic{\includegraphics[scale=0.3]{hacker.jpg}}
+
+%sitebar leer setzten
+\setbeamertemplate{sidebar left}{}
+
+%titlepage ohne sidebar
+\makeatletter
+\begin{frame}[plain]
+ \hspace*{-\beamer@sidebarwidth}%
+ \advance\textwidth by \beamer@sidebarwidth\relax
+ \beamer@sidebarwidth=\z@
+ \begin{minipage}{\textwidth}
+ \vspace{1cm}
+ \maketitle
+ \end{minipage}
+ \footnote{\textcolor{orange}{Bild von \href{https://pixabay.com/de/users/thedigitalartist-202249/?utm_source=link-attribution&utm_medium=referral&utm_campaign=image&utm_content=2300772}{Pete Linforth} auf \href{https://pixabay.com/de//?utm_source=link-attribution&utm_medium=referral&utm_campaign=image&utm_content=2300772}{Pixabay}}}
+
+\end{frame}
+\makeatother
+\setbeamertemplate{background}
+
+\begin{frame}
+ \frametitle{Inhalt}
+ \textbf{\tableofcontents}%[hideothersubsections]}
+ \vspace{0.4cm}
+ \note{Abfrage: Wer von euch musste letztens die Probleme von den Kollegen lösen?}
+\end{frame}
+
+%sidebar wiederherstellen
+\setbeamertemplate{sidebar left}[sidebar theme]
+
+\section{Problemstellung}
+
+%\setbeamertemplate{blocks}[rounded][shadow=true]
+\setbeamercolor{Kollege}{bg=DarkGreen}
+\setbeamercolor{Azubi}{bg=teal}
+\setbeamercolor{eingabe}{bg=gray}
+\subsection{Der SSH Fehler}
+\begin{frame}<beamer>[t]
+ \frametitle{Die Fehler Beschreibung}
+ \only<1-4>{\begin{beamercolorbox}[wd=0.9\textwidth,left,rounded=true]{Kollege}
+ Ich kann mich nicht mehr mit meinem SSH-key mit den RHEL8-Servern verbinden, kannst du mal rauskriegen woran das liegt? Du magst doch SSH.
+ \end{beamercolorbox}}
+ \only<2-5>{\quad\quad\begin{beamercolorbox}[wd=0.9\textwidth,right,rounded=true]{Azubi}
+ Klar\\
+ Was hast du für nen SSH-key?\\
+ Wie lautet die Fehlermeldung?
+ \end{beamercolorbox}}
+ \only<3-6>{\begin{beamercolorbox}[wd=0.9\textwidth,left,rounded=true]{Kollege}
+ Ich hab nen normalen RSA-SSH-key und ich hab keine Fehlermeldung, es kommt nur die Passwort-Abfrage von dem Server
+ \end{beamercolorbox}}
+ \only<4-7>{\quad\quad\begin{beamercolorbox}[wd=0.9\textwidth,right,rounded=true]{Azubi}
+ Wie viele bits hat den dein RSA?\\
+ Hast du mal \mintinline{bash}{ssh -v user@Server} oder \mintinline{bash}{ssh -oisdfhusiduh user@Server} versucht?
+ \end{beamercolorbox}}
+ \only<5-7>{\begin{beamercolorbox}[wd=0.9\textwidth,left,rounded=true]{Kollege}
+ Na die default Größe und ich benutze Putty
+ \end{beamercolorbox}}
+ \only<6->{\quad\quad\begin{beamercolorbox}[wd=0.9\textwidth,right,rounded=true]{Azubi}
+ Ich schau es mir an \dots
+ \end{beamercolorbox}}
+ \only<7->{\begin{beamercolorbox}[wd=0.9\textwidth,left,rounded=true]{Kollege}
+ Aber deine Lösung muss idempotent sein und mit Ansible umsetzbar
+ \end{beamercolorbox}}
+\begin{beamercolorbox}[wd=\textwidth,left,rounded=true]{eingabe}
+ \dots
+\end{beamercolorbox}
+\end{frame}
+
+\begin{frame}<handout>
+ \frametitle{Die Fehler Beschreibung}
+ \begin{beamercolorbox}[wd=0.9\textwidth,left,rounded=true]{Kollege}
+ Ich kann mich nicht mehr mit meinem SSH-key mit den RHEL8-Servern verbinden, kannst du mal rauskriegen woran das liegt? Du magst doch SSH.
+ \end{beamercolorbox}
+ \quad\quad\begin{beamercolorbox}[wd=0.9\textwidth,right,rounded=true]{Azubi}
+ Ich schau es mir an \dots
+ \end{beamercolorbox}
+ \begin{beamercolorbox}[wd=0.9\textwidth,left,rounded=true]{Kollege}
+ Aber deine Lösung muss idempotent sein und mit Ansible umsetzbar
+ \end{beamercolorbox}
+ \begin{beamercolorbox}[wd=\textwidth,left,rounded=true]{eingabe}
+ \dots
+ \end{beamercolorbox}
+\end{frame}
+
+\setbeamercovered{transparent}
+%\setbeamertemplate{blocks}[rounded][shadow=false]
+\subsection{whoami}
+ \begin{frame}
+ \frametitle{whoami}
+ \begin{itemize}
+ \item{Bücherratten}
+ \item{39 Jahre}
+ \item{Pronomen: sie}
+ \item{Berufsbezeichnung: Fachinformatikerin für Systemintegration}
+ \item{Berufliches Themenfeld: Automatisierung mit Ansible}
+ \item{Linuxerin seit Kernel 2.6.24 (2009)}
+ \item{Zugehörigkeiten zu: Haecksen, LinuxWorks!, BeLUG, FSFE}
+ \end{itemize}
+ URL zu Folien und Handout:
+ \vspace{0.2cm}
+ \begin{columns}
+ \only<beamer>{\begin{column}{0.2\textwidth}
+ \qrcode[hyperlink,height=1.5cm]{http://git.tuxteam.de/gitweb/?p=susannes-git/Crypto-Policy-Vortrag.git;a=tree}
+ \end{column}}
+ \begin{column}{0.8\textwidth}
+ \url{http://git.tuxteam.de/gitweb/?p=susannes-git/Crypto-Policy-Vortrag.git;a=tree}
+ \end{column}
+ \end{columns}
+\end{frame}
+\setbeamercovered{invisible}
+ \section{Einführung Crypto-Policies}
+ \subsection{bisherige Kryptographie Einstellungen}
+
+\begin{frame}
+ \frametitle{Krytpographie im System bisheriger Stand}
+ \framesubtitle{Abfrage}
+ Wer von euch:
+ \begin{itemize}
+ \item{hat den Überblick über alle Konfigurationsmöglichkeiten?}
+ \pause
+ \item{ist der Meinung das die Konfigurations Optionen bezüglich Crypto einheitlich sind?}
+ \pause
+ \item{findet es easy mal eben Systemweit zB SHA1 auszuschalten?}
+ \end{itemize}
+\end{frame}
+
+\setbeamercovered{transparent}
+
+\begin{frame}[fragile]
+ \frametitle{Krytpographie im System bisheriger Stand}
+ \begin{itemize}
+ \item{jedes Tool hat eigene Crypto-Regeln}
+ \item{Crypto-Regeln in der Konfigurationsdatei des Tools definieren}
+ \end{itemize}
+ \pause
+ %\vspace{-0.3cm}
+ \begin{exampleblock}{Beispiel: SSH /etc/ssh/sshd.conf}
+ \begin{minted}{linux-config}
+Ciphers aes128-ctr,aes192-ctr,aes256-ctr
+HostKeyAlgorithms ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521
+KexAlgorithms ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group14-sha1,diffie-hellman-group-exchange-sha256
+MACs hmac-sha2-256,hmac-sha2-512,hmac-sha1
+ \end{minted}
+ \end{exampleblock}
+ \note{Wenn zB. ssh auf SHA1-Algorithmen verzichtet, bedeutet das nicht das OpenSSL, davon weiß und auch darauf verzichtet}
+\end{frame}
+
+\subsection{Die Idee hinter Crypto-Policies}
+
+\begin{frame}
+ \frametitle{Idee: ein Ort für Systemweite Crypto-Einstellungen}
+ \small{
+ \begin{itemize}
+ \item{alle Crypto für TLS, IPsec, SSH, DNSSec, Kerberos, etc. wird über ein systemweites Tool eingestellt}
+ \item{Die Cipher Suite wird an einem Ort konfiguriert und überschreibt die Tool-Konfiguration}
+ \item{Crypto-Einstellungen in Konfigurations-Dateien werden wirkungslos}
+ \item{leichter zu maintainen, zu updaten, anzupassen}
+ \item{bisher in Fedora, RHEL, CentOS, OpenSuse, Oracle Linux, Ubuntu, Debian-sid(testing), ...}
+ \item{Entwicklung:
+ \begin{columns}
+ \only<beamer>{\begin{column}{0.1\textwidth}
+ \qrcode[hyperlink,height=1cm]{https://gitlab.com/redhat-crypto/fedora-crypto-policies}
+ \end{column}}
+ \begin{column}{0.9\textwidth}
+ \url{https://gitlab.com/redhat-crypto/fedora-crypto-policies}
+ \end{column}
+ \end{columns}}
+ \item{Eigenentwicklung von RedHat, Idee findet jedoch Konsens in Community}
+ \end{itemize}
+ }
+ \vspace{0.5cm}
+\end{frame}
+
+\subsection{Facts zu den Policies}
+\begin{frame}
+ \frametitle{One tool to rule them all}
+ \small{
+ Wofür können Crypto-policies momentan verwendet werden:
+ \begin{itemize}
+ \item{libssh SSH2 protocol implementation (scopes: libssh, SSH)}
+ \item{sequoia PGP, outside of rpm-sequoia (scopes: sequoia)}
+ \item{rpm-sequoia PGP backend (scopes: rpm, rpm-sequoia)}
+ \item{BIND DNS (scopes: BIND, DNSSec)}
+ \item{GnuTLS (scopes: GnuTLS, SSL, TLS)}
+ \item{Kerberos 5 (scopes: krb5, Kerberos)}
+ \item{Libreswan IPsec and IKE protocol implementation (scopes: libreswan, IPSec, IKE)}
+ \item{NSS TLS library (scopes: NSS, SSL, TLS)}
+ \item{OpenJDK runtime environment (scopes: java-tls, SSL, TLS)}
+ \item{OpenSSH SSH2 (scopes: OpenSSH, SSH)}
+ \item{OpenSSL TLS library (scopes: OpenSSL, SSL, TLS)}
+ \end{itemize}}
+ weitere Libraries sind in aktiver Entwicklung.
+ \vspace{0.5cm}
+ \note{Crypto-Policies nutzen die Bibliotheken der Tools im Fall von SSH sind das libssh und OpenSSH als Optionen für Scopes.}
+\end{frame}
+
+\begin{frame}
+ \frametitle{Arten von Policies}
+ \framesubtitle{Grob Überblick}
+ \begin{description}
+ \item[LEGACY] kompatibel mit RHEL 5
+ \item[FUTURE] Vorhersage zu zukünftigen Bedrohungen *\textsuperscript{1}
+ \item[BSI] nach BSI Standardisierung TR-02102-2 (bisher erst in Fedora?) *\textsuperscript{2}
+ \item[FIPS] genügt FIPS 140 Anforderungen *\textsuperscript{3}
+ \item[DEFAULT]
+ \item[EMPTY] für Debugging deaktiviert alle Crypto
+ \end{description}
+ \pause
+ *\textsuperscript{1} fun fakt: Die RedHat Customer Portal API kann zur Zeit noch nicht mit Future.\\
+ \pause
+ *\textsuperscript{2} \url{https://gitlab.com/redhat-crypto/fedora-crypto-policies/-/blob/master/policies/BSI.pol}
+ \note{*\textsuperscript{3} Amerikanische Zertifizierung für Kryptographie bezieht sich auf die Kryptographischen Teile eines Produkts im Gegensatz dazu CC (Common Criteria for Information Technology Security Evaluation) ist das Europäische Gegenstück bezieht sich auf Sicherheitsbezogene Themen nach ISO 15408}
+\end{frame}
+
+\begin{frame}[fragile]
+ \frametitle{Policies anzeigen und setzen}
+ \vspace{-0.5cm}
+ \begin{itemize}
+ \item{anzeigen: \mintinline{bash}{update-crypto-policies --show}}
+ \item{ändern: \mintinline{bash}{update-crypto-policies --set FUTURE:NO-SHA1}}
+ \begin{itemize}
+ \item{setzt die systemweiten Policies auf Future}
+ \item{unabhängig davon welche vorher aktiv war}
+ \item{Module dazu geladen: mit Doppelpunkt trennen, auch mehrfach}
+ \item{sind symbolische links von /etc/crypto-policies/back-ends nach /usr/share/crypto-policies.}
+ \item{generiert Backend Konfigurations-Dateien}
+ \end{itemize}
+ \item{deaktivieren}
+ \begin{itemize}
+ \item{Bei SSH über eine Variable in der Konfigurationsdatei (sshd.config) als opt-out}
+ \item{über die CLI mit cipher Optionen}
+ \end{itemize}
+ \item{nach Änderungen an den Policies wird ein Neustart empfohlen, weil evtl. viele Services betroffen sind}
+ \end{itemize}
+\end{frame}
+
+\section{Problemlösungsweg}
+
+\subsection{Lösungsweg}
+\begin{frame}[fragile]
+ \frametitle{erster Lösungsweg}
+ \framesubtitle{Was läuft hier?}
+ \begin{itemize}
+ \item{\mintinline{bash}{ssh -o } wird benötigt}
+ \pause
+ \item{Algorithmus-Änderungen in /etc/ssh/sshd\_config ohne Effekt}
+ \pause
+ \item{sshd-Unit?}
+\begin{minted}[fontsize=\footnotesize,breakanywhere,escapeinside=||]{console}
+[root@crypt-arbeit8 ~]# systemctl status sshd
+* sshd.service - OpenSSH server daemon
+ Loaded: loaded (/usr/lib/systemd/system/sshd.service)
+ Active: active (running) since 6min ago
+ Docs: man:sshd(8)
+ man:sshd_config(5)
+ Main PID: 669 (sshd)
+ Tasks: 1 (limit: 11160)
+ Memory: 6.4M
+ CGroup: /system.slice/sshd.service
+ \-669 /usr/sbin/sshd -D |\colorbox{green}{-oCiphers=aes256-gcm@openssh.com,aes256-ctr,aes256-cbc,aes128-gcm@openssh.com,aes128-ctr,aes128-cbc -oMACs=hmac-sha2-256-etm@openssh.com,hmac-sha1-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha2}|
+\end{minted}
+ \end{itemize}
+\end{frame}
+
+\begin{frame}[fragile]
+ \frametitle{erster Lösungsweg}
+ \framesubtitle{die mysteriöse Variable}
+ \begin{itemize}
+ \item{die Service Unit /usr/lib/systemd/system/sshd.service}
+ \begin{minted}[fontsize=\footnotesize,escapeinside=||]{linux-config}
+[Unit]
+Description=OpenSSH server daemon
+Documentation=man:sshd(8) man:sshd_config(5)
+After=network.target sshd-keygen.target
+Wants=sshd-keygen.target
+[Service]
+Type=notify
+EnvironmentFile=|\colorbox{green}{-/etc/crypto-policies/back-ends/opensshserver.config}|
+EnvironmentFile=-/etc/sysconfig/sshd
+ExecStart=/usr/sbin/sshd -D $OPTIONS |\colorbox{green}{\$CRYPTO\_POLICY}|
+ExecReload=/bin/kill -HUP $MAINPID
+KillMode=process
+Restart=on-failure
+RestartSec=42s
+[Install]
+WantedBy=multi-user.target
+ \end{minted}
+ \end{itemize}
+ \note{Realisiert werden Policies darüber, das die Variabel CRYPTOPOLICY beim Aufruf der Systemd Unit gefüllt werden}
+\end{frame}
+
+\begin{frame}[fragile]
+ \frametitle{erster Lösungsweg}
+ \framesubtitle{das Backend}
+ \begin{itemize}
+ \item{\mintinline{bash}{update-crypto-policies --show}}
+ \item{FIPS}
+ \pause
+ \item{/etc/crypto-policies/back-ends/opensshserver.config bearbeitet}
+ \begin{minted}[fontsize=\footnotesize,breakanywhere]{linux-config}
+CRYPTO_POLICY='-oCiphers=aes256-gcm@openssh.com,aes256-ctr,aes256-cbc,aes128-gcm@openssh.com,aes128-ctr,aes128-cbc -oMACs=hmac-sha2-256-etm@openssh.com,hmac-sha1-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha2-256,hmac-sha1,hmac-sha2-512 -oGSSAPIKeyExchange=no -oKexAlgorithms=ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512 -oHostKeyAlgorithms=ecdsa-sha2-nistp256,ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521,ecdsa-sha2-nistp521-cert-v01@openssh.com,rsa-sha2-256,rsa-sha2-256-cert-v01@openssh.com,rsa-sha2-512,rsa-sha2-512-cert-v01@openssh.com -oPubkeyAcceptedKeyTypes=ecdsa-sha2-nistp256,ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521,ecdsa-sha2-nistp521-cert-v01@openssh.com,rsa-sha2-256,rsa-sha2-256-cert-v01@openssh.com,rsa-sha2-512,rsa-sha2-512-cert-v01@openssh.com -oCASignatureAlgorithms=ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,rsa-sha2-256,rsa-sha2-512'
+ \end{minted}
+ \end{itemize}
+ \note{Einstellungen im Backend halten bis zum Reboot}
+\end{frame}
+
+\subsection{Versprechung oder Werbung?}
+
+\begin{frame}[fragile]
+ \frametitle{Umfrage}
+ \framesubtitle{Eurer Meinung nach...}
+ Eine Man Page
+ \begin{itemize}
+ \item{ist die single source of truth um zu wissen was ein Programm kann, bzw nicht kann}
+ \pause
+ \item{stellt die ideale Funktionsweise einen Programms dar}
+ \pause
+ \item{ist der perfekte Ort um CLI-Nerds (rtfm) mit Werbung für ein Programm zu versorgen}
+ \pause
+ \item{enthält Programm Features, die noch nicht im Programm integiert sind}
+ \pause
+ \item{ist ein farbelhaftes Versprechen was ein Programm alles für Funktionen hat}
+ \pause
+ \item{ist keine Anleitung zu dem Programm}
+ \end{itemize}
+\end{frame}
+
+\begin{frame}[fragile]
+ \frametitle{Crypto-Policy Man-Page}
+ \vspace{-0.5cm}
+ \begin{minted}[fontsize=\scriptsize,escapeinside=||]{linux-config}
+ PROVIDED POLICIES
+ DEFAULT
+ The DEFAULT policy is a reasonable default policy for today's standards. It allows the TLS 1.2 and TLS 1.3 protocols, as well as IKEv2 and SSH2. The RSA and Diffie-Hellman parameters are accepted if larger than 2047 bits.
+ The level provides at least 112-bit security with the exception of SHA-1 signatures needed for DNSSec and other still prevalent legacy use of SHA-1 signatures.
+ - MACs: all HMAC with SHA-1 or better + all modern MACs (Poly1305 etc.)
+ - Curves: all prime >= 255 bits (including Bernstein curves)
+ - Signature algorithms: with SHA-1 hash or better (no DSA)
+ - TLS Ciphers: >= 128-bit key, >= 128-bit block (AES, ChaCha20, including AES-CBC)
+ - non-TLS Ciphers: as TLS Ciphers with added Camellia
+ - key exchange: ECDHE, RSA, DHE (no DHE-DSS)
+ - DH params size: >= 2048
+ - |\colorbox{green}{RSA keys size: $>=$ 2048}|
+ - TLS protocols: TLS >= 1.2, DTLS >= 1.2
+ \end{minted}
+ \vspace{-0.1cm}
+ \pause
+ \color{red}{überprüfen wir das mal \dots}
+\end{frame}
+
+\begin{frame}<handout>[fragile]
+ \frametitle{ssh-key-size}
+ \framesubtitle{unter alma8}
+ \vspace{-0.2cm}
+ \begin{minted}[fontsize=\tiny,escapeinside=||]{console}
+sibille@Libelle:~$ ssh-copy-id -i ~/.ssh/crypt_1024rsa.pub root@crypt-arbeit8
+Number of key(s) added: 1
+sibille@Libelle:~$ ssh-copy-id -i ~/.ssh/crypt_2048rsa.pub root@crypt-arbeit8
+Number of key(s) added: 1
+sibille@Libelle:~$ ssh root@crypt-arbeit8
+root@crypt-arbeit8:# update-crypto-policies --show
+LEGACY
+root@crypt-arbeit8:# update-crypto-policies --set Default
+|\colorbox{green}{Setting system policy to DEFAULT}|
+root@crypt-arbeit8:# reboot
+sibille@Libelle:~$ ssh -i .ssh/crypt_1024rsa root@crypt-arbeit8 -v
+debug1: Local version string SSH-2.0-OpenSSH_8.4p1 Debian-5+deb11u1
+debug1: Remote protocol version 2.0, remote software version OpenSSH_8.0
+debug1: Next authentication method: publickey
+debug1: Offering public key: .ssh/crypt_1024rsa RSA SHA256:hkpFBRW/y76PZlG903lf1POqZ90DQfFoRfpqFqD/BwY explicit
+|\colorbox{red}{debug1: Server accepts key: .ssh/crypt\_1024rsa RSA SHA256:hkpFBRW/y76PZlG903lf1POqZ90DQfFoRfpqFqD/BwY explicit}|
+debug1: Authentication succeeded (publickey).
+Authenticated to crypt-arbeit8 ([192.168.2.38]:22).
+root@crypt-arbeit8:~[root@crypt-arbeit8 ~]# exit
+logout
+ \end{minted}
+ \vspace{0.5cm}
+\end{frame}
+
+\begin{frame}<handout>[fragile]
+ \frametitle{ssh-key-size}
+ \framesubtitle{unter alma9}
+ \begin{minted}[fontsize=\tiny,escapeinside=||]{console}
+sibille@Libelle:~$ ssh-copy-id -i ~/.ssh/crypt_1024rsa.pub root@crypt-arbeit9
+Number of key(s) added: 1
+sibille@Libelle:~$ ssh-copy-id -i ~/.ssh/crypt_2048rsa.pub root@crypt-arbeit9
+Number of key(s) added: 1
+sibille@Libelle:~$ ssh root@crypt-arbeit9
+root@crypt-arbeit9:# update-crypto-policies --showypto-policies --show
+LEGACY
+root@crypt-arbeit9:# update-crypto-policies --set Defaultlicies --set Default
+|\colorbox{green}{Setting system policy to DEFAULT}|
+root@crypt-arbeit9:# reboot
+sibille@Libelle:~$ ssh -i .ssh/crypt_1024rsa root@crypt-arbeit9 -v
+debug1: Local version string SSH-2.0-OpenSSH_8.4p1 Debian-5+deb11u1
+debug1: Offering public key: .ssh/crypt_1024rsa RSA SHA256:hkpFBRW/y76PZlG903lf1POqZ90DQfFoRfpqFqD/BwY explicit
+debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password
+|\colorbox{green}{debug1: Next authentication method: password}|
+root@crypt-arbeit9's password:
+sibille@Libelle:~$ ssh -i .ssh/crypt_2048rsa root@crypt-arbeit9 -v
+debug1: Offering public key: .ssh/crypt_2048rsa RSA SHA256:g5pZruCXK0Ng2/xW37JDXqQrMCo/XLL4jfETuZNcMQs explicit
+|\colorbox{green}{debug1: Server accepts key: .ssh/crypt\_2048rsa RSA SHA256:g5pZruCXK0Ng2/xW37JDXqQrMCo/XLL4jfETuZNcMQs explicit}|
+debug1: Authentication succeeded (publickey).
+Authenticated to crypt-arbeit9 ([192.168.2.107]:22).
+ \end{minted}
+\end{frame}
+
+\begin{frame}
+ \frametitle{Versprechung oder Werbung?}
+ \framesubtitle{ssh-key-size}
+ \small{%
+ \begin{proof}\phantom{\qedhere}
+ AlmaLinux8 hat noch eine ältere ssh Version, diese kennt die Option \textcolor{red}{RequiredRSASize} noch nicht.
+ \begin{block}{Auszug aus der ssh manpage AlmaLinux9}
+ RequiredRSASize\\
+ Specifies the minimum RSA key size (in bits) that sshd(8) will accept. User and host-based authentication keys smaller than this limit will be refused. The default is 1024 bits. Note that this limit may only be raised from the default.
+ \end{block}
+ Dadurch sind die Optionen min\_rsa\_size in der Crypto-Policy für OpenSSH in AlmaLinux8 wirkungslos.
+ \end{proof}}
+ \pause
+ Nach Aussage von Red Hat, haben sie OpenSSH auf RHEL8 extra gepatched\dots \pause Ich hab einen Patch in Fedora 37 gefunden, in den Paketen von AlmaLinux und Rocky Linux jedoch nicht.
+ \note{In Alma- und Rocky Linux tritt der gleiche Fehler auf, jedoch nicht in Fedora 37}
+\end{frame}
+
+\section{Problemlösungs\-möglichkeiten}
+
+\subsection{Policy Hand made}
+
+\subsubsection{configuration Parameter}
+\begin{frame}
+ \frametitle{Konfigurations-Parameter}
+ \footnotesize{
+ möglich Parameter innerhalb von Konfigurationsdateien:
+ \begin{itemize}
+ \item{Liste erlaubter:}
+ \begin{description}
+ \item[mac:] MAC Algorithmen
+ \item[group:] Gruppen oder elliptic curves für key exchanges
+ \item[hash:] cryptographic hash (message digest)
+ \item[sign:] signature
+ \item[cipher:] symmetric encryption Algorithmen(inkl. modes)
+ \item[key\_exchange:] key exchange algorithms
+ \item[protocol:] TLS, DTLS and IKE Protokoll Versions.\\ einige Backends erlauben kein selektives deaktivieren von Protokoll Versionen
+ \end{description}
+\item{minimale Anzahl der Bits für:}
+ \begin{description}
+ \item[min\_dh\_size:] parameters for DH key exchange
+ \item[min\_dsa\_size:] DSA keys
+ \item[min\_rsa\_size:] RSA keys
+ \end{description}
+ \item{binärer Werte:}
+ \begin{description}
+ \item[sha1\_in\_certs:] 1 SHA1 erlaubt in certificate signatures
+ \item[arbitrary\_dh\_groups:] 1 arbitrary group in Diffie-Hellman erlaubt
+ \item[ssh\_certs:] 1 OpenSSH certificate authentication erlaubt,
+ \item[ssh\_etm:] 1 OpenSSH EtM (encrypt-then-mac) extension erlaubt
+ \end{description}
+ \end{itemize}}
+\end{frame}
+
+\begin{frame}
+ \frametitle{Konfigurations-Parameter}
+ \framesubtitle{auf Bereiche eingrenzen}
+ Konfiguration auf bestimmte Backends (scopes) eingrenzen
+ \begin{itemize}
+ \item{option@scope1,scope2 = ...}
+ \begin{itemize}
+ \item{\mintinline{linux-config}{cipher@SSH = -*-CBC}}
+ \end{itemize}
+ \item{negierung mit option@!scope}
+ \item{scope ist case-insensitive}
+ \item{scopes sind bevorzugte schreibweise}
+ \item{die Reihenfolge der Crypto ist wichtig, was zuerst steht wird priorisiert}
+ \item{Reihenfolge der Optionen ist vorgegeben}
+ \end{itemize}
+ \pause
+ wichtige scopes für ssh:
+ \begin{itemize}
+ \item{OpenSSH SSH2 (scopes: OpenSSH, SSH)}
+ \item{libssh SSH2 protocol implementation (scopes: libssh, SSH)}
+ \end{itemize}
+\end{frame}
+
+\subsubsection{policy Definition vom Scratch}
+\begin{frame}
+ \frametitle{Policy Definition Hand-Made}
+ \begin{itemize}
+ \item{im Ordner /etc/crypto-policies/policies oder /usr/share/crypto-policies/policies}
+ \item{Dateiname muss GROSS geschrieben werden}
+ \item{Dateiextention ist .pol}
+ \end{itemize}
+\end{frame}
+
+\begin{frame}[fragile,shrink]
+ \frametitle{policy from scratch}
+ \framesubtitle{Beispiel FIPS (stark gekürzt)}
+ \begin{minted}[fontsize=\scriptsize]{linux-config}
+mac = AEAD HMAC-SHA2-256 HMAC-SHA2-384
+group = SECP256R1 SECP384R1 SECP521R1 FFDHE-2048
+hash = SHA2-256 SHA2-384 SHA2-512 SHA2-224
+sign = ECDSA-SHA3-256 ECDSA-SHA2-256
+cipher = AES-256-GCM AES-256-CCM AES-256-CTR
+cipher@TLS = AES-256-GCM AES-256-CCM AES-128-GCM
+# Kerberos is an exception,
+#allow CBC CTS ciphers no other options
+cipher@Kerberos = AES-256-CBC AES-128-CBC
+key_exchange = ECDHE DHE DHE-RSA PSK DHE-PSK
+protocol@TLS = TLS1.3 TLS1.2 DTLS1.2
+protocol@IKE = IKEv2
+# Parameter sizes
+min_dh_size = 2048
+min_dsa_size = 2048 # DSA is disabled
+min_rsa_size = 2048
+# GnuTLS only for now
+sha1_in_certs = 0
+arbitrary_dh_groups = 1
+ssh_certs = 1
+ssh_etm = 1
+ \end{minted}
+ \vspace{-0.3cm}
+\end{frame}
+
+\subsubsection{Policy Module - Hand made}
+\begin{frame}
+ \frametitle{Mit Modulen bestehende Policies erweitern}
+ \begin{itemize}
+ \item{im Ordner /etc/crypto-policies/policies/modules oder /usr/share/crypto-policies/policies/modules}
+ \item{Dateiname muss GROSS geschrieben werden}
+ \item{Dateiextention ist .pmod }
+ \item{mit - (minus) Parameter entfernen}
+ \item{* ist wildcard}
+ \item{Konfiguration erlaubt (noch) vollständiges Überschreiben der key-exchange Parameter (von ECDHE keys)}
+ \end{itemize}
+\end{frame}
+
+\begin{frame}[fragile,shrink]
+ \frametitle{Policy-Module}
+ \framesubtitle{Beispiel AES-128-Module}
+ \begin{minted}{linux-config}
+# Disable the AES-128 cipher, all modes
+cipher = -AES-128-*
+
+# Disable CHACHA20-POLY1305 for the TLS protocol (OpenSSL, GnuTLS, NSS, and OpenJDK)
+cipher@TLS = -CHACHA20-POLY1305
+
+# Allow using the FFDHE-1024 group with the SSH protocol (libssh and OpenSSH)
+group@SSH = FFDHE-1024+
+
+# Disable all CBC mode ciphers for the SSH protocol (libssh and OpenSSH)
+cipher@SSH = -*-CBC
+# Allow the AES-256-CBC cipher in applications using libssh
+cipher@libssh = AES-256-CBC+
+ \end{minted}
+ \vspace{0.5cm}
+\end{frame}
+
+\subsection{Crypto-Policies und Ansible}
+\begin{frame}[shrink]
+ \frametitle{Ansible-Role: Crypto-Policies}
+ Rolle: \textcolor{red}{linux-system-roles.crypto\_policies}\\
+ \vspace{-0.3cm}
+ \begin{columns}
+ \only<beamer>{\begin{column}{0.1\textwidth}
+ \qrcode[hyperlink,height=1cm]{https://galaxy.ansible.com/linux-system-roles/crypto_policies}
+ \end{column}}
+ \begin{column}{0.9\textwidth}
+ \url{https://galaxy.ansible.com/linux-system-roles/crypto_policies}
+ \end{column}
+ \end{columns}
+ Variablen:
+ \begin{description}
+ \item[crypto\_policies\_policy] Spezifizierung der Policy und Module
+ \item[crypto\_policies\_available\_policies] Liste der vorhandenen Policies
+ \item[crypto\_policies\_available\_subpolicies] Liste der vorhanden Module
+ \item[crypto\_policies\_reload] ob direkt nach dem Setzen der Policy die Services neu gestartet werden
+ \item[crypto\_policies\_reboot\_ok] ob das System neu gestartet wird
+ \item[crypto\_policies\_reboot\_required] wird von der Rolle gesetzt wenn Neustart des Systems erforderlich
+ \end{description}
+ \pause
+ Was die Rolle noch nicht kann:
+ \begin{itemize}
+ \item{Customized Module erstellen}
+ \item{Customized Policies erstellen}
+ \end{itemize}
+ \vspace{0.5cm}
+\end{frame}
+
+\begin{frame}[fragile]
+ \frametitle{Ansible-Role: Crypto-Policies}
+ \framesubtitle{Beispiel-Playbook}
+ \begin{minted}[linenos,numbersep=2pt]{yaml}
+- name: Manage crypto policies
+ hosts: all
+ roles:
+ role: linux-system-roles.crypto_policies
+ vars:
+ crypto_policies_policy: "DEFAULT:NO-SHA1"
+ crypto_policies_reload: false
+ \end{minted}
+ Ist das gleiche wie:
+ \begin{minted}{bash}
+ update-crypto-policies --set DEFAULT:NO-SHA1
+ \end{minted}
+\end{frame}
+
+\section{Ende}
+\begin{frame}
+ \frametitle{Resoucen zum Recherchieren}
+ \begin{itemize}
+ \item{man crypto-policies}
+ \item{man update-crypto-policies}
+ \item{Vorträge:}
+ \begin{itemize}
+ \item{\url{https://www.youtube.com/watch?v=NLSm8Kqd5N0}}
+ \item{\url{https://ftp.belnet.be/mirror/FOSDEM/video/2020/UA2.114/security_custom_crypto_policies.webm}}
+ \end{itemize}
+ \item{interaktives Lab:
+ \begin{columns}
+ \only<beamer>{\begin{column}{0.1\textwidth}
+ \qrcode[hyperlink,height=1cm]{https://www.redhat.com/en/interactive-labs/customize-system-wide-cryptographic-policy}
+ \end{column}}
+ \begin{column}{0.9\textwidth}
+ \url{https://www.redhat.com/en/interactive-labs/customize-system-wide-cryptographic-policy}
+ \end{column}
+ \end{columns}}
+ \item{Entwicklungs Repo:
+ \begin{columns}
+ \only<beamer>{\begin{column}{0.1\textwidth}
+ \qrcode[hyperlink,height=1cm]{https://gitlab.com/redhat-crypto/fedora-crypto-policies/}
+ \end{column}}
+ \begin{column}{0.9\textwidth}
+ \url{https://gitlab.com/redhat-crypto/fedora-crypto-policies/}
+ \end{column}
+ \end{columns}}
+ \end{itemize}
+\end{frame}
+
+\begin{frame}<beamer>
+ \frametitle{Ende}
+ \begin{center}
+ \Huge{Danke fürs zuhören und mitmachen!}\\
+ Gibt es noch Fragen?
+ \vspace{0.5cm}\\
+ \normalsize{Bücherratten}
+ \end{center}
+ \vspace{-0.5cm}
+ \begin{columns}
+ \only<beamer>{\begin{column}{0.2\textwidth}
+ \qrcode[hyperlink,height=1.5cm,nolink]{ratten@buecherratten.in-berlin.de}
+ \end{column}}
+ \begin{column}{0.8\textwidth}
+ ratten@buecherratten.in-berlin.de
+ \end{column}
+ \end{columns}
+ URL zu Folien und Handout:
+ \vspace{0.2cm}
+ \begin{columns}
+ \only<beamer>{\begin{column}{0.2\textwidth}
+ \qrcode[hyperlink,height=1.5cm]{http://git.tuxteam.de/gitweb/?p=susannes-git/Crypto-Policy-Vortrag.git;a=tree}
+ \end{column}}
+ \begin{column}{0.8\textwidth}
+ \url{http://git.tuxteam.de/gitweb/?p=susannes-git/Crypto-Policy-Vortrag.git;a=tree}
+ \end{column}
+ \end{columns}
+\end{frame}
+
+\section{Handout}
+\subsection{policies overview}
+\begin{frame}<beamer:0>
+ \frametitle{Welche Policies gibt es?}
+ \framesubtitle{LEGACY}
+ \vspace{-0.2cm}
+ \scriptsize{
+ \begin{block}{LEGACY}
+ \begin{itemize}
+ \item{maximale Kompatibilität mit älteren Systemen}
+ \item{weniger sicher}
+ \item{Support für TLS 1.0, TLS 1.1, und SSH2}
+ \item{erlaubt DSA und 3DES}
+ \item{RSA and Diffie-Hellman Parameter $>$ 1024 Bit}
+ \item{mindestens 64-bit Sicherheit}
+ \end{itemize}
+ \vspace{-0.2cm}
+ \begin{description}
+ \item[MACs:] all HMAC with SHA-1 or $>$ + all modern MACs (Poly1305 etc.)
+ \item[Curves:] all prime $>=$ 255 bits (including Bernstein curves)
+ \item[Signature algorithms:] with SHA1 hash or better (DSA allowed)
+ \item[TLS Ciphers:] all $>=$ 112-bit key, $>=$ 128-bit block (incl. 3DES, no RC4)
+ \item[Non-TLS Ciphers:] same as TLS ciphers with added Camellia
+ \item[Key exchange:] ECDHE, RSA, DHE
+ \item[DH params size:] $>=$ 1023
+ \item[RSA keys size:] $>=$ 1023
+ \item[DSA params size:] $>=$ 1023
+ \item[TLS protocols:] TLS $>=$ 1.0, DTLS $>=$ 1.0
+ \end{description}
+ \end{block}
+ }
+ \vspace{0.5cm}
+\end{frame}
+
+\begin{frame}<beamer:0>
+ \frametitle{Welche Policies gibt es?}
+ \framesubtitle{DEFAULT}
+ \scriptsize{
+ \begin{block}{DEFAULT}
+ \begin{itemize}
+ \item{ist heutiger Standard}
+ \item{erlaubt TLS 1.2, TLS 1.3, IKEv2 und SSH2}
+ \item{akzeptiert Diffie-Hellman Parameter $>$ 2048 Bits}
+ \item{mindestens 112-Bit Sicherheit}
+ \item{Ausnahmsweise sind SHA-1 Signaturen in DNSSec erlaubt}
+ \end{itemize}
+ \begin{description}
+ \item[MACs:] all HMAC with SHA-1 or better + all modern MACs (Poly1305 etc.)
+ \item[Curves:] all prime $>=$ 255 bits (including Bernstein curves)
+ \item[Signature algorithms:] with SHA-1 hash or better (no DSA)
+ \item[TLS Ciphers:] $>=$ 128-bit key, $>=$ 128-bit block (AES, ChaCha20, including AES-CBC)
+ \item[non-TLS Ciphers:] as TLS Ciphers with added Camellia
+ \item[key exchange:] ECDHE, RSA, DHE (no DHE-DSS)
+ \item[DH params size:] $>=$ 2048
+ \item[RSA keys size:] $>=$ 2048
+ \item[TLS protocols:] TLS $>=$ 1.2, DTLS $>=$ 1.2
+ \end{description}
+ \end{block}
+ }
+ \vspace{0.5cm}
+\end{frame}
+
+\begin{frame}<beamer:0>
+ \frametitle{Welche Policies gibt es?}
+ \framesubtitle{FUTURE}
+ \tiny{
+ \begin{block}{FUTURE}
+ \begin{itemize}
+ \item{Konservative Policy}
+ \item{Vermutung, das sie zukünftigen Angriffen widersteht, auf Kosten der Kompatibilität}
+ \item{es kann Kommunikation mit vielen Systemen verhindern, die schwächere Kryptographie verwenden}
+ \item{ es sind keine SHA-1 in Signaturen erlaubt}
+ \item{es wird eine (unvollständige) Post-Quanten Kryptographie unterstützt}
+ \item{Unterstützung von 256-Bit symmetrischer Verschlüsselung}
+ \item{RSA and Diffie-Hellman Parameter länger als 3071 Bits}
+ \item{mindestens 128-Bit Sicherheit}
+ \end{itemize}
+ \begin{description}
+ \item[MACs:] all HMAC with SHA-256 or $>$ + all modern MACs (Poly1305 etc.)
+ \item[Curves:] all prime $>=$ 255 bits (including Bernstein curves)
+ \item[Signature algorithms:] with SHA-256 hash or better (no DSA)
+ \item[TLS Ciphers:] $>=$ 256-bit key, $>=$ 128-bit block, only Authenticated Encryption (AE) ciphers, no CBC ciphers
+ \item[non-TLS Ciphers:] same as TLS ciphers with added non AE ciphers, CBC ones enabled only in Kerberos
+ \item[key exchange:] ECDHE, DHE (no DHE-DSS, no RSA)
+ \item[DH params size:] $>=$ 3072
+ \item[RSA keys size:] $>=$ 3072
+ \item[TLS protocols:] TLS $>=$ 1.2, DTLS $>=$ 1.2
+ \end{description}
+ \end{block}
+ }
+ \vspace{0.5cm}
+\end{frame}
+
+\begin{frame}<beamer:0>
+ \frametitle{Welche Policies gibt es?}
+ \framesubtitle{FIPS}
+ \scriptsize{
+\begin{block}{FIPS}
+ \begin{itemize}
+ \item{Kompatible zu den FIPS 140-2 Voraussetzungen}
+ \item{wird für fips-mode-setup verwendet}
+ \item{bietet mindestens 112-Bit Sicherheit}
+ \end{itemize}
+ \begin{description}
+ \item[MACs:] all HMAC with SHA1 or better
+ \item[Curves:] all prime $>=$ 256 bits
+ \item[Signature algorithms:] with SHA-256 hash or better (no DSA)
+ \item[TLS Ciphers:] $>=$ 128-bit key, $>=$ 128-bit block (AES, including AES-CBC)
+ \item[non-TLS Ciphers:] same as TLS Ciphers
+ \item[key exchange:] ECDHE, DHE (no DHE-DSS, no RSA)
+ \item[DH params size:] $>=$ 2048
+ \item[RSA params size:] $>=$ 2048
+ \item[TLS protocols:] TLS $>=$ 1.2, DTLS $>=$ 1.2
+ \end{description}
+\end{block}
+ }
+ \vspace{0.5cm}
+\end{frame}
+
+\begin{frame}<beamer:0>
+ \frametitle{Die BSI-Policy}
+ \tiny{
+ \begin{block}{BSI}
+ \begin{itemize}
+ \item{Author: Marcus Meissner von OpenSuse}
+ \item{Grundlage des BSI Standarts TR 02102 \url{https://www.bsi.bund.de/SharedDocs/Downloads/DE/BSI/Publikationen/TechnischeRichtlinien/TR02102/BSI-TR-02102.html}}
+ \item{Empfehlungen des BSI werden regelmäßig geupdated}
+ \item{unvollständige Unterstützung für Post-Quanten Kryptographie}
+ \item{128 Bit Sicherheit (ausser RSA)}
+ \item{erlaubt kein SHA1 (auser DNSSEC und RPM)}
+ \item{Beachtet Chacha20 and Camellia werden nicht vom BSI empfohlen}
+ \end{itemize}
+ \begin{description}
+ \item[MACs:] all HMAC with SHA-256 or better + all modern MACs
+ \item[Curves:] all prime $>=$ 255 bits (including Bernstein curves)
+ \item[Signature algorithms:] with SHA-256 hash or better (no DSA)
+ \item[TLS Ciphers:] $>=$ 256-bit key, $>=$ 128-bit block, only Authenticated
+ \item[Encryption] (AE) ciphers
+ \item[non-TLS Ciphers:] same as TLS ciphers with added non AE ciphers
+ \item[key exchange:] ECDHE, DHE (no DHE-DSS, no RSA)
+ \item[DH params size:] $>=$ 3072
+ \item[RSA keys size:] $>=$ 2048 (until end of 2023, then it will switch to 3072)
+ \item[TLS protocols:] TLS $>=$ 1.2, DTLS $>=$ 1.2
+ \end{description}
+ \end{block}
+ }
+\end{frame}
+
+\begin{frame}<beamer:0>
+ \frametitle{Welche Policies gibt es?}
+ \framesubtitle{NEXT und EMPTY}
+ \begin{block}{NEXT}
+ nur für Fedora, ähnlich wie RHEL-8 Default, daher Alias für Default
+ \end{block}
+\begin{block}{EMPTY}
+ Alle Kryptographischen Algorithmen sind deaktiviert, soll nur für Debugging genutzt werden
+\end{block}
+\end{frame}
+
+\begin{frame}<beamer:0>
+ \frametitle{Deaktivierte Cipher suites}
+ \begin{itemize}
+ \item{DH with parameters $<$ 1024 bits}
+ \item{RSA with key size $<$ 1024 bits}
+ \item{Camellia}
+ \item{RC4}
+ \item{ARIA}
+ \item{SEED}
+ \item{IDEA}
+ \item{TLS CBC mode ciphersuites using SHA-384 HMAC}
+ \item{AES-CCM8}
+ \item{all ECC curves incompatible with TLS 1.3, including secp256k1}
+ \item{IKEv1}
+ \end{itemize}
+ diese können jedoch aktiviert werden
+ \end{frame}
+
+\subsection{Konfigurations Dateien}
+\begin{frame}<beamer:0>
+ \frametitle{Konfigurations Dateien}
+ \scriptsize{
+ \begin{description}
+ \item[/etc/crypto-policies/back-ends] Back-End Config-Dateien, verlinkt zur Package Crypto-Policies, es sei den local.d -Konfiguration wurde hinzugefügt
+ \item[/etc/crypto-policies/config] Beinhaltet Namen der aktiven Cryto-Policies
+ \item[/etc/crypto-policies/local.d] weitere Konfiguration, entweder Package basierend, oder vom Admin erstellt. Die back-end.config wird angehängt, wie ausgeliefert, vom Packet.
+ \item[/usr/share/crypto-policies/policies] Policy Definitions Datei
+ \item[/usr/share/crypto-policies/policies/modules] Unter Definitions Dateien
+ \item[/etc/crypto-policies/policies] Änderungen der Policy-Definitionen des System Admins
+ \item[/etc/crypto-policies/policies/modules] Änderungen der Unter-Policy-Definitionen des System Admins
+ \item[/usr/share/crypto-policies/$<$POLICYNAME$>$] generierte Datei des back-ends für die Policy POLICYNAME
+ \end{description}
+ }
+ \vspace{0.5cm}
+\end{frame}
+
+
+\end{document}
--- /dev/null
+Script started on 2023-11-05 15:46:43+00:00 [TERM="xterm-256color" TTY="/dev/pts/0" COLUMNS="239" LINES="64"]
+\e[?2004h\e]0;sibille@Libelle: ~\a\e[01;32msibille@Libelle\e[00m:\e[01;34m~\e[00m$ ssh-key\agen -t rsa -b 1024 -f ~/.ssh/cr\aypt_1024rsa\r
+\e[?2004l\rGenerating public/private rsa key pair.\r
+Enter passphrase (empty for no passphrase): \r
+Enter same passphrase again: \r
+Your identification has been saved in /home/sibille/.ssh/crypt_1024rsa\r
+Your public key has been saved in /home/sibille/.ssh/crypt_1024rsa.pub\r
+The key fingerprint is:\r
+SHA256:bU1xGTs+738/JuKRpu85uU+bH0cjnAid5QEEJAtWXDI sibille@Libelle\r
+The key's randomart image is:\r
++---[RSA 1024]----+\r
+| ooEo+oooooo |\r
+| . ..= . +oo. |\r
+| . . o..o |\r
+| ..oo... |\r
+| S o..+o..|\r
+| . . .+.|\r
+| +.. .o|\r
+| o++.o++|\r
+| .+*=++.O|\r
++----[SHA256]-----+\r
+\e[?2004h\e]0;sibille@Libelle: ~\a\e[01;32msibille@Libelle\e[00m:\e[01;34m~\e[00m$ ssh-copy-id -i ~/.ss\ah/cr\aypt_1\a024rsa.pub root@crypt-arbeit8\r
+\e[?2004l\r/usr/bin/ssh-copy-id: INFO: Source of key(s) to be installed: "/home/sibille/.ssh/crypt_1024rsa.pub"\r
+/usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed\r
+/usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys\r
+\rroot@crypt-arbeit8's password: \r
+\r
+Number of key(s) added: 1\r
+\r
+Now try logging into the machine, with: "ssh 'root@crypt-arbeit8'"\r
+and check to make sure that only the key(s) you wanted were added.\r
+\r
+\e[?2004h\e]0;sibille@Libelle: ~\a\e[01;32msibille@Libelle\e[00m:\e[01;34m~\e[00m$ ssh-copy-id -i ~/.ssh/crypt_1024rsa.pub root@crypt-arbeit8\b\e[K9\r
+\e[?2004l\r/usr/bin/ssh-copy-id: INFO: Source of key(s) to be installed: "/home/sibille/.ssh/crypt_1024rsa.pub"\r
+/usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed\r
+/usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys\r
+\rroot@crypt-arbeit9's password: \r
+Permission denied, please try again.\r\r
+\rroot@crypt-arbeit9's password: \r
+\r
+Number of key(s) added: 1\r
+\r
+Now try logging into the machine, with: "ssh 'root@crypt-arbeit9'"\r
+and check to make sure that only the key(s) you wanted were added.\r
+\r
+\e[?2004h\e]0;sibille@Libelle: ~\a\e[01;32msibille@Libelle\e[00m:\e[01;34m~\e[00m$ ssh root@crypt-arbeit8\r
+\e[?2004l\r\rroot@crypt-arbeit8's password: \r
+Last login: Sun Nov 5 10:45:31 2023 from 192.168.2.14\r\r
+\e]0;root@crypt-arbeit8:~\a[root@crypt-arbeit8 ~]# cat /etc/os-release \r
+NAME="AlmaLinux"\r
+VERSION="8.8 (Sapphire Caracal)"\r
+ID="almalinux"\r
+ID_LIKE="rhel centos fedora"\r
+VERSION_ID="8.8"\r
+PLATFORM_ID="platform:el8"\r
+PRETTY_NAME="AlmaLinux 8.8 (Sapphire Caracal)"\r
+ANSI_COLOR="0;34"\r
+LOGO="fedora-logo-icon"\r
+CPE_NAME="cpe:/o:almalinux:almalinux:8::baseos"\r
+HOME_URL="https://almalinux.org/"\r
+DOCUMENTATION_URL="https://wiki.almalinux.org/"\r
+BUG_REPORT_URL="https://bugs.almalinux.org/"\r
+\r
+ALMALINUX_MANTISBT_PROJECT="AlmaLinux-8"\r
+ALMALINUX_MANTISBT_PROJECT_VERSION="8.8"\r
+REDHAT_SUPPORT_PRODUCT="AlmaLinux"\r
+REDHAT_SUPPORT_PRODUCT_VERSION="8.8"\r
+\e]0;root@crypt-arbeit8:~\a[root@crypt-arbeit8 ~]# syst\b\e[K\b\e[K\b\e[K\b\e[K\a\a\aupda\ate-crypto-policies --show\r
+FUTURE\r
+\e]0;root@crypt-arbeit8:~\a[root@crypt-arbeit8 ~]# update-crypto-policies --show\b\e[K\b\e[K\b\e[Ket DEFAULT\r
+Setting system policy to DEFAULT\r
+Note: System-wide crypto policies are applied on application start-up.\r
+It is recommended to restart the system for the change of policies\r
+to fully take place.\r
+\e]0;root@crypt-arbeit8:~\a[root@crypt-arbeit8 ~]# reboot\r
+Connection to crypt-arbeit8 closed by remote host.\r\r
+Connection to crypt-arbeit8 closed.\r\r
+\e[?2004h\e]0;sibille@Libelle: ~\a\e[01;32msibille@Libelle\e[00m:\e[01;34m~\e[00m$ ssh root@crypt-arbeit8\b\b\b\b\b\b\b\b\b\b\b\b\b\b\e[1Pcrypt-arbeit8\b\b\b\b\b\b\b\b\b\b\b\b\b\b\e[1Pcrypt-arbeit8\b\b\b\b\b\b\b\b\b\b\b\b\b\b\e[1Pcrypt-arbeit8\b\b\b\b\b\b\b\b\b\b\b\b\b\b\e[1Pcrypt-arbeit8\b\b\b\b\b\b\b\b\b\b\b\b\b\b\e[1Pcrypt-arbeit8\b\b\b\b\b\b\b\b\b\b\b\b\b\b\e[1Pcrypt-arbeit8\b\b\b\b\b\b\b\b\b\b\b\b\b\b\e[1Pcrypt-arbeit8\b\b\b\b\b\b\b\b\b\b\b\b\b\b\e[1Pcrypt-arbeit8\b\b\b\b\b\b\b\b\b\b\b\b\b\b\e[1Pcrypt-arbeit8\b\b\b\b\b\b\b\b\b\b\b\b\b\a\a\a\a\apcrypt-arbeit8\b\b\b\b\b\b\b\b\b\b\b\b\bicrypt-arbeit8\b\b\b\b\b\b\b\b\b\b\b\b\bncrypt-arbeit8\b\b\b\b\b\b\b\b\b\b\b\b\bgcrypt-arbeit8\b\b\b\b\b\b\b\b\b\b\b\b\b crypt-arbeit8\b\b\b\b\b\b\b\b\b\b\b\b\b\r
+\e[?2004l\rPING crypt-arbeit8.lan (192.168.2.38) 56(84) bytes of data.\r
+64 bytes from 192.168.2.38 (192.168.2.38): icmp_seq=8 ttl=64 time=2.49 ms\r
+^C\r
+--- crypt-arbeit8.lan ping statistics ---\r
+8 packets transmitted, 1 received, 87.5% packet loss, time 7149ms\r
+rtt min/avg/max/mdev = 2.490/2.490/2.490/0.000 ms\r
+\e[?2004h\e]0;sibille@Libelle: ~\a\e[01;32msibille@Libelle\e[00m:\e[01;34m~\e[00m$ ping crypt-arbeit8\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\bssh root@crypt-arbeit8\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b-root@crypt-arbeit8\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\biroot@crypt-arbeit8\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b root@crypt-arbeit8\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b~root@crypt-arbeit8\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b/root@crypt-arbeit8\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b.root@crypt-arbeit8\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\bsroot@crypt-arbeit8\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\bsroot@crypt-arbeit8\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\bh/root@crypt-arbeit8\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\bcroot@crypt-arbeit8\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\e[Croot@crypt-arbeit8\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\ayptroot@crypt-arbeit8\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b_root@crypt-arbeit8\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b1root@crypt-arbeit8\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\a024root@crypt-arbeit8\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\e[Croot@crypt-arbeit8\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\bsaroot@crypt-arbeit8\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b root@crypt-arbeit8\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\r
+\e[?2004l\rLast login: Sun Nov 5 10:48:31 2023 from 192.168.2.14\r\r
+\e]0;root@crypt-arbeit8:~\a[root@crypt-arbeit8 ~]# exit\r
+logout\r
+Connection to crypt-arbeit8 closed.\r\r
+\e[?2004h\e]0;sibille@Libelle: ~\a\e[01;32msibille@Libelle\e[00m:\e[01;34m~\e[00m$ ssh -i ~/.ssh/crypt_1024rsa root@crypt-arbeit8 -v\r
+\e[?2004l\rOpenSSH_8.4p1 Debian-5+deb11u2, OpenSSL 1.1.1w 11 Sep 2023\r\r
+debug1: Reading configuration data /home/sibille/.ssh/config\r\r
+debug1: Reading configuration data /etc/ssh/ssh_config\r\r
+debug1: /etc/ssh/ssh_config line 19: include /etc/ssh/ssh_config.d/*.conf matched no files\r\r
+debug1: /etc/ssh/ssh_config line 21: Applying options for *\r\r
+debug1: Connecting to crypt-arbeit8 [192.168.2.38] port 22.\r\r
+debug1: Connection established.\r\r
+debug1: identity file /home/sibille/.ssh/crypt_1024rsa type 0\r\r
+debug1: identity file /home/sibille/.ssh/crypt_1024rsa-cert type -1\r\r
+debug1: Local version string SSH-2.0-OpenSSH_8.4p1 Debian-5+deb11u2\r\r
+debug1: Remote protocol version 2.0, remote software version OpenSSH_8.0\r\r
+debug1: match: OpenSSH_8.0 pat OpenSSH* compat 0x04000000\r\r
+debug1: Authenticating to crypt-arbeit8:22 as 'root'\r\r
+debug1: SSH2_MSG_KEXINIT sent\r\r
+debug1: SSH2_MSG_KEXINIT received\r\r
+debug1: kex: algorithm: curve25519-sha256\r\r
+debug1: kex: host key algorithm: ecdsa-sha2-nistp256\r\r
+debug1: kex: server->client cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none\r\r
+debug1: kex: client->server cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none\r\r
+debug1: expecting SSH2_MSG_KEX_ECDH_REPLY\r\r
+debug1: Server host key: ecdsa-sha2-nistp256 SHA256:WTB/KjAiMUe/RHDAvtFkujZ2O3+4UXjHTB0vb4bZAWg\r\r
+debug1: Host 'crypt-arbeit8' is known and matches the ECDSA host key.\r\r
+debug1: Found key in /home/sibille/.ssh/known_hosts:57\r\r
+debug1: rekey out after 134217728 blocks\r\r
+debug1: SSH2_MSG_NEWKEYS sent\r\r
+debug1: expecting SSH2_MSG_NEWKEYS\r\r
+debug1: SSH2_MSG_NEWKEYS received\r\r
+debug1: rekey in after 134217728 blocks\r\r
+debug1: Will attempt key: /home/sibille/.ssh/crypt_1024rsa RSA SHA256:bU1xGTs+738/JuKRpu85uU+bH0cjnAid5QEEJAtWXDI explicit\r\r
+debug1: SSH2_MSG_EXT_INFO received\r\r
+debug1: kex_input_ext_info: server-sig-algs=<ssh-ed25519,ssh-rsa,rsa-sha2-256,rsa-sha2-512,ssh-dss,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521>\r\r
+debug1: SSH2_MSG_SERVICE_ACCEPT received\r\r
+debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password\r\r
+debug1: Next authentication method: gssapi-with-mic\r\r
+debug1: Unspecified GSS failure. Minor code may provide more information\r
+No Kerberos credentials available (default cache: FILE:/tmp/krb5cc_1000)\r
+\r
+\r\r
+debug1: Unspecified GSS failure. Minor code may provide more information\r
+No Kerberos credentials available (default cache: FILE:/tmp/krb5cc_1000)\r
+\r
+\r\r
+debug1: Next authentication method: publickey\r\r
+debug1: Offering public key: /home/sibille/.ssh/crypt_1024rsa RSA SHA256:bU1xGTs+738/JuKRpu85uU+bH0cjnAid5QEEJAtWXDI explicit\r\r
+debug1: Server accepts key: /home/sibille/.ssh/crypt_1024rsa RSA SHA256:bU1xGTs+738/JuKRpu85uU+bH0cjnAid5QEEJAtWXDI explicit\r\r
+debug1: Authentication succeeded (publickey).\r\r
+Authenticated to crypt-arbeit8 ([192.168.2.38]:22).\r\r
+debug1: channel 0: new [client-session]\r\r
+debug1: Requesting no-more-sessions@openssh.com\r\r
+debug1: Entering interactive session.\r\r
+debug1: pledge: network\r\r
+debug1: client_input_global_request: rtype hostkeys-00@openssh.com want_reply 0\r
+debug1: Remote: /root/.ssh/authorized_keys:3: key options: agent-forwarding port-forwarding pty user-rc x11-forwarding\r
+debug1: Remote: /root/.ssh/authorized_keys:3: key options: agent-forwarding port-forwarding pty user-rc x11-forwarding\r
+debug1: Sending environment.\r
+debug1: Sending env LANG = de_DE.UTF-8\r
+Last login: Sun Nov 5 10:49:47 2023 from 192.168.2.14\r\r
+\e]0;root@crypt-arbeit8:~\a[root@crypt-arbeit8 ~]# exit\b\b\b\breboot\b\b\b\b\b\bupdate-crypto-policies --set DEFAULT\b\b\b\b\b\b\b\b\b\bhow\e[K\r
+DEFAULT\r
+\e]0;root@crypt-arbeit8:~\a[root@crypt-arbeit8 ~]# man cry\apto-policies\r
+man: can't set the locale; make sure $LC_* and $LANG are correct\r
+\e[?1049h\e[22;0;0t\e[?1h\e=\rCRYPTO-POLICIES(7) CRYPTO-POLICIES(7)\e[m\r
+\e[m\r
+\e[1mNAME\e[0m\e[m\r
+ crypto-policies - system-wide crypto policies overview\e[m\r
+\e[m\r
+\e[1mDESCRIPTION\e[0m\e[m\r
+ The security of cryptographic components of the operating system does not remain constant over time. Algorithms, such as cryptographic hashing and encryption, typically have a lifetime, after which they are considered either\e[m\r
+ too risky to use or plain insecure. That means, we need to phase out such algorithms from the default settings or completely disable them if they could cause an irreparable problem.\e[m\r
+\e[m\r
+ While in the past the algorithms were not disabled in a consistent way and different applications applied different policies, the system-wide crypto-policies followed by the crypto core components allow consistently\e[m\r
+ deprecating and disabling algorithms system-wide.\e[m\r
+\e[m\r
+ Several preconfigured policies (\e[1mDEFAULT\e[22m, \e[1mLEGACY\e[22m, \e[1mFUTURE\e[22m, and \e[1mFIPS\e[22m) and subpolicies are included in the \e[1mcrypto-policies(7) \e[22mpackage. System administrators or third-party vendors can define custom policies.\e[m\r
+\e[m\r
+ For rationale, see \e[1mRFC 7457 \e[22mfor a list of attacks taking advantage of legacy crypto algorithms.\e[m\r
+\e[m\r
+\e[1mCOVERED APPLICATIONS\e[0m\e[m\r
+ Crypto-policies apply to the configuration of the core cryptographic subsystems, covering \e[1mTLS\e[22m, \e[1mIKE\e[22m, \e[1mIPSec\e[22m, \e[1mDNSSec\e[22m, and \e[1mKerberos \e[22mprotocols; i.e., the supported secure communications protocols on the base operating system.\e[m\r
+\e[m\r
+ Once an application runs in the operating system, it follows the default or selected policy and refuses to fall back to algorithms and protocols not within the policy, unless the user has explicitly requested the application\e[m\r
+ to do so. That is, the policy applies to the default behavior of applications when running with the system-provided configuration but the user can override it on an application-specific basis.\e[m\r
+\e[m\r
+ The policies currently provide settings for these applications and libraries:\e[m\r
+\e[m\r
+ o \e[1mBIND \e[22mDNS name server daemon (scopes: \e[1mBIND\e[22m, \e[1mDNSSec\e[22m)\e[m\r
+\e[m\r
+ o \e[1mGnuTLS \e[22mTLS library (scopes: \e[1mGnuTLS\e[22m, \e[1mSSL\e[22m, \e[1mTLS\e[22m)\e[m\r
+\e[m\r
+ o \e[1mOpenJDK \e[22mruntime environment (scopes: \e[1mjava-tls\e[22m, \e[1mSSL\e[22m, \e[1mTLS\e[22m)\e[m\r
+\e[m\r
+ o \e[1mKerberos 5 \e[22mlibrary (scopes: \e[1mkrb5\e[22m, \e[1mKerberos\e[22m)\e[m\r
+\e[m\r
+ o \e[1mLibreswan \e[22mIPsec and IKE protocol implementation (scopes: \e[1mlibreswan\e[22m, \e[1mIPSec\e[22m, \e[1mIKE\e[22m)\e[m\r
+\e[m\r
+ o \e[1mNSS \e[22mTLS library (scopes: \e[1mNSS\e[22m, \e[1mSSL\e[22m, \e[1mTLS\e[22m)\e[m\r
+\e[m\r
+ o \e[1mOpenSSH \e[22mSSH2 protocol implementation (scopes: \e[1mOpenSSH\e[22m, \e[1mSSH\e[22m)\e[m\r
+\e[m\r
+ o \e[1mOpenSSL \e[22mTLS library (scopes: \e[1mOpenSSL\e[22m, \e[1mSSL\e[22m, \e[1mTLS\e[22m)\e[m\r
+\e[m\r
+ o \e[1mlibssh \e[22mSSH2 protocol implementation (scopes: \e[1mlibssh\e[22m, \e[1mSSH\e[22m)\e[m\r
+\e[m\r
+ Applications using the above libraries and tools are covered by the cryptographic policies unless they are explicitly configured otherwise.\e[m\r
+\e[m\r
+\e[1mPROVIDED POLICIES\e[0m\e[m\r
+ \e[1mLEGACY\e[0m\e[m\r
+ This policy ensures maximum compatibility with legacy systems; it is less secure and it includes support for \e[1mTLS 1.0\e[22m, \e[1mTLS 1.1\e[22m, and \e[1mSSH2 \e[22mprotocols or later. The algorithms \e[1mDSA\e[22m, \e[1m3DES\e[22m, and \e[1mRC4 \e[22mare allowed, while \e[1mRSA \e[22mand\e[m\r
+ \e[1mDiffie-Hellman \e[22mparameters are accepted if larger than 1023 bits. This policy provides at least 64-bit security.\e[m\r
+\e[m\r
+ o MACs: all \e[1mHMAC \e[22mwith \e[1mSHA-1 \e[22mor better + all modern MACs (\e[1mPoly1305 \e[22metc.)\e[m\r
+\e[m\r
+ o Curves: all prime >= 255 bits (including Bernstein curves)\e[m\r
+\e[m\r
+ o Signature algorithms: with \e[1mSHA1 \e[22mhash or better (\e[1mDSA \e[22mallowed)\e[m\r
+\e[m\r
+ o \e[1mTLS \e[22mCiphers: all available >= 112-bit key, >= 128-bit block (including \e[1mRC4 \e[22mand \e[1m3DES\e[22m)\e[m\r
+\e[m\r
+ o Non-TLS Ciphers: same as \e[1mTLS \e[22mciphers with added \e[1mCamellia\e[0m\e[m\r
+\e[m\r
+ o Key exchange: \e[1mECDHE\e[22m, \e[1mRSA\e[22m, \e[1mDHE\e[0m\e[m\r
+\e[m\r
+ o \e[1mDH \e[22mparams size: >= 1023\e[m\r
+\e[m\r
+\e[7m Manual page crypto-policies(7) line 1 (press h for help or q to quit)\e[27m\e[K\r\e[K \e[KESC\b\b\bESC\e[KO\bO\e[KB\bB\r\e[K o \e[1mRSA \e[22mkeys size: >= 1023\e[m\r
+\e[7m Manual page crypto-policies(7) line 2 (press h for help or q to quit)\e[27m\e[K\r\e[K \e[KESC\b\b\bESC\e[KO\bO\e[KB\bB\r\e[K\e[m\r
+\e[7m Manual page crypto-policies(7) line 3 (press h for help or q to quit)\e[27m\e[K\r\e[K \e[KESC\b\b\bESC\e[KO\bO\e[KB\bB\r\e[K o \e[1mDSA \e[22mparams size: >= 1023\e[m\r
+\e[7m Manual page crypto-policies(7) line 4 (press h for help or q to quit)\e[27m\e[K\r\e[K \e[KESC\b\b\bESC\e[KO\bO\e[KB\bB\r\e[K\e[m\r
+\e[7m Manual page crypto-policies(7) line 5 (press h for help or q to quit)\e[27m\e[K\r\e[K \e[KESC\b\b\bESC\e[KO\bO\e[KB\bB\r\e[K o \e[1mTLS \e[22mprotocols: \e[1mTLS \e[22m>= 1.0, \e[1mDTLS \e[22m>= 1.0\e[m\r
+\e[7m Manual page crypto-policies(7) line 6 (press h for help or q to quit)\e[27m\e[K\r\e[K \e[KESC\b\b\bESC\e[KO\bO\e[KB\bB\r\e[K\e[m\r
+\e[7m Manual page crypto-policies(7) line 7 (press h for help or q to quit)\e[27m\e[K\r\e[K \e[KESC\b\b\bESC\e[KO\bO\e[KB\bB\r\e[K \e[1mDEFAULT\e[0m\e[m\r
+\e[7m Manual page crypto-policies(7) line 8 (press h for help or q to quit)\e[27m\e[K\r\e[K \e[KESC\b\b\bESC\e[KO\bO\e[KB\bB\r\e[K The \e[1mDEFAULT \e[22mpolicy is a reasonable default policy for today's standards. It allows the \e[1mTLS 1.2 \e[22mand \e[1mTLS 1.3 \e[22mprotocols, as well as \e[1mIKEv2 \e[22mand \e[1mSSH2\e[22m. The \e[1mRSA \e[22mand \e[1mDiffie-Hellman \e[22mparameters are accepted if larger than 2047 bits.\e[m\r
+\e[7m Manual page crypto-policies(7) line 9 (press h for help or q to quit)\e[27m\e[K\r\e[K \e[KESC\b\b\bESC\e[KO\bO\e[KB\bB\r\e[K The level provides at least 112-bit security with the exception of \e[1mSHA-1 \e[22msignatures needed for \e[1mDNSSec \e[22mand other still prevalent legacy use of \e[1mSHA-1 \e[22msignatures.\e[m\r
+\e[7m Manual page crypto-policies(7) line 10 (press h for help or q to quit)\e[27m\e[K\r\e[K \e[KESC\b\b\bESC\e[KO\bO\e[KB\bB\r\e[K\e[m\r
+\e[7m Manual page crypto-policies(7) line 11 (press h for help or q to quit)\e[27m\e[K\r\e[K \e[KESC\b\b\bESC\e[KO\bO\e[KB\bB\r\e[K o MACs: all \e[1mHMAC \e[22mwith \e[1mSHA-1 \e[22mor better + all modern MACs (\e[1mPoly1305 \e[22metc.)\e[m\r
+\e[7m Manual page crypto-policies(7) line 12 (press h for help or q to quit)\e[27m\e[K\r\e[K \e[KESC\b\b\bESC\e[KO\bO\e[KB\bB\r\e[K\e[m\r
+\e[7m Manual page crypto-policies(7) line 13 (press h for help or q to quit)\e[27m\e[K\r\e[K \e[KESC\b\b\bESC\e[KO\bO\e[KB\bB\r\e[K o Curves: all prime >= 255 bits (including Bernstein curves)\e[m\r
+\e[7m Manual page crypto-policies(7) line 14 (press h for help or q to quit)\e[27m\e[K\r\e[K \e[KESC\b\b\bESC\e[KO\bO\e[KB\bB\r\e[K\e[m\r
+\e[7m Manual page crypto-policies(7) line 15 (press h for help or q to quit)\e[27m\e[K\r\e[K \e[KESC\b\b\bESC\e[KO\bO\e[KB\bB\r\e[K o Signature algorithms: with \e[1mSHA-1 \e[22mhash or better (no \e[1mDSA\e[22m)\e[m\r
+\e[7m Manual page crypto-policies(7) line 16 (press h for help or q to quit)\e[27m\e[K\r\e[K \e[KESC\b\b\bESC\e[KO\bO\e[KB\bB\r\e[K\e[m\r
+\e[7m Manual page crypto-policies(7) line 17 (press h for help or q to quit)\e[27m\e[K\r\e[K \e[KESC\b\b\bESC\e[KO\bO\e[KB\bB\r\e[K o \e[1mTLS \e[22mCiphers: >= 128-bit key, >= 128-bit block (\e[1mAES\e[22m, \e[1mChaCha20\e[22m, including \e[1mAES-CBC\e[22m)\e[m\r
+\e[7m Manual page crypto-policies(7) line 18 (press h for help or q to quit)\e[27m\e[K\r\e[K \e[KESC\b\b\bESC\e[KO\bO\e[KB\bB\r\e[K\e[m\r
+\e[7m Manual page crypto-policies(7) line 19 (press h for help or q to quit)\e[27m\e[K\r\e[K \e[KESC\b\b\bESC\e[KO\bO\e[KB\bB\r\e[K o non-TLS Ciphers: as \e[1mTLS \e[22mCiphers with added \e[1mCamellia\e[0m\e[m\r
+\e[7m Manual page crypto-policies(7) line 20 (press h for help or q to quit)\e[27m\e[K\r\e[K \e[KESC\b\b\bESC\e[KO\bO\e[KB\bB\r\e[K\e[m\r
+\e[7m Manual page crypto-policies(7) line 21 (press h for help or q to quit)\e[27m\e[K\r\e[K \e[KESC\b\b\bESC\e[KO\bO\e[KB\bB\r\e[K o key exchange: \e[1mECDHE\e[22m, \e[1mRSA\e[22m, \e[1mDHE \e[22m(no \e[1mDHE-DSS\e[22m)\e[m\r
+\e[7m Manual page crypto-policies(7) line 22 (press h for help or q to quit)\e[27m\e[K\r\e[K \e[KESC\b\b\bESC\e[KO\bO\e[KB\bB\r\e[K\e[m\r
+\e[7m Manual page crypto-policies(7) line 23 (press h for help or q to quit)\e[27m\e[K\r\e[K \e[KESC\b\b\bESC\e[KO\bO\e[KB\bB\r\e[K o \e[1mDH \e[22mparams size: >= 2048\e[m\r
+\e[7m Manual page crypto-policies(7) line 24 (press h for help or q to quit)\e[27m\e[K\r\e[K \e[KESC\b\b\bESC\e[KO\bO\e[KB\bB\r\e[K\e[m\r
+\e[7m Manual page crypto-policies(7) line 25 (press h for help or q to quit)\e[27m\e[K\r\e[K \e[KESC\b\b\bESC\e[KO\bO\e[KB\bB\r\e[K o \e[1mRSA \e[22mkeys size: >= 2048\e[m\r
+\e[7m Manual page crypto-policies(7) line 26 (press h for help or q to quit)\e[27m\e[K\r\e[K \e[KESC\b\b\bESC\e[KO\bO\e[KB\bB\r\e[K\e[m\r
+\e[7m Manual page crypto-policies(7) line 27 (press h for help or q to quit)\e[27m\e[K\r\e[K \e[KESC\b\b\bESC\e[KO\bO\e[KB\bB\r\e[K o \e[1mTLS \e[22mprotocols: \e[1mTLS \e[22m>= 1.2, \e[1mDTLS \e[22m>= 1.2\e[m\r
+\e[7m Manual page crypto-policies(7) line 28 (press h for help or q to quit)\e[27m\e[K\r\e[K \e[KESC\b\b\bESC\e[KO\bO\e[KB\bB\r\e[K\e[m\r
+\e[7m Manual page crypto-policies(7) line 29 (press h for help or q to quit)\e[27m\e[K\r\e[K \e[KESC\b\b\bESC\e[KO\bO\e[KB\bB\r\e[K \e[1mFUTURE\e[0m\e[m\r
+\e[7m Manual page crypto-policies(7) line 30 (press h for help or q to quit)\e[27m\e[K\r\e[K \e[KESC\b\b\bESC\e[KO\bO\e[KB\bB\r\e[K A conservative security policy that is believed to withstand any near-term future attacks. This policy does not allow the use of \e[1mSHA-1 \e[22min signature algorithms. The policy also provides some (not complete) preparation for\e[m\r
+\e[7m Manual page crypto-policies(7) line 31 (press h for help or q to quit)\e[27m\e[K\r\e[K \e[KESC\b\b\bESC\e[KO\bO\e[KB\bB\r\e[K post-quantum encryption support in form of 256-bit symmetric encryption requirement. The \e[1mRSA \e[22mand \e[1mDiffie-Hellman \e[22mparameters are accepted if larger than 3071 bits. This policy provides at least 128-bit security.\e[m\r
+\e[7m Manual page crypto-policies(7) line 32 (press h for help or q to quit)\e[27m\e[K\r\e[K \e[KESC\b\b\bESC\e[KO\bO\e[KB\bB\r\e[K\e[m\r
+\e[7m Manual page crypto-policies(7) line 33 (press h for help or q to quit)\e[27m\e[K\r\e[K \e[KESC\b\b\bESC\e[KO\bO\e[KB\bB\r\e[K o MACs: all \e[1mHMAC \e[22mwith \e[1mSHA-256 \e[22mor better + all modern MACs (\e[1mPoly1305 \e[22metc.)\e[m\r
+\e[7m Manual page crypto-policies(7) line 34 (press h for help or q to quit)\e[27m\e[K\r\e[K \e[KESC\b\b\bESC\e[KO\bO\e[KB\bB\r\e[K\e[m\r
+\e[7m Manual page crypto-policies(7) line 35 (press h for help or q to quit)\e[27m\e[K\r\e[K \e[KESC\b\b\bESC\e[KO\bO\e[KB\bB\r\e[K o Curves: all prime >= 255 bits (including Bernstein curves)\e[m\r
+\e[7m Manual page crypto-policies(7) line 36 (press h for help or q to quit)\e[27m\e[K\r\e[K \e[KESC\b\b\bESC\e[KO\bO\e[KB\bB\r\e[K\e[m\r
+\e[7m Manual page crypto-policies(7) line 37 (press h for help or q to quit)\e[27m\e[K\r\e[K \e[KESC\b\b\bESC\e[KO\bO\e[KB\bB\r\e[K o Signature algorithms: with \e[1mSHA-256 \e[22mhash or better (no \e[1mDSA\e[22m)\e[m\r
+\e[7m Manual page crypto-policies(7) line 38 (press h for help or q to quit)\e[27m\e[K\r\e[K \e[KESC\b\b\bESC\e[KO\bO\e[KB\bB\r\e[K\e[m\r
+\e[7m Manual page crypto-policies(7) line 39 (press h for help or q to quit)\e[27m\e[K\r\e[K \e[KESC\b\b\bESC\e[KO\bO\e[KB\bB\r\e[K o \e[1mTLS \e[22mCiphers: >= 256-bit key, >= 128-bit block, only Authenticated Encryption (AE) ciphers, no \e[1mCBC \e[22mciphers\e[m\r
+\e[7m Manual page crypto-policies(7) line 40 (press h for help or q to quit)\e[27m\e[K\r\e[K \e[KESC\b\b\bESC\e[KO\bO\e[KB\bB\r\e[K\e[m\r
+\e[7m Manual page crypto-policies(7) line 41 (press h for help or q to quit)\e[27m\e[K\r\e[K \e[KESC\b\b\bESC\e[KO\bO\e[KB\bB\r\e[K o non-TLS Ciphers: same as \e[1mTLS \e[22mciphers with added non AE ciphers, \e[1mCBC \e[22mones enabled only in Kerberos\e[m\r
+\e[7m Manual page crypto-policies(7) line 42 (press h for help or q to quit)\e[27m\e[K\r\e[K \e[KESC\b\b\bESC\e[KO\bO\e[KB\bB\r\e[K\e[m\r
+\e[7m Manual page crypto-policies(7) line 43 (press h for help or q to quit)\e[27m\e[K\r\e[K \e[KESC\b\b\bESC\e[KO\bO\e[KB\bB\r\e[K o key exchange: \e[1mECDHE\e[22m, \e[1mDHE \e[22m(no \e[1mDHE-DSS\e[22m, no \e[1mRSA\e[22m)\e[m\r
+\e[7m Manual page crypto-policies(7) line 44 (press h for help or q to quit)\e[27m\e[K\r\e[K \e[KESC\b\b\bESC\e[KO\bO\e[KB\bB\r\e[K\e[m\r
+\e[7m Manual page crypto-policies(7) line 45 (press h for help or q to quit)\e[27m\e[K\r\e[K \e[KESC\b\b\bESC\e[KO\bO\e[KB\bB\r\e[K o \e[1mDH \e[22mparams size: >= 3072\e[m\r
+\e[7m Manual page crypto-policies(7) line 46 (press h for help or q to quit)\e[27m\e[K\r\e[K \e[KESC\b\b\bESC\e[KO\bO\e[KB\bB\r\e[K\e[m\r
+\e[7m Manual page crypto-policies(7) line 47 (press h for help or q to quit)\e[27m\e[K\r\e[K \e[KESC\b\b\bESC\e[KO\bO\e[KB\bB\r\e[K o \e[1mRSA \e[22mkeys size: >= 3072\e[m\r
+\e[7m Manual page crypto-policies(7) line 48 (press h for help or q to quit)\e[27m\e[K\r\e[K \e[KESC\b\b\bESC\e[KO\bO\e[KB\bB\r\e[K\e[m\r
+\e[7m Manual page crypto-policies(7) line 49 (press h for help or q to quit)\e[27m\e[K\r\e[K \e[KESC\b\b\bESC\e[KO\bO\e[KB\bB\r\e[K o \e[1mTLS \e[22mprotocols: \e[1mTLS \e[22m>= 1.2, \e[1mDTLS \e[22m>= 1.2\e[m\r
+\e[7m Manual page crypto-policies(7) line 50 (press h for help or q to quit)\e[27m\e[K\r\e[K \e[KESC\b\b\bESC\e[KO\bO\e[KB\bB\r\e[K\e[m\r
+\e[7m Manual page crypto-policies(7) line 51 (press h for help or q to quit)\e[27m\e[K\r\e[K \e[KESC\b\b\bESC\e[KO\bO\e[KB\bB\r\e[K \e[1mFIPS\e[0m\e[m\r
+\e[7m Manual page crypto-policies(7) line 52 (press h for help or q to quit)\e[27m\e[K\r\e[K \e[KESC\b\b\bESC\e[KO\bO\e[KB\bB\r\e[K A policy to aid conformance to the \e[1mFIPS 140-2 \e[22mrequirements. This policy is used internally by the \e[1mfips-mode-setup(8) \e[22mtool which can switch the system into the \e[1mFIPS 140-2 \e[22mmode. This policy provides at least 112-bit\e[m\r
+\e[7m Manual page crypto-policies(7) line 53 (press h for help or q to quit)\e[27m\e[K\r\e[K \e[KESC\b\b\bESC\e[KO\bO\e[KB\bB\r\e[K security.\e[m\r
+\e[7m Manual page crypto-policies(7) line 54 (press h for help or q to quit)\e[27m\e[K\r\e[K \e[KESC\b\b\bESC\e[KO\bO\e[KB\bB\r\e[K\e[m\r
+\e[7m Manual page crypto-policies(7) line 55 (press h for help or q to quit)\e[27m\e[K\r\e[K \e[KESC\b\b\bESC\e[KO\bO\e[KB\bB\r\e[K o MACs: all \e[1mHMAC \e[22mwith \e[1mSHA1 \e[22mor better\e[m\r
+\e[7m Manual page crypto-policies(7) line 56 (press h for help or q to quit)\e[27m\e[K\r\e[K \e[KESC\b\b\bESC\e[KO\bO\e[KB\bB\r\e[K\e[m\r
+\e[7m Manual page crypto-policies(7) line 57 (press h for help or q to quit)\e[27m\e[K\r\e[K \e[KESC\b\b\bESC\e[KO\bO\e[KB\bB\r\e[K o Curves: all prime >= 256 bits\e[m\r
+\e[7m Manual page crypto-policies(7) line 58 (press h for help or q to quit)\e[27m\e[K\r\e[K \e[KESC\b\b\bESC\e[KO\bO\e[KB\bB\r\e[K\e[m\r
+\e[7m Manual page crypto-policies(7) line 59 (press h for help or q to quit)\e[27m\e[K\r\e[K \e[KESC\b\b\bESC\e[KO\bO\e[KB\bB\r\e[K o Signature algorithms: with \e[1mSHA-256 \e[22mhash or better (no \e[1mDSA\e[22m)\e[m\r
+\e[7m Manual page crypto-policies(7) line 60 (press h for help or q to quit)\e[27m\e[K\r\e[K \e[KESC\b\b\bESC\e[KO\bO\e[KB\bB\r\e[K\e[m\r
+\e[7m Manual page crypto-policies(7) line 61 (press h for help or q to quit)\e[27m\e[K\r\e[K\e[?1l\e>\e[?1049l\e[23;0;0t\e]0;root@crypt-arbeit8:~\a[root@crypt-arbeit8 ~]# e\b\e[Kman crypto-policies\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\bupdate-crypto-policies --show\b\e[K\b\e[K\b\e[Ket FURTURE\r
+Unknown policy `FURTURE`: file `FURTURE.pol` not found in (., policies, /etc/crypto-policies/policies, /usr/share/crypto-policies/policies)\r
+\e]0;root@crypt-arbeit8:~\a[root@crypt-arbeit8 ~]# update-crypto-policies --set FURTURE\b\e[K\b\e[K\b\e[K\b\e[K\b\e[KTURE\r
+Setting system policy to FUTURE\r
+Note: System-wide crypto policies are applied on application start-up.\r
+It is recommended to restart the system for the change of policies\r
+to fully take place.\r
+\e]0;root@crypt-arbeit8:~\a[root@crypt-arbeit8 ~]# reboot\r
+debug1: channel 0: free: client-session, nchannels 1\r
+Connection to crypt-arbeit8 closed by remote host.\r\r
+Connection to crypt-arbeit8 closed.\r\r
+Transferred: sent 5788, received 21772 bytes, in 56.9 seconds\r\r
+Bytes per second: sent 101.6, received 382.4\r\r
+debug1: Exit status -1\r\r
+\e[?2004h\e]0;sibille@Libelle: ~\a\e[01;32msibille@Libelle\e[00m:\e[01;34m~\e[00m$ ssh -i ~/.ssh/crypt_1024rsa root@crypt-arbeit8 -v\b\b\b\e[K\r\e[C\e[C\e[C\e[C\e[C\e[C\e[C\e[C\e[C\e[C\e[C\e[C\e[C\e[C\e[C\e[C\e[C\e[C\e[C\e[28Pping crypt-arbeit8\r
+\e[?2004l\rPING crypt-arbeit8.lan (192.168.2.38) 56(84) bytes of data.\r
+64 bytes from 192.168.2.38 (192.168.2.38): icmp_seq=9 ttl=64 time=2.38 ms\r
+64 bytes from 192.168.2.38 (192.168.2.38): icmp_seq=10 ttl=64 time=1.60 ms\r
+^C\r
+--- crypt-arbeit8.lan ping statistics ---\r
+10 packets transmitted, 2 received, 80% packet loss, time 9172ms\r
+rtt min/avg/max/mdev = 1.598/1.991/2.384/0.393 ms\r
+\e[?2004h\e]0;sibille@Libelle: ~\a\e[01;32msibille@Libelle\e[00m:\e[01;34m~\e[00m$ ping crypt-arbeit8\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\bssh -i ~/.ssh/crypt_1024rsa root@crypt-arbeit8 -v\r
+\e[?2004l\rOpenSSH_8.4p1 Debian-5+deb11u2, OpenSSL 1.1.1w 11 Sep 2023\r\r
+debug1: Reading configuration data /home/sibille/.ssh/config\r\r
+debug1: Reading configuration data /etc/ssh/ssh_config\r\r
+debug1: /etc/ssh/ssh_config line 19: include /etc/ssh/ssh_config.d/*.conf matched no files\r\r
+debug1: /etc/ssh/ssh_config line 21: Applying options for *\r\r
+debug1: Connecting to crypt-arbeit8 [192.168.2.38] port 22.\r\r
+debug1: Connection established.\r\r
+debug1: identity file /home/sibille/.ssh/crypt_1024rsa type 0\r\r
+debug1: identity file /home/sibille/.ssh/crypt_1024rsa-cert type -1\r\r
+debug1: Local version string SSH-2.0-OpenSSH_8.4p1 Debian-5+deb11u2\r\r
+debug1: Remote protocol version 2.0, remote software version OpenSSH_8.0\r\r
+debug1: match: OpenSSH_8.0 pat OpenSSH* compat 0x04000000\r\r
+debug1: Authenticating to crypt-arbeit8:22 as 'root'\r\r
+debug1: SSH2_MSG_KEXINIT sent\r\r
+debug1: SSH2_MSG_KEXINIT received\r\r
+debug1: kex: algorithm: curve25519-sha256\r\r
+debug1: kex: host key algorithm: ecdsa-sha2-nistp256\r\r
+debug1: kex: server->client cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none\r\r
+debug1: kex: client->server cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none\r\r
+debug1: expecting SSH2_MSG_KEX_ECDH_REPLY\r\r
+debug1: Server host key: ecdsa-sha2-nistp256 SHA256:WTB/KjAiMUe/RHDAvtFkujZ2O3+4UXjHTB0vb4bZAWg\r\r
+debug1: Host 'crypt-arbeit8' is known and matches the ECDSA host key.\r\r
+debug1: Found key in /home/sibille/.ssh/known_hosts:57\r\r
+debug1: rekey out after 134217728 blocks\r\r
+debug1: SSH2_MSG_NEWKEYS sent\r\r
+debug1: expecting SSH2_MSG_NEWKEYS\r\r
+debug1: SSH2_MSG_NEWKEYS received\r\r
+debug1: rekey in after 134217728 blocks\r\r
+debug1: Will attempt key: /home/sibille/.ssh/crypt_1024rsa RSA SHA256:bU1xGTs+738/JuKRpu85uU+bH0cjnAid5QEEJAtWXDI explicit\r\r
+debug1: SSH2_MSG_EXT_INFO received\r\r
+debug1: kex_input_ext_info: server-sig-algs=<ssh-ed25519,ssh-rsa,rsa-sha2-256,rsa-sha2-512,ssh-dss,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521>\r\r
+debug1: SSH2_MSG_SERVICE_ACCEPT received\r\r
+debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password\r\r
+debug1: Next authentication method: gssapi-with-mic\r\r
+debug1: Unspecified GSS failure. Minor code may provide more information\r
+No Kerberos credentials available (default cache: FILE:/tmp/krb5cc_1000)\r
+\r
+\r\r
+debug1: Unspecified GSS failure. Minor code may provide more information\r
+No Kerberos credentials available (default cache: FILE:/tmp/krb5cc_1000)\r
+\r
+\r\r
+debug1: Next authentication method: publickey\r\r
+debug1: Offering public key: /home/sibille/.ssh/crypt_1024rsa RSA SHA256:bU1xGTs+738/JuKRpu85uU+bH0cjnAid5QEEJAtWXDI explicit\r\r
+debug1: Server accepts key: /home/sibille/.ssh/crypt_1024rsa RSA SHA256:bU1xGTs+738/JuKRpu85uU+bH0cjnAid5QEEJAtWXDI explicit\r\r
+debug1: Authentication succeeded (publickey).\r\r
+Authenticated to crypt-arbeit8 ([192.168.2.38]:22).\r\r
+debug1: channel 0: new [client-session]\r\r
+debug1: Requesting no-more-sessions@openssh.com\r\r
+debug1: Entering interactive session.\r\r
+debug1: pledge: network\r\r
+debug1: client_input_global_request: rtype hostkeys-00@openssh.com want_reply 0\r
+debug1: Remote: /root/.ssh/authorized_keys:3: key options: agent-forwarding port-forwarding pty user-rc x11-forwarding\r
+debug1: Remote: /root/.ssh/authorized_keys:3: key options: agent-forwarding port-forwarding pty user-rc x11-forwarding\r
+debug1: Sending environment.\r
+debug1: Sending env LANG = de_DE.UTF-8\r
+Last login: Sun Nov 5 10:49:54 2023 from 192.168.2.14\r\r
+\e]0;root@crypt-arbeit8:~\a[root@crypt-arbeit8 ~]# exit\r
+logout\r
+debug1: client_input_channel_req: channel 0 rtype exit-status reply 0\r
+debug1: client_input_channel_req: channel 0 rtype eow@openssh.com reply 0\r
+debug1: channel 0: free: client-session, nchannels 1\r\r
+Connection to crypt-arbeit8 closed.\r\r
+Transferred: sent 2912, received 2852 bytes, in 5.4 seconds\r\r
+Bytes per second: sent 541.3, received 530.2\r\r
+debug1: Exit status 0\r\r
+\e[?2004h\e]0;sibille@Libelle: ~\a\e[01;32msibille@Libelle\e[00m:\e[01;34m~\e[00m$ ssh -i ~/.ssh/crypt_1024rsa root@crypt-arbeit8 -v\b\b\b\b\e[1P -v\b\b\b9 -v\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\e[C\e[C\e[C\b\e[1P\b\e[1P\b\e[1P\b\e[1P\b\e[1P\b\e[1P\b\e[1P\b\e[1P\b\e[1P\b\e[1P\b\e[1P\b\e[1P\b\e[1P\b\e[1P\b\e[1P\b\e[1P\b\e[1P\b\e[1P\b\e[1P\b\e[1P\e[1P\b\b\e[1P\b\e[1P\e[1P\b\e[C\e[C\e[C\e[C\e[C\e[C\e[C\e[C\e[C\e[C\e[C\e[C\e[C\e[C\e[C\e[C\e[C\e[C\e[C\e[C\e[C\e[C\b\e[K\b\e[K\b\e[K\r
+\e[?2004l\r\rroot@crypt-arbeit9's password: \r
+Last failed login: Sun Nov 5 16:48:07 CET 2023 from 192.168.2.14 on ssh:notty\r
+There was 1 failed login attempt since the last successful login.\r
+Last login: Sun Nov 5 16:44:50 2023 from 192.168.2.14\r\r
+\e]0;root@crypt-arbeit9:~\a\e[?2004h[root@crypt-arbeit9 ~]# up\b\e[K\b\e[Kcat /etc/os-release \r
+\e[?2004l\rNAME="AlmaLinux"\r
+VERSION="9.2 (Turquoise Kodkod)"\r
+ID="almalinux"\r
+ID_LIKE="rhel centos fedora"\r
+VERSION_ID="9.2"\r
+PLATFORM_ID="platform:el9"\r
+PRETTY_NAME="AlmaLinux 9.2 (Turquoise Kodkod)"\r
+ANSI_COLOR="0;34"\r
+LOGO="fedora-logo-icon"\r
+CPE_NAME="cpe:/o:almalinux:almalinux:9::baseos"\r
+HOME_URL="https://almalinux.org/"\r
+DOCUMENTATION_URL="https://wiki.almalinux.org/"\r
+BUG_REPORT_URL="https://bugs.almalinux.org/"\r
+\r
+ALMALINUX_MANTISBT_PROJECT="AlmaLinux-9"\r
+ALMALINUX_MANTISBT_PROJECT_VERSION="9.2"\r
+REDHAT_SUPPORT_PRODUCT="AlmaLinux"\r
+REDHAT_SUPPORT_PRODUCT_VERSION="9.2"\r
+\e]0;root@crypt-arbeit9:~\a\e[?2004h[root@crypt-arbeit9 ~]# updat\ae-crypto-policies --show\r
+\e[?2004l\rFUTURE\r
+\e]0;root@crypt-arbeit9:~\a\e[?2004h[root@crypt-arbeit9 ~]# update-crypto-policies --show\b\e[K\b\e[K\b\e[Ket DEFAULT\r
+\e[?2004l\rSetting system policy to DEFAULT\r
+Note: System-wide crypto policies are applied on application start-up.\r
+It is recommended to restart the system for the change of policies\r
+to fully take place.\r
+\e]0;root@crypt-arbeit9:~\a\e[?2004h[root@crypt-arbeit9 ~]# reboot\r
+\e[?2004l\r\e]0;root@crypt-arbeit9:~\a\e[?2004h[root@crypt-arbeit9 ~]# Connection to crypt-arbeit9 closed by remote host.\r\r
+Connection to crypt-arbeit9 closed.\r\r
+\e[?2004h\e]0;sibille@Libelle: ~\a\e[01;32msibille@Libelle\e[00m:\e[01;34m~\e[00m$ ssh root@crypt-arbeit9\r\e[C\e[C\e[C\e[C\e[C\e[C\e[C\e[C\e[C\e[C\e[C\e[C\e[C\e[C\e[C\e[C\e[C\e[C\e[C\e[C\e[1P\b\e[1P\e[1P root@crypt-arbeit9\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\e[1Proot@crypt-arbeit9\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\e[1Poot@crypt-arbeit9\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\e[C\e[1Pt@crypt-arbeit9\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\e[1Pt@crypt-arbeit9\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\e[1P@crypt-arbeit9\b\b\b\b\b\b\b\b\b\b\b\b\b\b\e[1Pcrypt-arbeit9\b\b\b\b\b\b\b\b\b\b\b\b\bpcrypt-arbeit9\b\b\b\b\b\b\b\b\b\b\b\b\bicrypt-arbeit9\b\b\b\b\b\b\b\b\b\b\b\b\bncrypt-arbeit9\b\b\b\b\b\b\b\b\b\b\b\b\bgcrypt-arbeit9\b\b\b\b\b\b\b\b\b\b\b\b\b crypt-arbeit9\b\b\b\b\b\b\b\b\b\b\b\b\b\r
+\e[?2004l\rPING crypt-arbeit9.lan (192.168.2.107) 56(84) bytes of data.\r
+64 bytes from 192.168.2.107 (192.168.2.107): icmp_seq=10 ttl=64 time=2.80 ms\r
+^C\r
+--- crypt-arbeit9.lan ping statistics ---\r
+10 packets transmitted, 1 received, 90% packet loss, time 9219ms\r
+rtt min/avg/max/mdev = 2.803/2.803/2.803/0.000 ms\r
+\e[?2004h\e]0;sibille@Libelle: ~\a\e[01;32msibille@Libelle\e[00m:\e[01;34m~\e[00m$ ping crypt-arbeit9\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\bssh root@crypt-arbeit9\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b-root@crypt-arbeit9\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\biroot@crypt-arbeit9\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b root@crypt-arbeit9\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b~root@crypt-arbeit9\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b/root@crypt-arbeit9\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b.root@crypt-arbeit9\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\bsroot@crypt-arbeit9\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\bsroot@crypt-arbeit9\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\bhroot@crypt-arbeit9\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b/root@crypt-arbeit9\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\bcroot@crypt-arbeit9\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\e[Croot@crypt-arbeit9\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\ayptroot@crypt-arbeit9\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b_root@crypt-arbeit9\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\e[Croot@crypt-arbeit9\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\a\e[1Poot@crypt-arbeit9\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b1root@crypt-arbeit9\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\a024root@crypt-arbeit9\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\e[Croot@crypt-arbeit9\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\bsaroot@crypt-arbeit9\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b root@crypt-arbeit9\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\r
+\e[?2004l\r\rroot@crypt-arbeit9's password: \r
+\r
+\e[?2004h\e]0;sibille@Libelle: ~\a\e[01;32msibille@Libelle\e[00m:\e[01;34m~\e[00m$ ssh -i ~/.ssh/crypt_1024rsa root@crypt-arbeit9 -v\r
+\e[?2004l\rOpenSSH_8.4p1 Debian-5+deb11u2, OpenSSL 1.1.1w 11 Sep 2023\r\r
+debug1: Reading configuration data /home/sibille/.ssh/config\r\r
+debug1: Reading configuration data /etc/ssh/ssh_config\r\r
+debug1: /etc/ssh/ssh_config line 19: include /etc/ssh/ssh_config.d/*.conf matched no files\r\r
+debug1: /etc/ssh/ssh_config line 21: Applying options for *\r\r
+debug1: Connecting to crypt-arbeit9 [192.168.2.107] port 22.\r\r
+debug1: Connection established.\r\r
+debug1: identity file /home/sibille/.ssh/crypt_1024rsa type 0\r\r
+debug1: identity file /home/sibille/.ssh/crypt_1024rsa-cert type -1\r\r
+debug1: Local version string SSH-2.0-OpenSSH_8.4p1 Debian-5+deb11u2\r\r
+debug1: Remote protocol version 2.0, remote software version OpenSSH_8.7\r\r
+debug1: match: OpenSSH_8.7 pat OpenSSH* compat 0x04000000\r\r
+debug1: Authenticating to crypt-arbeit9:22 as 'root'\r\r
+debug1: SSH2_MSG_KEXINIT sent\r\r
+debug1: SSH2_MSG_KEXINIT received\r\r
+debug1: kex: algorithm: curve25519-sha256\r\r
+debug1: kex: host key algorithm: ecdsa-sha2-nistp256\r\r
+debug1: kex: server->client cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none\r\r
+debug1: kex: client->server cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none\r\r
+debug1: expecting SSH2_MSG_KEX_ECDH_REPLY\r\r
+debug1: Server host key: ecdsa-sha2-nistp256 SHA256:mIpHNA796VvtdG0w2bBY26niQhrGjhF+ahH2nckoI1M\r\r
+debug1: Host 'crypt-arbeit9' is known and matches the ECDSA host key.\r\r
+debug1: Found key in /home/sibille/.ssh/known_hosts:58\r\r
+debug1: rekey out after 134217728 blocks\r\r
+debug1: SSH2_MSG_NEWKEYS sent\r\r
+debug1: expecting SSH2_MSG_NEWKEYS\r\r
+debug1: SSH2_MSG_NEWKEYS received\r\r
+debug1: rekey in after 134217728 blocks\r\r
+debug1: Will attempt key: /home/sibille/.ssh/crypt_1024rsa RSA SHA256:bU1xGTs+738/JuKRpu85uU+bH0cjnAid5QEEJAtWXDI explicit\r\r
+debug1: SSH2_MSG_EXT_INFO received\r\r
+debug1: kex_input_ext_info: server-sig-algs=<ssh-ed25519,sk-ssh-ed25519@openssh.com,ssh-rsa,rsa-sha2-256,rsa-sha2-512,ssh-dss,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,sk-ecdsa-sha2-nistp256@openssh.com,webauthn-sk-ecdsa-sha2-nistp256@openssh.com>\r\r
+debug1: SSH2_MSG_SERVICE_ACCEPT received\r\r
+debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password\r\r
+debug1: Next authentication method: gssapi-with-mic\r\r
+debug1: Unspecified GSS failure. Minor code may provide more information\r
+No Kerberos credentials available (default cache: FILE:/tmp/krb5cc_1000)\r
+\r
+\r\r
+debug1: Unspecified GSS failure. Minor code may provide more information\r
+No Kerberos credentials available (default cache: FILE:/tmp/krb5cc_1000)\r
+\r
+\r\r
+debug1: Next authentication method: publickey\r\r
+debug1: Offering public key: /home/sibille/.ssh/crypt_1024rsa RSA SHA256:bU1xGTs+738/JuKRpu85uU+bH0cjnAid5QEEJAtWXDI explicit\r\r
+debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password\r\r
+debug1: Next authentication method: password\r\r
+\rroot@crypt-arbeit9's password: \r
+\r
+\e[?2004h\e]0;sibille@Libelle: ~\a\e[01;32msibille@Libelle\e[00m:\e[01;34m~\e[00m$ exit\r
+\e[?2004l\rexit\r
+
+Script done on 2023-11-05 15:53:03+00:00 [COMMAND_EXIT_CODE="130"]
projects / susannes-git / Crypto-Policy-Vortrag.git / commitdiff