ssh_options_parse_config by default
- Subject: ssh_options_parse_config by default
- From: Nikos Mavrogiannopoulos <nmav@xxxxxxxxxx>
- Reply-to: libssh@xxxxxxxxxx
- Date: Tue, 03 Jul 2018 07:40:27 +0200
- To: libssh@xxxxxxxxxx
Hi,

In the context of Fedora we are looking at various ways for applications to get a reasonable and adjustable default policy for crypto ciphers and parameters. Our goal is to be able to disable ciphers system-wide when necessary, without going through all possible applications. So far we have succeeded with the TLS libs, though with different approaches. With openssl and gnutls we apply a default config to all applications, unless the applications explicitly override that.

Now getting on libssh, what would be the best way to achieve the same thing? libssh provides ssh_options_parse_config() [0] but applications are expected to call it explicitly, meaning that we cannot assume that all apps follow the system's global config (/etc/ssh/ssh_config). Furthermore, on server side, libssh doesn't provide something equivalent.

Would it make sense for libssh to apply some global configuration about enabled ciphers (e.g., from /etc/) unconditionally on server or client side? Would such a feature be acceptable?

regards,
Nikos

[0]. http://api.libssh.org/master/group__libssh__session.html#ga82371e723260c7572ea061edecc2e9f1