
ssh_options_parse_config by default


Hi,
In the context of Fedora we are looking at various ways for applications
to get a reasonable and adjustable default policy for crypto ciphers
and parameters. Our goal is to be able to disable ciphers system-wide
when necessary, without going through all possible applications. So far
we have succeeded with the TLS libs, though with different approaches.
With openssl and gnutls we apply a default config to all applications,
unless the applications explicitly override that. 

Now getting to libssh, what would be the best way to achieve the same
thing? libssh provides ssh_options_parse_config() [0] but applications
are expected to call it explicitly, meaning that we cannot assume that
all apps follow the system's global config (/etc/ssh/ssh_config).
Furthermore, on the server side, libssh doesn't provide something
equivalent. Would it make sense for libssh to apply some global
configuration about enabled ciphers (e.g., from /etc/) unconditionally
on server or client side? Would such a feature be acceptable?

regards,
Nikos

[0] http://api.libssh.org/master/group__libssh__session.html#ga82371e723260c7572ea061edecc2e9f1
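
An added example, not part of the original message and not libssh code: a sketch of the behaviour asked about above, where a system-wide `Ciphers` line restricts whatever cipher list an application requests. The function `filter_ciphers` and the sample policy text are hypothetical, and the sketch reads the first `Ciphers` line without honouring `Host` scoping.

```c
#include <stdio.h>
#include <string.h>
#include <strings.h>
/* Constructed sample in ssh_config syntax; not a real distribution file. */
static const char SAMPLE_POLICY[] = "Host *\n    Ciphers aes256-ctr,aes128-ctr\n";

/* Return 1 if name (n bytes) is an entry of the comma-separated list. */
static int in_list(const char *name, size_t n, const char *list) {
    for (size_t len; *list; list += len + (list[len] == ',')) {
        len = strcspn(list, ",");
        if (len == n && strncmp(list, name, n) == 0) return 1;
    }
    return 0;
}
/* Hypothetical helper, not libssh API: copy to out the entries of app_list, in
 * the application's order, that the first "Ciphers" line of policy allows. With
 * no such line app_list passes unchanged. Returns the count kept, or -1 when a
 * buffer is too small. Plain comma lists only (no +, - or ^ prefixes). */
int filter_ciphers(const char *policy, const char *app_list, char *out, size_t outsz) {
    char allowed[256];
    int have_policy = 0, kept = 0;
    size_t used = 0, len, n;
    if (outsz == 0) return -1;
    for (const char *p = policy; *p && !have_policy; p += len + (p[len] == '\n')) {
        len = strcspn(p, "\n");
        const char *s = p + strspn(p, " \t");
        if (strncasecmp(s, "Ciphers", 7) != 0 || (s[7] != ' ' && s[7] != '\t')) continue;
        s += 7 + strspn(s + 7, " \t");
        n = (size_t)(p + len - s);
        if (n >= sizeof allowed) return -1;
        memcpy(allowed, s, n);
        allowed[n] = '\0';
        have_policy = 1;
    }
    out[0] = '\0';
    for (const char *a = app_list; *a; a += n + (a[n] == ',')) {
        n = strcspn(a, ",");
        if (n == 0 || (have_policy && !in_list(a, n, allowed))) continue;
        if (used + n + 2 > outsz) return -1;
        if (kept++) out[used++] = ',';
        memcpy(out + used, a, n);
        out[used += n] = '\0';
    }
    return kept;
}
int main(void) {
    char out[128];
    int kept = filter_ciphers(SAMPLE_POLICY, "3des-cbc,aes128-ctr,aes256-ctr", out, sizeof out);
    printf("%d kept: %s\n", kept, out);
    return kept > 0 ? 0 : 1;
}
```

A return value of 0 means the policy removed every cipher the application asked for; the caller should fail the connection rather than fall back to its own list.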

