SUSE Support

Openssh: new cryptology configuration in v9.6p1, part of SLES 15 SP6

This document (000021819) is provided subject to the disclaimer at the end of this document.

Environment

SUSE Linux Enterprise Server 15 SP6


Situation

SLES 15 SP6 has introduced a newer openssh package, based on upstream openssh package 9.6p1.

One of the new features in this version is that the selection of cryptographic algorithms used by openssh (key exchange, ciphers, MACs and signature algorithms) is now intended to be governed by the system-wide crypto-policies package and its tooling.  This carries with it several implications.  See the "Resolution" section for more information on those implications.

Resolution

Implications of this new feature include:

Settings in /etc/ssh/sshd_config and /etc/ssh/ssh_config which control algorithm lists, such as KexAlgorithms, MACs and Ciphers, might no longer directly control those lists, in favor of the crypto-policies configuration.  The reason is the rule documented in sshd_config(5) and ssh_config(5): for each keyword, the first value obtained is the one used.  When the crypto-policies list is read through an "Include" near the top of the file, a later line setting the same keyword in sshd_config or ssh_config has no effect.

The crypto policy in place after a new SLES 15 SP6 installation is the "DEFAULT" policy, which (in terms of openssh) is somewhat stricter (stronger) than the lists of allowed algorithms that openssh previously defaulted to.  This is expected.  Every algorithm has a life span: over time, some algorithms become weaker in the face of new technology or newly discovered vulnerabilities, and are deprecated.

The specific lists of algorithms that can be used under this policy, for openssh, are found in the directory

/etc/crypto-policies/back-ends/

in the files

opensshserver.config #(sshd server policies)
openssh.config #(ssh client policies)

Those files can be edited if further changes to these lists are needed.  Be aware, however, that update-crypto-policies regenerates the files in back-ends/ each time a policy is set, so direct edits there do not survive a later "update-crypto-policies --set".  Changes that are meant to persist belong in a custom policy or subpolicy, as described in the update-crypto-policies man page.
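To see why a Ciphers, MACs or KexAlgorithms line in sshd_config can silently stop having an effect once crypto-policies is wired in, the following shell function is an added example, not code from this article or from the openssh project.  It models the "first obtained value wins" rule of sshd_config(5) across Include directives.  The drop-in file and the config files it creates in the demo are constructed stand-ins for /etc/ssh/sshd_config and the crypto-policies back-end, not real SUSE files; Match blocks, the keyword=value spelling and Include paths relative to /etc/ssh are deliberately not modelled.

```shell
#!/bin/sh
# Added example (not from the SUSE article or the openssh project): a small
# model of the rule from sshd_config(5) that for each keyword "the first
# obtained value will be used".  It walks a config file in order, descends
# into Include directives (globbing the pattern, as sshd does) and prints the
# value of the first matching keyword.  Simplifications: Match blocks, the
# keyword=value form and Include paths relative to /etc/ssh are not handled;
# on a real host `sshd -T` and `ssh -G` remain the authority.

# resolve_option KEYWORD CONFIG -> prints the effective value, exit 1 if unset
resolve_option() {
    key=$(printf '%s' "$1" | tr 'A-Z' 'a-z')   # keywords are case-insensitive
    file=$2
    [ -r "$file" ] || return 1
    while IFS= read -r line || [ -n "$line" ]; do
        set -f; set -- $line; set +f           # split into words, no globbing yet
        [ $# -ge 2 ] || continue               # blank line or keyword without value
        case $1 in '#'*) continue ;; esac      # comment line
        word=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
        if [ "$word" = include ]; then
            shift
            for pat in "$@"; do
                for inc in $pat; do            # glob the Include pattern here
                    # recurse in a subshell so this loop's variables survive
                    ( resolve_option "$key" "$inc" ) && return 0
                done
            done
        elif [ "$word" = "$key" ]; then
            shift; printf '%s\n' "$*"; return 0
        fi
    done < "$file"
    return 1
}

# Constructed demonstration (temporary files, not real SUSE configs): a
# drop-in standing in for the crypto-policies back-end sets Ciphers, and the
# main file sets Ciphers again.  Only the ordering decides which one wins.
demo() {
    d=$(mktemp -d); mkdir "$d/sshd_config.d"
    echo 'Ciphers aes256-gcm@openssh.com,chacha20-poly1305@openssh.com' > "$d/sshd_config.d/50-policy.conf"
    printf 'Include %s/sshd_config.d/*.conf\nCiphers aes128-ctr\n' "$d" > "$d/sshd_config"
    printf 'Ciphers aes128-ctr\nInclude %s/sshd_config.d/*.conf\n' "$d" > "$d/sshd_config.reversed"
    echo "Include first: Ciphers = $(resolve_option Ciphers "$d/sshd_config")"
    echo "Ciphers first: Ciphers = $(resolve_option Ciphers "$d/sshd_config.reversed")"
    rm -rf "$d"
}
if [ "${DEMO:-0}" = 1 ]; then demo; fi   # run with: DEMO=1 sh this_script.sh
```

In the demo, the file with the Include at the top resolves Ciphers to the policy's list and the local "Ciphers aes128-ctr" line is dead; with the order reversed, the local line wins and the policy is ignored.  On a real SLES 15 SP6 host, compare the lists this model produces with the output of "sshd -T" (server) and "ssh -G hostname" (client), which also account for Match blocks.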

NOTE:

If the system was upgraded to SLES 15 SP6 rather than newly installed, some configuration needed to enable openssh's use of crypto-policies may not yet be in place.  Two additional "Include" lines are expected in /etc/ssh/sshd_config for this to work.  If an existing, older configuration file was in place when openssh 9.6p1 was installed, those lines have not been added to it.  Instead, they are part of a new example configuration file installed on the system, at:

/etc/ssh/sshd_config.rpmnew

The installation process does not automatically replace or merge the old and new configuration files, because doing so often requires administrators to review their own customized configuration in the old file, and decide which parts of the new and old files are appropriate to merge together.

The new lines, relative to crypto-policies, which appear in the sshd_config.rpmnew file are:

# To modify the system-wide sshd configuration, create a "*.conf" file under
# "/etc/ssh/sshd_config.d/" which will be automatically included below.
# Don't edit this configuration file itself if possible to avoid update
# problems.
Include /etc/ssh/sshd_config.d/*.conf

# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented.  Uncommented options override the
# default value.
Include /usr/etc/ssh/sshd_config.d/*.conf

It is usually sufficient to add those two lines near the beginning of the old configuration file, before any Match block and before any Ciphers, MACs or KexAlgorithms line that the policy is meant to take precedence over.  A careful comparison of the two files is often helpful.  After changes to sshd_config have been made and the syntax of the edited file has been checked, they are put into place for subsequent ssh sessions with:

systemctl restart sshd
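The merge step described above, as an added shell example that is not part of this article or of the openssh package: it prepends the two Include lines from sshd_config.rpmnew to an existing sshd_config when they are absent, keeps a backup, and can be run repeatedly without duplicating the lines.  The backup suffix ".pre-crypto-policies" is this example's own choice.  Try it on a copy of the file first; the separate apply_sshd_config step only restarts the service for the real /etc/ssh/sshd_config, and only after "sshd -t" accepts the file.

```shell
#!/bin/sh
# Added example (not from the SUSE article or the openssh project): after an
# upgrade to SLES 15 SP6, make sure an existing sshd_config carries the two
# Include lines that sshd_config.rpmnew ships, so crypto-policies can govern
# sshd.  The two paths are the ones shown in the rpmnew snippet.
POLICY_INCLUDES='/etc/ssh/sshd_config.d/*.conf
/usr/etc/ssh/sshd_config.d/*.conf'

# Exit 0 if config file $1 already has an Include naming path $2 (any
# position on the Include line; leading whitespace and keyword case ignored).
has_include() {
    awk -v want="$2" '
        tolower($1) == "include" { for (i = 2; i <= NF; i++) if ($i == want) found = 1 }
        END { exit !found }' "$1"
}

# Prepend the missing Include lines to config file $1, keeping a backup.
# Idempotent: a second run changes nothing.  Prepending follows the article:
# the lines must precede any Match block, and any Ciphers/MACs/KexAlgorithms
# line, if the crypto-policies lists are meant to take effect.
ensure_policy_includes() {
    cfg=$1
    [ -r "$cfg" ] || { echo "cannot read $cfg" >&2; return 2; }
    # 'set -f' keeps the shell from globbing the patterns while looping
    missing=$(set -f; for inc in $POLICY_INCLUDES; do
                  has_include "$cfg" "$inc" || echo "$inc"
              done)
    if [ -z "$missing" ]; then
        echo "$cfg: crypto-policies Include lines already present"
        return 0
    fi
    backup="$cfg.pre-crypto-policies"   # backup suffix is this example's choice
    cp -p "$cfg" "$backup" || return 1
    {
        echo '# Include lines carried over from sshd_config.rpmnew (crypto-policies)'
        printf '%s\n' "$missing" | sed 's/^/Include /'
        echo
        cat "$backup"
    } > "$cfg"
    echo "$cfg: added $(printf '%s\n' "$missing" | grep -c .) Include line(s); backup in $backup"
}

# Separate step for the live host: refuse to restart on a file sshd rejects,
# then show the policy in force and the algorithm lists sshd actually uses.
apply_sshd_config() {
    cfg=${1:-/etc/ssh/sshd_config}
    if ! command -v sshd >/dev/null 2>&1; then
        echo "sshd not installed here; nothing to check or restart" >&2
        return 0
    fi
    sshd -t -f "$cfg" || return 1
    if [ "$cfg" = /etc/ssh/sshd_config ]; then systemctl restart sshd || return 1; fi
    if command -v update-crypto-policies >/dev/null 2>&1; then update-crypto-policies --show; fi
    sshd -T -f "$cfg" | grep -Ei '^(ciphers|macs|kexalgorithms|hostkeyalgorithms) '
}
# Typical use on the host:
#   cp -p /etc/ssh/sshd_config /root/sshd_config.copy && ensure_policy_includes /root/sshd_config.copy
#   (review the result, then) ensure_policy_includes /etc/ssh/sshd_config && apply_sshd_config
```

The final "sshd -T" lines are the check worth keeping: they print the cipher, MAC, key exchange and host key algorithm lists sshd will actually offer after the Include lines are in place, which is the only way to confirm that the crypto-policies lists, and not a stale line further down in sshd_config, are in force.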

Additional Information

Other crypto policies might be activated.  For example, if the "LEGACY" policy is activated with the "update-crypto-policies" command, some older, weaker algorithms are enabled as well.  Those might be needed by older ssh clients that rely on them.  However, legacy algorithms carry more security risk, and a policy change is system-wide: it affects every library and service governed by crypto-policies, not only openssh.  Where a single old client is the problem, re-enabling only the algorithm it needs through a custom policy or subpolicy is the narrower choice.

For more information on openssh's use of algorithms and more information about crypto-policies usage, see:

man sshd_config
man crypto-policies
man update-crypto-policies
  (The update-crypto-policies man page and command come from the package "crypto-policies-scripts", which may not be installed by default.)

Additional notes regarding ssh clients whose keys may be too short under the new standards can be found at:
https://www.suse.com/releasenotes/x86_64/SUSE-SLES/15-SP6/index.html#security

Disclaimer

This Support Knowledgebase provides a valuable tool for SUSE customers and parties interested in our products and solutions to acquire information, ideas and learn from one another. Materials are provided for informational, personal or non-commercial use within your organization and are presented "AS IS" WITHOUT WARRANTY OF ANY KIND.

  • Document ID:000021819
  • Creation Date: 01-May-2025
  • Modified Date:01-May-2025
    • SUSE Linux Enterprise Server
