Closed comps closed 4 weeks ago
Should we add the BLOCKER label there? @comps @Mab879
Bricking ssh isn't great. We should have a solution even if this isn't our fault.
+1 to blocker
Since the OSPP profile is no longer in RHEL 10 the blocker label is not needed.
This was fixed by https://github.com/ComplianceAsCode/content/pull/12369
The issue was that the OSPP control file for RHEL10 selected the wrong rules, and these were preventing SSH access.
Description of problem:
results in a system that boots, but when I try to ssh into it, it seems to fail due to crypto policies:
Commenting out the Include in /etc/ssh/sshd_config.d/40-redhat-crypto-policies.conf gets me a working ssh connection.
Other profiles (STIG) seem to work after I explicitly started generating RSA keys (RHEL-10 defaults to non-RSA), but that's with the FIPS crypto policies. The ospp profile is special because it (as far as I know) uses FIPS:OSPP, which might be somehow broken.
Or maybe the bug is in how the content uses it. More investigation is likely needed.
SCAP Security Guide Version:
520a19633ce32a75982b16a1af48423c99fe23ce
Additional Information/Debugging Steps:
I'm attaching the only artifact I have - the remediation HTML report. Not sure if it helps anything. remediation.html.gz