Revert RL9 crypto policy to DEFAULT #2084

Open
priteau wants to merge 1 commit into stackhpc/2025.1 from rhel9cis-crypto-policy

@priteau
Member

@priteau priteau commented Jan 13, 2026

This should resolve SSH issues with some modern key types such as ed25519.

@priteau priteau self-assigned this Jan 13, 2026
@priteau priteau requested a review from a team as a code owner January 13, 2026 22:51
Contributor

@gemini-code-assist gemini-code-assist Bot left a comment

Code Review

This pull request correctly reverts the RHEL 9 crypto policy from FIPS to DEFAULT to allow the use of modern SSH key types like ed25519. The change is well-documented with a new comment and a release note.

However, for this change to be fully effective, a related modification is required in a file not included in this PR's changes. The file etc/kayobe/ansible/maintenance/cis.yml contains an Ansible assertion that explicitly blocks the use of ed25519 keys on Red Hat systems. This assertion was relevant for the FIPS policy but now contradicts the goal of this PR. It should be removed to prevent failures for users who wish to use ed25519 keys.

I've also added one suggestion to improve the clarity of comments in the configuration file.

Comment thread etc/kayobe/inventory/group_vars/cis-hardening/cis Outdated
mnasiadka previously approved these changes Jan 14, 2026
This should resolve SSH issues with some modern key types such as
ed25519.
@Alex-Welsh Alex-Welsh force-pushed the rhel9cis-crypto-policy branch from df59552 to b3ed128 Compare May 22, 2026 15:20
@Alex-Welsh
Member

To avoid unexpected changes when applying this to customer sites, should we instead bundle it with 2026.1 or RL10?
It seems unnecessary to change it now when we won't be supporting RL9 much longer.
