Skip to content

Revert RL9 crypto policy to DEFAULT#2084

Open
priteau wants to merge 1 commit intostackhpc/2025.1from
rhel9cis-crypto-policy
Open

Revert RL9 crypto policy to DEFAULT#2084
priteau wants to merge 1 commit intostackhpc/2025.1from
rhel9cis-crypto-policy

Conversation

@priteau
Copy link
Member

@priteau priteau commented Jan 13, 2026

This should resolve SSH issues with some modern key types such as ed25519.

@priteau priteau self-assigned this Jan 13, 2026
@priteau priteau requested a review from a team as a code owner January 13, 2026 22:51
gemini-code-assist[bot]
gemini-code-assist bot reviewed Jan 13, 2026
View reviewed changes
Copy link
Contributor

@gemini-code-assist gemini-code-assist bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Code Review

This pull request correctly reverts the RHEL 9 crypto policy from FIPS to DEFAULT to allow the use of modern SSH key types like ed25519. The change is well-documented with a new comment and a release note.

However, for this change to be fully effective, a related modification is required in a file not included in this PR's changes. The file etc/kayobe/ansible/maintenance/cis.yml contains an Ansible assertion that explicitly blocks the use of ed25519 keys on Red Hat systems. This assertion was relevant for the FIPS policy but now contradicts the goal of this PR. It should be removed to prevent failures for users who wish to use ed25519 keys.

I've also added one suggestion to improve the clarity of comments in the configuration file.

mnasiadka
mnasiadka previously approved these changes Jan 14, 2026
View reviewed changes
@priteau
Revert RL9 crypto policy to DEFAULT
8516ab3 
This should resolve SSH issues with some modern key types such as
ed25519.
@priteau priteau force-pushed the rhel9cis-crypto-policy branch from 77eb16d to 8516ab3 Compare January 14, 2026 09:00
@priteau priteau requested a review from mnasiadka January 14, 2026 09:00
Alex-Welsh
Alex-Welsh requested changes Jan 21, 2026
View reviewed changes
Copy link
Member

@Alex-Welsh Alex-Welsh left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@priteau can we close in favor of #2085?

@priteau
Copy link
Member Author

priteau commented Jan 21, 2026

@priteau can we close in favor of #2085?

#2085 only applies to CI. There was also a recent discussion about relaxing the RL9 crypto policy so that we could use all types of SSH keys.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@Alex-Welsh Alex-Welsh Alex-Welsh requested changes

@mnasiadka mnasiadka Awaiting requested review from mnasiadka

+1 more reviewer

@gemini-code-assist gemini-code-assist[bot] gemini-code-assist[bot] left review comments

Reviewers whose approvals may not affect merge requirements

Requested changes must be addressed to merge this pull request.

Assignees

@priteau priteau

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@priteau @mnasiadka @Alex-Welsh