* Sat Mar 22 2025 Jean-Philippe Pialasse <jpp@koozali.org> 11.0.0-12.sme

- insecure cipher and MAC removed [SME: 12968]

root/etc/e-smith/templates/etc/ssh/sshd_config/29HostKeyAlgorithms

@@ -0,0 +1 @@
+HostKeyAlgorithms ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521-cert-v01@openssh.com,ssh-ed25519-cert-v01@openssh.com,rsa-sha2-512-cert-v01@openssh.com,rsa-sha2-256-cert-v01@openssh.com,ssh-rsa-cert-v01@openssh.com,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-ed25519,rsa-sha2-512,rsa-sha2-256

root/etc/e-smith/templates/etc/ssh/sshd_config/30KexAlgorithms

@@ -1 +1 @@
-KexAlgorithms curve25519-sha256@libssh.org,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,diffie-hellman-group-exchange-sha256
+KexAlgorithms curve25519-sha256,curve25519-sha256@libssh.org,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group-exchange-sha256

root/etc/e-smith/templates/etc/ssh/sshd_config/33MACs

@@ -1 +1 @@
-MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com
+MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com

root/usr/lib/systemd/system/sshd.service.d/50-koozali.conf

@@ -1,4 +1,8 @@
 [Service]
+# could introduce security issues
+# EnvironmentFile=-/etc/crypto-policies/back-ends/opensshserver.config
+EnvironmentFile=
+EnvironmentFile=-/etc/sysconfig/sshd
 ExecStartPre=/sbin/e-smith/service-status sshd
 ExecStartPre=/sbin/e-smith/systemd/sshd-prepare
 ExecStartPre=-/sbin/e-smith/expand-template /etc/ssh/sshd_config