Revert RL9 crypto policy to DEFAULT

priteau · priteau · commit 8516ab31e937 · 2026-01-14T09:59:00.000+01:00
This should resolve SSH issues with some modern key types such as
ed25519.
diff --git a/etc/kayobe/ansible/maintenance/cis.yml b/etc/kayobe/ansible/maintenance/cis.yml
@@ -12,7 +12,7 @@
         that:
           - ssh_key_type != 'ed25519'
         fail_msg: FIPS policy does not currently support ed25519 SSH keys on RHEL family systems
-      when: ansible_facts.os_family == 'RedHat'
+      when: ansible_facts.os_family == 'RedHat' and rhel9cis_crypto_policy == 'FIPS'
 
     - name: Ensure the cron package is installed on ubuntu
       ansible.builtin.package:
diff --git a/etc/kayobe/inventory/group_vars/cis-hardening/cis b/etc/kayobe/inventory/group_vars/cis-hardening/cis
@@ -26,8 +26,9 @@ rhel9cis_rule_3_4_1_2: false
 # Don't configure selinux
 rhel9cis_selinux_disable: true
 
-# NOTE: FUTURE breaks wazuh agent repo metadata download
-rhel9cis_crypto_policy: FIPS
+# NOTE: Using DEFAULT crypto policy. FIPS breaks ed25519 SSH keys, and FUTURE
+# breaks wazuh agent repo metadata download.
+rhel9cis_crypto_policy: DEFAULT
 
 # Skip package updates
 rhel9cis_rule_1_9: false
diff --git a/releasenotes/notes/rhel9cis-crypto-policy-default-2de03e6a67a9efae.yaml b/releasenotes/notes/rhel9cis-crypto-policy-default-2de03e6a67a9efae.yaml
@@ -0,0 +1,6 @@
+---
+security:
+  - |
+    Updates the default CIS hardening configuration to set
+    ``rhel9cis_crypto_policy`` to ``DEFAULT`` instead of ``FIPS``. This
+    resolves SSH issues with some modern key types such as ``ed25519``.
