Bug 1016117

Summary: FIPS breaks SSH and telnet access to/from RHEL6.5-Beta system
Product: Red Hat Enterprise Linux 6 Reporter: Charlotte Richardson <charlotte.richardson>
Component: openssl Assignee: Tomas Mraz <tmraz>
Status: CLOSED CURRENTRELEASE QA Contact: BaseOS QE Security Team <qe-baseos-security>
Severity: high Docs Contact:
Priority: unspecified    
Version: 6.5 CC: david.bulkow, kevin.paetzold, wgomerin
Target Milestone: rc   
Target Release: ---   
Hardware: Unspecified   
OS: Linux   
Whiteboard:
Fixed In Version: RHEL6.5-Snap1 Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2013-10-16 14:26:12 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Charlotte Richardson 2013-10-07 14:37:50 UTC
Description of problem:
Both telnet and SSH access to/from a newly-IPLed RHEL6.5-beta system work initially, but stop working at some point, generating FIPS errors. Not seen in RHEL6.5-Alpha. The following procedure fixes the issue, at least temporarily:
fipshmac /usr/sbin/sshd
fipshmac /lib64/libfipscheck.so.1
/etc/init.d/sshd restart


Version-Release number of selected component (if applicable):
RHEL6.5-Beta


How reproducible:
Unsure how to reproduce it on demand, but it has appeared several times in our testing of RHEL6.5-Beta. Every system under test has experienced this.


Steps to Reproduce:
Unknown. IPL the system and use it for a while, and it will happen.

Actual results:
SSH and telnet will start generating FIPS errors to the outside and access inbound will become blocked.


Expected results:
SSH and telnet should continue to work normally.


Additional info:

Comment 3 Tomas Mraz 2013-10-09 06:36:06 UTC
This should be fixed in the latest openssl and openssh packages.
(openssl-1.0.1e-15.el6, openssh-5.3p1-94.el6)

Can you update them and retest?

Also do you have dracut-fips package installed? You should not unless you want to run the system in the FIPS mode.

Comment 4 Charlotte Richardson 2013-10-15 19:07:58 UTC
This appears to only happen in RHEL6.5-Beta. We have not seen it in RHEL6.5-Snap1 or RHEL6.5-Snap2, and it did not happen under 6.5-Alpha.

(The dracut-fips package is being installed, though we probably do not actually need for it to be. That doesn't seem to be causing problems when running 6.5-Snap1 or 6.5-Snap2.)

I think you can close this bug since it seems to be fixed now, or maybe mark it as a duplicate of 1010945 if you think it is the same thing. We will reopen it if it comes back.