Bug 1264651

Summary: weak ciphers should be disabled in rhnmd config to comply with security audits
Product: Red Hat Satellite 5
Component: Monitoring
Version: 570
Status: CLOSED WONTFIX
Severity: unspecified
Priority: unspecified
Hardware: Unspecified
OS: Unspecified
Reporter: Jan Hutař <jhutar>
Assignee: Grant Gainey <ggainey>
QA Contact: Red Hat Satellite QA List <satqe-list>
CC: dyordano, tlestach
Doc Type: Bug Fix
Type: Bug
Last Closed: 2017-04-28 18:21:46 UTC

Description Jan Hutař 2015-09-19 21:46:34 UTC
Description of problem:
rhnmd should not allow MD5 and 96-bit MAC algorithms to comply with some security audits. For more info on sshd security hardening, please see:

https://access.redhat.com/solutions/420283


Version-Release number of selected component (if applicable):
rhnmd-5.3.18-2.el6sat.noarch
(possibly on RHEL5 and RHEL7 as well)


How reproducible:
always


Steps to Reproduce:
1. Set up Satellite 5.7.0 with monitoring and one client
2. Prepare "Linux: Load" probe (which is using rhnmd daemon)
3. Add these two lines ("Ciphers ..." and "MACs ...") mentioned in
   the KB article to the rhnmd_config on the client
4. Notice rhnmd is allowing weak ciphers (using "Diagnostic Steps" from
   the KB article - run these from satellite server and you should get
   the shell on the client):
   # ssh -vv -i /var/lib/nocpulse/.ssh/nocpulse-identity \
     -oCiphers=aes128-cbc,3des-cbc,blowfish-cbc nocpulse@<client> -p 4545
   # ssh -vv -i /var/lib/nocpulse/.ssh/nocpulse-identity \
     -oMACs=hmac-md5 nocpulse@<client> -p 4545
5. Restart rhnmd on the client
6. Ensure the probe is still working
7. Ensure you do not get remote shell when you re-run commands from step "4."


Actual results:
It still works even with these weak ciphers disabled


Expected results:
These weak ciphers should be disabled by default


Additional info:
Originally reported via SFDC 01506231
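
An added example, not part of the original report or of Satellite itself: a shell check that reads an sshd-style config file such as rhnmd_config and reports the algorithm classes this bug is about. It assumes plain comma-separated Ciphers and MACs lists, treats every CBC cipher as weak (generalising the three tested in step 4), and takes the file path as an argument because the report does not give one; the function names are hypothetical.

```sh
#!/bin/sh
# Added example: audit an sshd-style config (e.g. rhnmd_config) for the
# algorithm classes named in this report. Assumption: every CBC cipher counts
# as weak, generalising the three tested in step 4; MACs are weak when they
# are MD5-based or truncated to 96 bits.
is_weak() {  # is_weak KEYWORD ALGORITHM
    case "$1:$2" in
        Ciphers:*-cbc*|MACs:*md5*|MACs:*-96|MACs:*-96-etm@*) return 0 ;;
    esac
    return 1
}

# audit_keyword FILE KEYWORD: one finding per line, nothing when clean.
audit_keyword() {
    # Keywords are case-insensitive and the first occurrence wins (sshd_config rules).
    value=$(awk -v k="$2" '
        /^[ \t]*#/ { next }
        tolower($1) == tolower(k) { $1 = ""; gsub(/[ \t]/, ""); print; exit }
    ' "$1")
    if [ -z "$value" ]; then
        # Nothing in the file restricts the list, so the daemon default is in force.
        echo "$2: unset (daemon defaults apply)"
        return 0
    fi
    for alg in $(echo "$value" | tr ',' ' '); do
        if is_weak "$2" "$alg"; then echo "$2: weak algorithm $alg"; fi
    done
    return 0
}

# audit_config FILE: findings on stdout; exit status 1 if there are any.
audit_config() {
    findings=$(audit_keyword "$1" Ciphers; audit_keyword "$1" MACs)
    [ -z "$findings" ] && return 0
    echo "$findings"
    return 1
}

if [ "$#" -gt 0 ]; then
    audit_config "$1"
else
    # Constructed sample, not taken from a real host.
    sample=$(mktemp)
    printf '%s\n' 'Port 4545' 'Ciphers aes128-ctr,3des-cbc' 'MACs hmac-md5' > "$sample"
    audit_config "$sample" || true
    rm -f "$sample"
fi
```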

Comment 1 Grant Gainey 2017-04-28 18:21:46 UTC
Monitoring has a number of issues, and is being removed in the upcoming SATELLITE-5.8 release. Closing, WONTFIX