Bug 1438414
| Summary: | RHEL7.4 in FIPS mode is unable to ssh into RHEL4.9 | | |
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 7 | Reporter: | Jan Stancek <jstancek> |
| Component: | openssh | Assignee: | Jakub Jelen <jjelen> |
| Status: | CLOSED ERRATA | QA Contact: | Stefan Dordevic <sdordevi> |
| Severity: | unspecified | Docs Contact: | Mirek Jahoda <mjahoda> |
| Priority: | unspecified | Version: | 7.4 |
| Target Milestone: | rc | Hardware: | x86_64 |
| OS: | Linux | Type: | Bug |
| Fixed In Version: | openssh-7.4p1-3.el7 | Doc Type: | Deprecated Functionality |
| Last Closed: | 2017-08-01 18:42:47 UTC | CC: | ccheney, franco.dirosa, hkario, jburke, jjelen, nmavrogi, sdordevi, szidek, tmraz |

Doc Text:

This update removes SHA1-based key exchange algorithms from the default list in FIPS mode. They can still be re-enabled using the configuration snippet below:

    KexAlgorithms=+diffie-hellman-group14-sha1,diffie-hellman-group-exchange-sha1

Description
Jan Stancek
2017-04-03 11:48:39 UTC
See also: Bug 1324493 - Update the list of FIPS approved algorithms

I'd say this is expected and acceptable.

(In reply to Tomas Mraz from comment #3)
> I'd say this is expected and acceptable.

Well, the main point was that this was working in RHEL7.3 and the change was propagated from the Fedora bug #1324493. The main question is if this is something that FIPS enforces or we should rather aim for compatibility (with RHEL7.3 and also with legacy RHEL4.9). If we hit this issue in our own infrastructure, it is very likely that there will be a similar issue and setup somewhere in the wild in customers' deployments. Tomas, if you are ok with this change, we will certainly have to make sure it will be documented.

The deprecation of SHA1 for FIPS is a known fact, so I think just documenting the change (with the possible workaround by explicitly allowing the SHA1 based DH methods) is sufficient.

Sorry for coming up with details gradually (this should have been in the original report). But the problem is that when the cipher is not allowed in the FIPS, there is no workaround. The kex is not known to OpenSSH in FIPS. By manually selecting the cipher it leads to

    "diffie-hellman-group1-sha1" is not allowed in FIPS mode

so from there was the question how is the status of SHA1 in FIPS and what of the options would be acceptable for FIPS:

* Do we want the same behavior as in RHEL7.3: Enabled in default proposal
* Not in default proposal, possible to enable using configuration (preferred)
* Not in default proposal, unable to enable (current behavior of RHEL 7.4 package)

I think the second option is the best.

I will restore both the methods that were allowed in RHEL 7.3:

    diffie-hellman-group-exchange-sha1
    diffie-hellman-group14-sha1

They will not be offered by default (not on client nor server), but they can be re-enabled using configuration option such as

    ssh -oKexAlgorithms=+diffie-hellman-group14-sha1 user@legacyhost

or using configuration as described in http://www.openssh.com/legacy.html

The diffie-hellman-group-exchange-sha1 was disabled in RHEL7.3 and will stay so.

It still fails for me with openssh-7.4p1-3.el7:

    # ssh -oKexAlgorithms=+diffie-hellman-group14-sha1 user@rhel4
    FIPS mode initialized
    Unable to negotiate with 10.10.10.10 port 22: no matching key exchange method found. Their offer: diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
    # echo $?
    255
    # cat /proc/sys/crypto/fips_enabled
    1

Can you post a debug log from

    ssh -vvv -oKexAlgorithms=+diffie-hellman-group14-sha1 user@rhel4

    # ssh -vvv -oKexAlgorithms=+diffie-hellman-group14-sha1 user@rhel4
    OpenSSH_7.4p1, OpenSSL 1.0.1e-fips 11 Feb 2013
    debug1: Reading configuration data /etc/ssh/ssh_config
    debug1: /etc/ssh/ssh_config line 58: Applying options for *
    FIPS mode initialized
    debug2: resolving "rhel4" port 22
    debug2: ssh_connect_direct: needpriv 0
    debug1: Connecting to rhel4 [10.10.10.10] port 22.
    debug1: Connection established.
    debug1: permanently_set_uid: 0/0
    debug1: key_load_public: No such file or directory
    debug1: identity file /root/.ssh/id_rsa type -1
    debug1: key_load_public: No such file or directory
    debug1: identity file /root/.ssh/id_rsa-cert type -1
    debug1: key_load_public: No such file or directory
    debug1: identity file /root/.ssh/id_dsa type -1
    debug1: key_load_public: No such file or directory
    debug1: identity file /root/.ssh/id_dsa-cert type -1
    debug1: key_load_public: No such file or directory
    debug1: identity file /root/.ssh/id_ecdsa type -1
    debug1: key_load_public: No such file or directory
    debug1: identity file /root/.ssh/id_ecdsa-cert type -1
    debug1: key_load_public: No such file or directory
    debug1: identity file /root/.ssh/id_ed25519 type -1
    debug1: key_load_public: No such file or directory
    debug1: identity file /root/.ssh/id_ed25519-cert type -1
    debug1: Enabling compatibility mode for protocol 2.0
    debug1: Local version string SSH-2.0-OpenSSH_7.4
    debug1: Remote protocol version 1.99, remote software version OpenSSH_3.9p1
    debug1: match: OpenSSH_3.9p1 pat OpenSSH_3.* compat 0x01000000
    debug2: fd 3 setting O_NONBLOCK
    debug1: Authenticating to rhel4:22 as 'user'
    debug3: send packet: type 20
    debug1: SSH2_MSG_KEXINIT sent
    debug3: receive packet: type 20
    debug1: SSH2_MSG_KEXINIT received
    debug2: local client KEXINIT proposal
    debug2: KEX algorithms: ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256,,diffie-hellman-group14-sha1,ext-info-c
    debug2: host key algorithms: ecdsa-sha2-nistp256-cert-v01,ecdsa-sha2-nistp384-cert-v01,ecdsa-sha2-nistp521-cert-v01,ssh-ed25519-cert-v01,ssh-rsa-cert-v01,ssh-dss-cert-v01,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-ed25519,rsa-sha2-512,rsa-sha2-256,ssh-rsa,ssh-dss
    debug2: ciphers ctos: aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,3des-cbc,aes192-cbc,aes256-cbc,rijndael-cbc.se
    debug2: ciphers stoc: aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,3des-cbc,aes192-cbc,aes256-cbc,rijndael-cbc.se
    debug2: MACs ctos: hmac-sha1,hmac-sha2-256,hmac-sha2-512,hmac-sha1-etm,hmac-sha2-256-etm,hmac-sha2-512-etm
    debug2: MACs stoc: hmac-sha1,hmac-sha2-256,hmac-sha2-512,hmac-sha1-etm,hmac-sha2-256-etm,hmac-sha2-512-etm
    debug2: compression ctos: none,zlib,zlib
    debug2: compression stoc: none,zlib,zlib
    debug2: languages ctos:
    debug2: languages stoc:
    debug2: first_kex_follows 0
    debug2: reserved 0
    debug2: peer server KEXINIT proposal
    debug2: KEX algorithms: diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
    debug2: host key algorithms: ssh-rsa,ssh-dss
    debug2: ciphers ctos: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc.se,aes128-ctr,aes192-ctr,aes256-ctr
    debug2: ciphers stoc: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc.se,aes128-ctr,aes192-ctr,aes256-ctr
    debug2: MACs ctos: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160,hmac-sha1-96,hmac-md5-96
    debug2: MACs stoc: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160,hmac-sha1-96,hmac-md5-96
    debug2: compression ctos: none,zlib
    debug2: compression stoc: none,zlib
    debug2: languages ctos:
    debug2: languages stoc:
    debug2: first_kex_follows 0
    debug2: reserved 0
    debug1: kex: algorithm: (no match)
    Unable to negotiate with 10.10.10.10 port 22: no matching key exchange method found. Their offer: diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1

I see a suspicious comma in the line

    debug2: KEX algorithms: ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256,,diffie-hellman-group14-sha1,ext-info-c

which might cause these problems. I don't see it in non-FIPS mode.
As a possible workaround, the following should work:

    ssh -vvv -oKexAlgorithms=diffie-hellman-group14-sha1 user@rhel4

I can reproduce the same problem with my machine if I try to pass the bogus comma to the algorithm list

    ssh -vvv -oKexAlgorithms=,diffie-hellman-group14-sha1 user@localhost

It is certainly a bug in the FIPS offered list. This should not be in the default configuration, but the parser itself should not choke on that (it ends when it does not find anything in front of the comma). I will respin the package as soon as I find out how to put it together.

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2017:2029

This errata does not make sense at all. It is in regards to diffie-hellman-group1-sha1 and the discussion is in enabling it but it appears it is disabled in RHEL 7. The text below seems incorrect also which is a post above. It says the diffie-hellman-group-exchange-sha1 will be allowed to be enabled by option but then it says it will be disabled and nothing about DH group1 which was the original question.

Jakub Jelen 2017-04-04 14:51:54 UTC

I will restore both the methods that were allowed in RHEL 7.3:

    diffie-hellman-group-exchange-sha1
    diffie-hellman-group14-sha1

They will not be offered by default (not on client nor server), but they can be re-enabled using configuration option such as

    ssh -oKexAlgorithms=+diffie-hellman-group14-sha1 user@legacyhost

or using configuration as described in http://www.openssh.com/legacy.html

The diffie-hellman-group-exchange-sha1 was disabled in RHEL7.3 and will stay so.

(In reply to Franco DiRosa from comment #23)
> This errata does not make sense at all.

This is not an errata, but a bug closed more than three years ago with a couple of comments. If you have a question about the errata, please contact your Red Hat support.

> It is in regards to
> diffie-hellman-group1-sha1 and the discussion is in enabling it but it
> appears it is disabled in RHEL 7.

Right. In FIPS mode, it is not available. Outside of FIPS mode it is generally available and there is no need to reenable it.

> The text below seems incorrect also which
> is a post above. It says the diffie-hellman-group-exchange-sha1 will be
> allowed to be enabled by option but then it says it will be disabled and
> nothing about DH group1 which was the original question.

Can you point me to the original question, which references the group1? If you mean the comment #6, it is just an example log.

The diffie-hellman-group-exchange-sha1 in the last sentence should have been "diffie-hellman-group1-sha1" and again references only FIPS.

What is important is that the doc text that went to errata is correct:

> This update removes SHA1-based key exchange algorithms from the default list in FIPS mode. They can still be re-enabled using the configuration snippet below:
>
> KexAlgorithms=+diffie-hellman-group14-sha1,diffie-hellman-group-exchange-sha1
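
The stray-comma diagnosis from the thread, as an added example (not code from this bug report or from OpenSSH): it checks the two "KEX algorithms" lists from the debug log for empty entries and shows why negotiation fails when a parser stops at the empty name. The stop-at-empty parser is an assumed model of the behaviour described in the comments, all function names are hypothetical, and the negotiation rule is the simplified first-match rule of RFC 4253 section 7.1.

```python
# Added example: triage of the two "KEX algorithms" lines from an `ssh -vvv` log.
# Constructed sample input: both lists are copied from the debug log in this report.
CLIENT_KEX = (
    "ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,"
    "diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,"
    "diffie-hellman-group18-sha512,diffie-hellman-group14-sha256,,"
    "diffie-hellman-group14-sha1,ext-info-c"
)
SERVER_KEX = (
    "diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,"
    "diffie-hellman-group1-sha1"
)


def empty_entries(name_list):
    """Return the 0-based positions of empty names (stray commas)."""
    return [i for i, name in enumerate(name_list.split(",")) if not name]


def names_until_empty(name_list):
    """Assumed model of the parser described in the thread: stop at an empty name."""
    names = []
    for name in name_list.split(","):
        if not name:
            break
        names.append(name)
    return names


def names_skipping_empty(name_list):
    """Tolerant parser: ignore empty names and keep reading."""
    return [name for name in name_list.split(",") if name]


def negotiate(client_names, server_names):
    """RFC 4253 section 7.1, simplified: first client name the server also lists."""
    return next((n for n in client_names if n in server_names), None)


if __name__ == "__main__":
    server = names_skipping_empty(SERVER_KEX)
    print("empty entries in client list:", empty_entries(CLIENT_KEX))
    print("stop-at-empty parser:", negotiate(names_until_empty(CLIENT_KEX), server))
    print("skip-empty parser:   ", negotiate(names_skipping_empty(CLIENT_KEX), server))
```

The same `empty_entries` check can be run against any `KexAlgorithms`, `Ciphers` or `MACs` list copied from a debug log before a changed default is rolled out.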