Bug 1442083

Summary: Delayed name resolving fails when fips is enabled
Product: Red Hat Enterprise Linux 7 Reporter: Miroslav Lichvar <mlichvar>
Component: ntpAssignee: Miroslav Lichvar <mlichvar>
Status: CLOSED ERRATA QA Contact: Andrej Dzilský <adzilsky>
Severity: medium Docs Contact:
Priority: medium    
Version: 7.3CC: adzilsky, avaddara, ffotorel, mdshaikh, psklenar
Target Milestone: rc   
Target Release: 7.5   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: ntp-4.2.6p5-28.el7 Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2018-04-10 15:25:54 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Attachments:
Description Flags
Use SHA1 request key by default to fix delayed name resolving in FIPS mode none

Description Miroslav Lichvar 2017-04-13 13:24:25 UTC 
Description of problem:
When the FIPS mode was enabled and hostnames specified in ntp.conf couldn't be resolved on start, the resolving process of ntpd is not be able to configure the main process later and it won't be using the servers for synchronization.

The problem is that ntpd uses a random MD5 key when no request key was specified in the config and MD5 is not allowed in the FIPS mode.

Version-Release number of selected component (if applicable):
ntp-4.2.6p5-25.el7_3.1.x86_64

How reproducible:
Most of the time

Steps to Reproduce:
1. enable FIPS mode
2. disable chronyd service, enable ntpd service
3. reboot

Actual results:
The "ntpq -pn" command reports that no NTP servers are used and the system log contains an "ntpd_intres[729]: MAC encrypt: digest init failed" error message.

Expected results:
ntpq -pn lists all servers specified in ntp.conf.

Additional info:
Comment 1 Miroslav Lichvar 2017-04-13 13:54:40 UTC 
Created attachment 1271436 [details]
Use SHA1 request key by default to fix delayed name resolving in FIPS mode

With this patch ntpd will use by default a random SHA1 key instead of an MD5 key, which is still allowed in the FIPS mode.
Comment 5 Andrej Dzilský 2017-10-17 15:15:36 UTC 
Verified. Fixed.
Comment 8 errata-xmlrpc 2018-04-10 15:25:54 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2018:0855