Bug 1721419

Summary: SSH key cannot be added when FIPS enabled
Product: Red Hat Satellite Reporter: Jan Jansky <jjansky>
Component: Users & RolesAssignee: Leos Stejskal <lstejska>
Status: CLOSED ERRATA QA Contact: Radovan Drazny <rdrazny>
Severity: medium Docs Contact:
Priority: unspecified    
Version: 6.5.0CC: dcbarr, egolov, inecas, lstejska, mhulan, snemeth
Target Milestone: 6.8.0Keywords: Triaged
Target Release: Unused   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: foreman-2.0.0 Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2020-10-27 12:58:39 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Jan Jansky 2019-06-18 09:16:10 UTC 
Description of problem: When FIPS is enabled and customer will try to add SSH key for user, 500 internal server error appear


Version-Release number of selected component (if applicable):
satellite-6.5.0-11.el7sat.noarch

How reproducible: Always


Steps to Reproduce:
1. Create new user
2. generate new key
3. Edit user -> SSH Keys -> Add SSH Keys
4. Fill new SSH key

Actual results:
500 Internal server error


Expected results:
Key added


Additional info:
Comment 8 Marek Hulan 2019-11-21 11:09:08 UTC 
SSHKey.generate defaults to md5 for fingerprint which is unavailable in FIPS enabled system. We don't use ActiveSupport::Digest.hexdigest for generating the hash for the key, but use SSHKey.generate directly, hence it was missed in FIPS enabling PR. We can use SSHKey.sha1_generate instead to enforce safe hash function.
Comment 9 Leos Stejskal 2020-01-27 11:10:52 UTC 
Created redmine issue https://projects.theforeman.org/issues/28861 from this bug
Comment 10 Bryan Kearney 2020-02-05 11:04:06 UTC 
Moving this bug to POST for triage into Satellite 6 since the upstream issue https://projects.theforeman.org/issues/28861 has been resolved.
Comment 11 Radovan Drazny 2020-09-22 11:22:14 UTC 
Tested on Satellite 6.8 Snap 16 using the reproducer from the initial report. SSH key for a new user has been added successfully, the fingerprint generated is SHA256 based and correct. Adding both from WebUI and hammer works.
Comment 14 errata-xmlrpc 2020-10-27 12:58:39 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Important: Satellite 6.8 release), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2020:4366