Bug 1739176

Summary: The xrdp RPM `posttrans` scriptlet fails on FIPS-enabled systems
Product: [Fedora] Fedora EPEL
Component: xrdp
Version: epel7
Status: CLOSED ERRATA
Reporter: Thomas Jones <redhat>
Assignee: Itamar Reis Peixoto <itamar>
QA Contact: Fedora Extras Quality Assurance <extras-qa>
CC: bojan, itamar
Severity: unspecified
Priority: unspecified
Hardware: Unspecified
OS: Unspecified
Fixed In Version: xrdp-0.9.11-5.fc31 xrdp-0.9.11-5.fc29 xrdp-0.9.11-5.fc30 xrdp-0.9.11-5.el7 xrdp-0.9.11-5.el8
Type: Bug
Last Closed: 2019-10-02 00:46:42 UTC

Description Thomas Jones 2019-08-08 16:50:52 UTC
Description of problem:

The xrdp RPM includes a posttrans scriptlet that includes the line:

     (umask 377; /usr/bin/xrdp-keygen xrdp /etc/xrdp/rsakeys.ini >/dev/null)

This fails on FIPS-enabled systems due to xrdp-keygen only supporting use of MD5 keys. Per https://github.com/neutrinolabs/xrdp/issues/1032, the protocol uses TLS for transport and the inability to generate a key isn't specifically problematic: so long as *an* /etc/xrdp/rsakeys.ini file exists - even a null-file - the software should function as intended. That the above snippet results in no /etc/xrdp/rsakeys.ini file being created at all is problematic. Probably better to alter the above to something like:

     ( install -bDm 000400 /dev/null /etc/xrdp/rsakeys.ini && \
       /usr/bin/xrdp-keygen xrdp /etc/xrdp/rsakeys.ini >/dev/null )

This will still result in an error message being printed on FIPS-enabled systems. However, the proposed change should result in the needed /etc/xrdp/rsakeys.ini always being created.

Version-Release number of selected component (if applicable):

     $ rpm -qi xrdp
     Name        : xrdp
     Epoch       : 1
     Version     : 0.9.10
     Release     : 1.el7
     Architecture: x86_64
     Install Date: Thu 08 Aug 2019 03:51:21 PM UTC
     Group       : Unspecified
     Size        : 2191475
     License     : ASL 2.0
     Signature   : RSA/SHA256, Fri 03 May 2019 12:03:36 AM UTC, Key ID 6a2faea2352c64e5
     Source RPM  : xrdp-0.9.10-1.el7.src.rpm
     Build Date  : Thu 02 May 2019 11:38:00 PM UTC
     Build Host  : buildvm-10.phx2.fedoraproject.org
     Relocations : (not relocatable)
     Packager    : Fedora Project
     Vendor      : Fedora Project
     URL         : http://www.xrdp.org/
     Bug URL     : https://bugz.fedoraproject.org/xrdp
     Summary     : Open source remote desktop protocol (RDP) server
     Description :
     xrdp provides a fully functional RDP server compatible with a wide range
     of RDP clients, including FreeRDP and Microsoft RDP client.

How reproducible:


Steps to Reproduce:
1. Deploy a FIPS-enabled RHEL 7 system
2. Perform a `yum install xrdp`
3. Once RPM-installation reaches the %post script stage, it will:
    * Print out the error:

         md5_dgst.c(82): OpenSSL internal error, assertion failed: Digest MD5 forbidden in FIPS mode!
         /var/tmp/rpm-tmp.Ol7pFk: line 3: 17961 Aborted                 (core dumped) /usr/bin/xrdp-keygen xrdp /etc/xrdp/rsakeys.ini > /dev/null

    * Finish the installation having failed to create any /etc/xrdp/rsakeys.ini file

Actual results:

RPM installs without necessary /etc/xrdp/rsakeys.ini file being created

Expected results:

RPM installs with necessary /etc/xrdp/rsakeys.ini file being created


Additional info:
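
As an added example (not the reporter's snippet above and not the packager's eventual fix), here is a POSIX shell function that does what the description asks of the scriptlet: run the key generator, and guarantee that /etc/xrdp/rsakeys.ini exists with mode 0400 whether or not the generator aborts under FIPS. The function names `ensure_rsakeys` and `rsakeys_perms`, the parameterised keygen and key-file paths, and the use of GNU coreutils `install -D` are assumptions of this example; the FIPS abort is simulated with a stand-in script rather than a real xrdp-keygen.

```sh
#!/bin/sh
# Added example: a hardened stand-in for the xrdp posttrans snippet.
# Assumptions (not from the original bug): the function names, GNU `install -D`,
# and that any non-zero exit from the keygen (including the SIGABRT seen under
# FIPS) should fall back to an empty placeholder rather than leave no file.

# ensure_rsakeys KEYGEN KEYFILE
#   Run KEYGEN to produce KEYFILE; if it fails or writes nothing, leave an
#   empty KEYFILE (mode 0400) so xrdp still starts under FIPS (the TLS
#   transport does not need the legacy RSA key). Returns 0 when KEYFILE
#   exists on exit, non-zero only if even the placeholder cannot be created.
ensure_rsakeys() {
    keygen=$1
    keyfile=$2

    mkdir -p "$(dirname "$keyfile")" || return 1

    # Same umask the RPM uses, so a successful keygen creates a 0400 file.
    # The subshell confines the umask; keygen's stderr is left visible so a
    # FIPS operator still sees the OpenSSL assertion in the install log.
    if ( umask 377; "$keygen" xrdp "$keyfile" >/dev/null ) && [ -s "$keyfile" ]; then
        return 0
    fi

    # keygen aborted (e.g. "Digest MD5 forbidden in FIPS mode!") or produced
    # an empty file: discard any partial output and install an empty
    # placeholder with the same restrictive mode. -D creates missing parents.
    rm -f "$keyfile"
    install -Dm 0400 /dev/null "$keyfile"
}

# rsakeys_perms KEYFILE
#   Print the ls-style mode string (e.g. "-r--------") for a post-install check.
rsakeys_perms() {
    ls -ld "$1" | cut -c1-10
}

# In a real scriptlet the call would be:
#   ensure_rsakeys /usr/bin/xrdp-keygen /etc/xrdp/rsakeys.ini
```

The difference from pre-creating the file before calling keygen is that a successful keygen still writes a fresh file under the RPM's umask, while a crash or an empty result is replaced by the placeholder; a post-install check can then verify both existence and that the mode string is `-r--------`.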

Comment 1 Bojan Smojver 2019-08-08 23:26:59 UTC
The issue has been reported upstream, so once the upstream fixes this, I will rebuild xrdp.

Comment 2 Thomas Jones 2019-08-09 12:10:05 UTC
Oh. I'd posted this bug here since the Fedora page directed issue-submissions here. Is there an associated GitHub (et al.) project for the RPM-based packaging to which one can submit PRs? If so, I'd be happy to submit a PR to address the flaw in the RPM's %post scriptlet.

Comment 3 Bojan Smojver 2019-08-09 13:04:21 UTC
Judging by the discussion upstream, the tool only generates md5 keys. I'll reread that discussion again tomorrow, just to make sure I didn't misunderstand.

Comment 4 Thomas Jones 2019-08-09 13:31:51 UTC
Right. *Because* the affected protocol is effectively deprecated:
1) They're not going to try to fix the tool (original bug was opened in 2016)
2) The inability to generate the key isn't problematic, all you have to do is ensure a null-file of the expected name is present (i.e., don't worry about the tool, worry about how the RPM attempts to use the problematic tool - either wholly drop the keygen or include logic to ensure the presence of a null-file).

Which is to say, my original suggestion in this bug report is "don't try to fix the tool, fix the RPM's %post scriptlet" (and offered one such method for doing so).

Comment 5 Bojan Smojver 2019-08-09 14:04:35 UTC
Right. Sure, we can create an empty file, if that gets things over the hump.

Comment 6 Thomas Jones 2019-08-09 15:42:32 UTC
Yup. It does. I stood up an XRDP-enabled EC2 yesterday and validated that everything functioned once the touch-file was in place.

Silly question: any chance the RPM could be updated to activate the ms-wbt firewalld service? If so, would that need to be requested by a separate BZ?

Comment 7 Bojan Smojver 2019-08-09 21:53:13 UTC
That sounds like a sysadmin task to me. Adding such firewall rules by an rpm is not something I would feel comfortable forcing on everyone that installs xrdp.

Comment 8 Thomas Jones 2019-08-09 21:54:59 UTC
No worries. Some RPM packagings are more (potentially) disruptive than others. For example, installing the graphical desktop RPM-group changes the default run level.

Comment 9 Bojan Smojver 2019-08-09 23:27:36 UTC
Please try: https://koji.fedoraproject.org/koji/taskinfo?taskID=36894809

Comment 10 Thomas Jones 2019-08-10 15:52:24 UTC
Awesome. I'll give that a look Monday, when I get back to the office.

Comment 11 Fedora Update System 2019-09-23 11:48:51 UTC
FEDORA-2019-997c85bf31 has been submitted as an update to Fedora 31. https://bodhi.fedoraproject.org/updates/FEDORA-2019-997c85bf31

Comment 12 Fedora Update System 2019-09-23 11:48:59 UTC
FEDORA-EPEL-2019-6e641aad91 has been submitted as an update to Fedora EPEL 8. https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2019-6e641aad91

Comment 13 Fedora Update System 2019-09-23 11:49:03 UTC
FEDORA-2019-602c4a53d2 has been submitted as an update to Fedora 29. https://bodhi.fedoraproject.org/updates/FEDORA-2019-602c4a53d2

Comment 14 Fedora Update System 2019-09-23 11:49:11 UTC
FEDORA-EPEL-2019-625e654909 has been submitted as an update to Fedora EPEL 7. https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2019-625e654909

Comment 15 Fedora Update System 2019-09-24 00:49:38 UTC
xrdp-0.9.11-5.fc30 has been pushed to the Fedora 30 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2019-22adff3c39

Comment 16 Fedora Update System 2019-09-24 01:23:53 UTC
xrdp-0.9.11-5.fc31 has been pushed to the Fedora 31 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2019-997c85bf31

Comment 17 Fedora Update System 2019-09-24 01:45:33 UTC
xrdp-0.9.11-5.el7 has been pushed to the Fedora EPEL 7 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2019-625e654909

Comment 18 Fedora Update System 2019-09-24 03:03:47 UTC
xrdp-0.9.11-5.fc29 has been pushed to the Fedora 29 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2019-602c4a53d2

Comment 19 Fedora Update System 2019-09-24 03:57:23 UTC
xrdp-0.9.11-5.el8 has been pushed to the Fedora EPEL 8 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2019-6e641aad91

Comment 20 Fedora Update System 2019-10-02 00:46:42 UTC
xrdp-0.9.11-5.fc31 has been pushed to the Fedora 31 stable repository. If problems still persist, please make note of it in this bug report.

Comment 21 Fedora Update System 2019-10-02 01:40:58 UTC
xrdp-0.9.11-5.fc29 has been pushed to the Fedora 29 stable repository. If problems still persist, please make note of it in this bug report.

Comment 22 Fedora Update System 2019-10-02 01:59:27 UTC
xrdp-0.9.11-5.fc30 has been pushed to the Fedora 30 stable repository. If problems still persist, please make note of it in this bug report.

Comment 23 Fedora Update System 2019-10-09 17:28:04 UTC
xrdp-0.9.11-5.el7 has been pushed to the Fedora EPEL 7 stable repository. If problems still persist, please make note of it in this bug report.

Comment 24 Fedora Update System 2019-10-09 18:55:28 UTC
xrdp-0.9.11-5.el8 has been pushed to the Fedora EPEL 8 stable repository. If problems still persist, please make note of it in this bug report.