Bug 1756432
Field | Value
---|---
Summary | Default client configuration breaks ssh in FIPS mode.
Product | Red Hat Enterprise Linux 8
Reporter | Simo Sorce <ssorce>
Component | ipa
Assignee | Christian Heimes <cheimes>
Status | CLOSED ERRATA
QA Contact | ipa-qe <ipa-qe>
Severity | urgent
Priority | unspecified
Version | 8.1
CC | cheimes, jjelen, ksiddiqu, pasik, pcech, rcritten, tscherf, twoerner
Target Milestone | rc
Target Release | 8.2
Hardware | Unspecified
OS | Unspecified
Fixed In Version | ipa-4.8.2-1.module+el8.2.0+4697+7171660c
Doc Type | If docs needed, set a value
Story Points | ---
Clone Of | 
: | 1771356
Last Closed | 2020-04-28 15:43:29 UTC
Type | Bug
Regression | ---
Mount Type | ---
Documentation | ---
Category | ---
oVirt Team | ---
Cloudforms Team | ---
Bug Blocks | 1760850, 1771356
Description
Simo Sorce
2019-09-27 15:39:39 UTC
I think this part of code was highly inspired by the bug report in Debian [1], which recommends these particular configuration options to be set as a workaround for old openssh versions in the range between 5.7 and 6.1. Neither of these versions is available in RHEL or Fedora anymore and, as described above, they are even harmful since they reduce the default security configuration of OpenSSH for all (!) connections in the following ways:

* ssh-dsa is disabled by default and no scripts should enable it this way. Using 1k DSA keys is purely wrong.
* ssh-rsa refers to legacy RSA with SHA1, which is being slowly deprecated in favour of rsa-sha2-256 and rsa-sha2-512, which are also disabled by your configuration.
* There are ecdsa and ED25519 key types that are being disabled this way also.

Please consider dropping this configuration change [2] from your install scripts.

[1] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=698794
[2] https://github.com/freeipa/freeipa/blob/9c20641f5c8e9d4f813d0ba3e80b7ccc9df0ed15/ipaclient/install/client.py#L1111

The HostKeyAlgorithms setting is only added when ipa-client-install is invoked with --ssh-trust-dns. By default the internal flag trust_sshfp is False and the setting is not added to the global ssh config. Should IPA use a different setting for HostKeyAlgorithms or not touch HostKeyAlgorithms at all?

Update from internal conversation with Simo and Rob: it is sufficient to remove the problematic HostKeyAlgorithms stanza from the ssh config file. Since it only affects the global ssh client config file, it is not necessary to restart any service. A simple sed call might be good enough.
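The remediation agreed above (remove only the restrictive HostKeyAlgorithms stanza from the global ssh client config and let OpenSSH's defaults apply), as an added shell example that is not FreeIPA's own code. The sample ssh_config is constructed, since the report does not quote the exact line the installer wrote, and assumes it listed only the ssh-rsa and ssh-dss key types.

```shell
#!/bin/sh
# Added example, not FreeIPA's own code: find and remove a HostKeyAlgorithms
# line that pins the ssh client to the legacy ssh-rsa / ssh-dss key types,
# which is what the report describes ipa-client-install --ssh-trust-dns
# writing. Removing the line restores OpenSSH's own defaults, so no service
# restart is needed (the file only affects the ssh client).

# Matches a HostKeyAlgorithms line whose value consists solely of
# ssh-rsa / ssh-dss entries (certificate variants included via the
# "[^,[:space:]]*" suffix). A line that also lists modern algorithms,
# or uses the "+"/"-" prefix forms, is left untouched on purpose.
LEGACY_HKA_RE='^[[:space:]]*HostKeyAlgorithms[[:space:]]+ssh-(rsa|dss)[^,[:space:]]*(,ssh-(rsa|dss)[^,[:space:]]*)*[[:space:]]*$'

# make_sample FILE: write a constructed ssh_config in the bad state
# (the other keywords and paths are illustrative, not taken from the report).
make_sample() {
    cat > "$1" <<'EOF'
# constructed sample of /etc/ssh/ssh_config after ipa-client-install --ssh-trust-dns
Host *
    GSSAPIAuthentication yes
    VerifyHostKeyDNS yes
    HostKeyAlgorithms ssh-rsa,ssh-dss
    GlobalKnownHostsFile /var/lib/sss/pubconf/known_hosts
EOF
}

# legacy_hka_count FILE: print how many legacy-only HostKeyAlgorithms lines exist.
legacy_hka_count() {
    grep -Ec "$LEGACY_HKA_RE" "$1" || true
}

# strip_legacy_hka FILE: delete those lines, writing via a temp file rather
# than "sed -i", whose syntax differs between GNU and BSD sed.
strip_legacy_hka() {
    tmp="$1.tmp.$$"
    sed -E "/$LEGACY_HKA_RE/d" "$1" > "$tmp" && mv "$tmp" "$1"
}

# Stand-alone demonstration on the constructed sample: ./fix_hka.sh --demo
if [ "${1:-}" = "--demo" ]; then
    cfg=$(mktemp)
    make_sample "$cfg"
    echo "legacy-only HostKeyAlgorithms lines before: $(legacy_hka_count "$cfg")"
    strip_legacy_hka "$cfg"
    echo "legacy-only HostKeyAlgorithms lines after:  $(legacy_hka_count "$cfg")"
    rm -f "$cfg"
fi
```

On a real host, `ssh -G somehost | grep -i hostkeyalgorithms` prints the effective list before and after the change, which is the quickest way to confirm the defaults are back.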
Upstream ticket: https://pagure.io/freeipa/issue/8082

Upstream fix proposed in https://github.com/freeipa/freeipa/pull/3887

Fixed upstream master: https://pagure.io/freeipa/c/97a31e69e8399933d45006c744ddafcf036eca5f
Fixed upstream ipa-4-8: https://pagure.io/freeipa/c/2422970c34849192b15d1798eae9b11a400e7119
Fixed upstream ipa-4-6: https://pagure.io/freeipa/c/7cd1d565ac2b240eda697dbebb043a1a2885d23a

Fixed in IPA 4.8.2

Test automation:
master: https://pagure.io/freeipa/c/bba41dc85c8427992b5626b5a9daaf86c3b2a812
ipa-4-8: https://pagure.io/freeipa/c/ac67dc9d385e622750c0e205e7848cf2fde88387
ipa-4-6: https://pagure.io/freeipa/c/482bf8a53e64bb115f2a37a2973875937abbd7d4

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHEA-2020:1640