Bug 1778224
| Summary: | ssh client prints "FIPS mode initialized" to stderr | ||
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 8 | Reporter: | Christian Heimes <cheimes> |
| Component: | openssh | Assignee: | Jakub Jelen <jjelen> |
| Status: | CLOSED ERRATA | QA Contact: | Ondrej Moriš <omoris> |
| Severity: | unspecified | Docs Contact: | |
| Priority: | low | ||
| Version: | 8.2 | CC: | omoris, tcrider, tmraz, vikram.khatri |
| Target Milestone: | rc | Keywords: | Triaged |
| Target Release: | 8.2 | Flags: | jjelen: mirror+ |
| Hardware: | Unspecified | ||
| OS: | Unspecified | ||
| Whiteboard: | |||
| Fixed In Version: | openssh-8.0p1-5.el8 | Doc Type: | No Doc Update |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2020-11-04 01:31:59 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
Description
Christian Heimes
2019-11-29 14:14:12 UTC
It's an easy fix, just replace
logit("FIPS mode initialized");
with
debug("FIPS mode initialized");
near ssh.c:1290
As OpenSSH is no longer a FIPS module it should be no problem to apply this proposed change from comment 1.

This message was there for ages. It just means that you never tried to run IPA in FIPS before. But I agree with Tomas. As we no longer certify OpenSSH, this message probably does not need to be there at all, isn't it Tomas (less patches always better)? As we do not have errata in RHEL 8.2 and this does not look like super-high priority, I postponed it to the next release.

IPA works fine in FIPS mode. The issue does not break IPA itself but rather automated tests. We are currently in the process to enable all upstream integration tests to verify that all features work in FIPS mode. The integration test system spams a couple of VMs and then runs test scenarios over SSH. Some of the tests are failing in FIPS mode because they get confused by additional text in stderr.

(In reply to Jakub Jelen from comment #3)
> But I agree with Tomas. As we no longer certify OpenSSH, this message
> probably does not need to be there at all, isn't it Tomas (less patches
> always better)?

I suppose you still need to change behavior of openssh based on whether the FIPS mode is enabled or not, for that reason I would recommend keeping that message in the debug output. Of course if this was the only invocation of FIPS_mode() call in the openssh I would not block removing it altogether.

There are still a few conditions with FIPS_mode() in fips patch so I will change it to debug message in the next release.

The message "FIPS mode initialized" is very annoying. Christian Heimes mentions that it is an easy fix. Can you please make sure that this is available in next release. Also, request to backport to RHEL 7.x versions. This annoying message breaks automation. Thank YOU,

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.

For information on the advisory (openssh bug fix and enhancement update), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2020:4439
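The failure mode discussed in this thread (a test harness that treats any text on ssh's stderr as an error), shown as an added example that is not part of the bug report, OpenSSH, or the IPA test suite. `FAKE_SSH` is a constructed local stand-in for an ssh invocation so the code runs offline, and all function names are hypothetical.

```python
import subprocess
import sys

# Informational lines known to be harmless; the entry is the message from this bug.
BENIGN_STDERR = ("FIPS mode initialized",)

# Constructed stand-in for "ssh host cmd": the child writes the informational
# line to stderr, the real result to stdout, and exits with status 0.
FAKE_SSH = [sys.executable, "-c",
            "import sys; sys.stderr.write('FIPS mode initialized\\n'); "
            "print('uid=0(root)')"]


def run(argv):
    """Run a command and return (exit status, stdout, stderr) as text."""
    proc = subprocess.run(argv, capture_output=True, text=True, timeout=30)
    return proc.returncode, proc.stdout, proc.stderr


def brittle_ok(argv):
    """The failing pattern: any text on stderr is treated as an error."""
    rc, _out, err = run(argv)
    return rc == 0 and err == ""


def unexpected_stderr(err):
    """Return stderr lines that are not on the benign list, for the test report."""
    return [ln.strip() for ln in err.splitlines()
            if ln.strip() and ln.strip() not in BENIGN_STDERR]


def robust_check(argv, expected_stdout):
    """Decide pass/fail from exit status and stdout; surface leftover stderr."""
    rc, out, err = run(argv)
    passed = rc == 0 and out.strip() == expected_stdout
    return passed, unexpected_stderr(err)


if __name__ == "__main__":
    print("brittle check passes:", brittle_ok(FAKE_SSH))
    print("robust check result: ", robust_check(FAKE_SSH, "uid=0(root)"))
```

Keeping the benign list exact and short means a genuine ssh error on stderr still shows up in the report instead of being silently discarded.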