Bug 1801849

Summary: LEGACY policy prefers weaker algorithms preventing ssh authentication using RSA keys to FIPS server
Product: Red Hat Enterprise Linux 8
Reporter: Jakub Jelen <jjelen>
Component: crypto-policies
Assignee: Tomas Mraz <tmraz>
Status: CLOSED ERRATA
QA Contact: Ondrej Moriš <omoris>
Severity: high
Priority: high
Version: 8.2
CC: nmavrogi, omoris, ssorce, szidek
Target Milestone: rc
Keywords: Triaged
Target Release: 8.3
Hardware: Unspecified
OS: Unspecified
Fixed In Version: crypto-policies-20200527-1.git63fc906.el8
Doc Type: No Doc Update
Last Closed: 2020-11-04 01:58:27 UTC
Type: Bug
Bug Blocks: 1825061

Description Jakub Jelen 2020-02-11 18:12:01 UTC
Description of problem:
It turns out that the LEGACY crypto policy prefers weaker algorithms (ssh-rsa) to SHA2-based ones (rsa-sha2-256) in the public key algorithms for SSH, which causes it to fail to authenticate to FIPS servers, which do not allow these weaker algorithms.

OpenSSH is trying the first supported algorithm (from the RSA variants) that is in the list, and as there is no way to negotiate what the server supports, it fails after one attempt.

This problem does not happen in DEFAULT policy, as it already has the SHA2 variants in front of the SHA1.

Version-Release number of selected component (if applicable):
all RHEL8 versions

How reproducible:
deterministic

Steps to Reproduce:
1. Configure a FIPS system as an SSH server
2. Configure the client with the LEGACY crypto policy
3. Generate an RSA key on the client, copy the public key to the server
4. Try to connect using publickey authentication

Actual results:
the server rejects our key:
sshd[19281]: userauth_pubkey: key type ssh-rsa not in PubkeyAcceptedKeyTypes [preauth]

Expected results:
The key is sent with rsa-sha2-256/512 sig type and is accepted by server.
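
A check for the ordering this report describes, added here as an example (it is not part of the bug report or of crypto-policies): it reports whether ssh-rsa is listed ahead of the rsa-sha2-* variants in a client's public key algorithm list. The function names and the two sample lists are constructed for illustration; plain RSA keys only, certificate variants are ignored.

```shell
#!/bin/sh
# Added example, not from the bug report.

# rsa_sig_order LIST
#   LIST is a comma-separated algorithm list (PubkeyAcceptedKeyTypes format).
#   Prints: sha1-first | sha2-first | sha1-only | sha2-only | no-rsa
rsa_sig_order() (
    set -f                      # no glob expansion while splitting the list
    IFS=,
    sha1_pos=0; sha2_pos=0; i=0
    for alg in $1; do
        i=$((i + 1))
        case $alg in
            ssh-rsa)
                if [ "$sha1_pos" -eq 0 ]; then sha1_pos=$i; fi ;;
            rsa-sha2-256|rsa-sha2-512)
                if [ "$sha2_pos" -eq 0 ]; then sha2_pos=$i; fi ;;
        esac
    done
    if [ "$sha1_pos" -eq 0 ] && [ "$sha2_pos" -eq 0 ]; then echo no-rsa
    elif [ "$sha2_pos" -eq 0 ]; then echo sha1-only
    elif [ "$sha1_pos" -eq 0 ]; then echo sha2-only
    elif [ "$sha1_pos" -lt "$sha2_pos" ]; then echo sha1-first
    else echo sha2-first
    fi
)

# effective_pubkey_algs HOST
#   Prints the list the client would use for HOST. `ssh -G` prints option
#   names in lower case; newer OpenSSH releases name this option
#   PubkeyAcceptedAlgorithms, so both spellings are matched.
effective_pubkey_algs() {
    ssh -G "$1" | awk '$1 == "pubkeyacceptedkeytypes" ||
                       $1 == "pubkeyacceptedalgorithms" { print $2; exit }'
}

if [ "$#" -gt 0 ]; then
    # Real run: sh check.sh <host>
    echo "$1: $(rsa_sig_order "$(effective_pubkey_algs "$1")")"
else
    # Constructed sample lists (not copied from any shipped policy file).
    echo "ssh-rsa listed first:  $(rsa_sig_order 'ssh-ed25519,ssh-rsa,rsa-sha2-256,rsa-sha2-512')"
    echo "rsa-sha2 listed first: $(rsa_sig_order 'ssh-ed25519,rsa-sha2-256,rsa-sha2-512,ssh-rsa')"
fi
```

A result of sha1-first on a client is the ordering reported here for LEGACY; sha2-first matches what the report says about DEFAULT.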

Comment 1 Simo Sorce 2020-02-11 18:19:02 UTC
Will changing the order for LEGACY policy cause any issues trying to connect to older servers that support only sha-rsa and not the (now preferred) rsa-sha2-256/512 algorithms?

Comment 2 Jakub Jelen 2020-02-11 18:23:30 UTC
(In reply to Simo Sorce from comment #1)
> Will changing the order for LEGACY policy cause any issues trying to connect
> to older servers that support only sha-rsa and not the (now preferred)
> rsa-sha2-256/512 algorithms?

As far as I know, it should not, at least for OpenSSH.

The servers supporting rsa-sha2 need to advertise these algorithms in the server-sig-alg extension [1], and the client should send the SHA2 signatures only to the servers that support it and fall back to the legacy ssh-rsa algorithm otherwise.

[1] https://tools.ietf.org/html/rfc8308#section-3.1

Comment 4 Simo Sorce 2020-03-02 16:20:18 UTC
We definitely want this.

Comment 11 errata-xmlrpc 2020-11-04 01:58:27 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (crypto-policies bug fix and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2020:4536