Bug 1829476

Summary: add rsa-sha2-256,rsa-sha2-512 to PubkeyAcceptedKeyTypes for OSPP
Product: Red Hat Enterprise Linux 8
Reporter: Steve Grubb <sgrubb>
Component: scap-security-guide
Assignee: Vojtech Polasek <vpolasek>
Status: CLOSED ERRATA
QA Contact: Matus Marhefka <mmarhefk>
Severity: medium
Priority: urgent
Docs Contact:
Version: 8.1
CC: awestbro, ggasparb, jjaburek, lmiksik, matyc, mhaicman, mthacker, wsato
Target Milestone: rc
Keywords: ZStream
Target Release: 8.0
Flags: pm-rhel: mirror+
Hardware: Unspecified
OS: Unspecified
Whiteboard:
Fixed In Version: scap-security-guide-0.1.50-4.el8
Doc Type: No Doc Update
Doc Text:
Story Points: ---
Clone Of:
Cloned as: 1860297 1860298 (view as bug list)
Environment:
Last Closed: 2020-11-04 02:30:10 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On:
Bug Blocks: 1510124, 1860297, 1860298

Description Steve Grubb 2020-04-29 15:41:03 UTC
Description of problem:
We need to have an update made to the 8.1 scap-security-guide.

rsa-sha2-256,rsa-sha2-512

need to be added under PubkeyAcceptedKeyTypes in

/etc/crypto-policies/local.d/opensshserver-ospp.config

to enable more crypto algorithms that we claim.

Comment 1 Jiri Jaburek 2020-04-29 17:45:29 UTC
FTR; for ospp on 8.1, this is done by the "harden_sshd_crypto_policy" rule, which directly remediates the /etc/crypto-policies/local.d/opensshserver-ospp.config file... so the change should be as simple as adding the two key types to shared.sh and OVAL.

Comment 2 Jiri Jaburek 2020-05-06 13:13:59 UTC
FTR; I've tested this on 8.2 as well and the issue is not present there (FIPS.pmod from crypto-policies correctly adds both KeyTypes).

Comment 3 Watson Yuuma Sato 2020-05-06 17:01:21 UTC
Steve, is the order of the algorithms in PubkeyAcceptedKeyTypes important? If so, what should it be?

Comment 4 Steve Grubb 2020-05-06 17:49:30 UTC
I don't think it's order-sensitive since it's the client making the proposals. But just in case, add these to the beginning.
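The check-and-remediate step discussed in the description, comment 1 and comment 4 (verify that rsa-sha2-256 and rsa-sha2-512 are in PubkeyAcceptedKeyTypes, and prepend them if not), as an added example that is not the scap-security-guide rule's own shared.sh or OVAL. It assumes the RHEL 8 crypto-policies file layout, a single `CRYPTO_POLICY='... -oPubkeyAcceptedKeyTypes=... ...'` line, and the sample file it writes is constructed for the demo; `check_pubkey_types`, `fix_pubkey_types` and `get_pubkey_types` are names chosen here.

```shell
#!/bin/sh
# Added example, not scap-security-guide code. Checks and remediates the
# PubkeyAcceptedKeyTypes list inside a crypto-policies opensshserver config.
# Assumption: the file holds one line of the form
#   CRYPTO_POLICY='-oCiphers=... -oPubkeyAcceptedKeyTypes=a,b,c ...'
# which is the RHEL 8 back-end/local.d layout.

WANTED="rsa-sha2-256,rsa-sha2-512"

# Print the current comma-separated PubkeyAcceptedKeyTypes value (empty if absent).
get_pubkey_types() {
    sed -n "s/.*-oPubkeyAcceptedKeyTypes=\([^ ']*\).*/\1/p" "$1"
}

# Return 0 when every algorithm in WANTED is present, 1 otherwise (OVAL-style check).
check_pubkey_types() {
    cur=$(get_pubkey_types "$1")
    [ -n "$cur" ] || return 1
    for alg in $(printf '%s' "$WANTED" | tr ',' ' '); do
        case ",$cur," in
            *",$alg,"*) ;;
            *) return 1 ;;
        esac
    done
    return 0
}

# Prepend the missing algorithms (comment 4: put them at the beginning).
# Idempotent: a second run changes nothing. Returns 1 if the option is absent.
fix_pubkey_types() {
    f=$1
    cur=$(get_pubkey_types "$f")
    [ -n "$cur" ] || { echo "no -oPubkeyAcceptedKeyTypes option in $f" >&2; return 1; }
    missing=""
    for alg in $(printf '%s' "$WANTED" | tr ',' ' '); do
        case ",$cur," in
            *",$alg,"*) ;;
            *) missing="${missing:+$missing,}$alg" ;;
        esac
    done
    [ -n "$missing" ] || return 0
    new="$missing,$cur"
    sed "s/-oPubkeyAcceptedKeyTypes=[^ ']*/-oPubkeyAcceptedKeyTypes=$new/" "$f" > "$f.tmp" \
        && mv "$f.tmp" "$f"
}

# Constructed sample: an OSPP-style policy line that lacks the two rsa-sha2 types.
make_sample() {
    cat > "$1" <<'EOF'
CRYPTO_POLICY='-oCiphers=aes256-ctr,aes128-ctr,aes256-gcm@openssh.com,aes128-gcm@openssh.com -oMACs=hmac-sha2-512,hmac-sha2-256 -oKexAlgorithms=ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521 -oHostKeyAlgorithms=rsa-sha2-256,rsa-sha2-512,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521 -oPubkeyAcceptedKeyTypes=ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521'
EOF
}

# Usage: sh check_pubkey_types.sh /etc/crypto-policies/local.d/opensshserver-ospp.config
# Reports only; call fix_pubkey_types yourself to remediate a real file.
if [ $# -eq 1 ]; then
    if check_pubkey_types "$1"; then
        echo "PASS: $1 accepts $WANTED"
    else
        echo "FAIL: $1 PubkeyAcceptedKeyTypes=$(get_pubkey_types "$1")"
        exit 1
    fi
fi
```

After remediation, confirm sshd actually consumes the list: on a host with the OSPP policy applied, `sshd -T | grep -i pubkeyacceptedkeytypes` should list both rsa-sha2 types, and a client with an RSA key will negotiate rsa-sha2-256 or rsa-sha2-512 instead of being refused.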

Comment 5 Vojtech Polasek 2020-05-14 07:18:03 UTC
Fixed upstream: https://github.com/ComplianceAsCode/content/pull/5742

Comment 7 Matěj Týč 2020-05-28 09:10:21 UTC
The BZ is Modified, because the pull request has been backported to the 8.1 CC branch.

Comment 19 errata-xmlrpc 2020-11-04 02:30:10 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (scap-security-guide bug fix and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2020:4626