Bug 1872688
Summary: | Remote execution will fail on client with FIPS enabled | | |
---|---|---|---|
Product: | Red Hat Satellite | Reporter: | Jan Jansky <jjansky> |
Component: | Remote Execution | Assignee: | satellite6-bugs <satellite6-bugs> |
Status: | CLOSED ERRATA | QA Contact: | Peter Ondrejka <pondrejk> |
Severity: | medium | | |
Priority: | high | | |
Version: | 6.7.0 | CC: | ahumbe, ajambhul, arahaman, aruzicka, avroy, bdm, casmith, georgerobinson, jalviso, juraj.bocinec, juraj.bocinec, kkinge, lstejska, pcreech, redhatbugs, saydas |
Target Milestone: | 6.11.0 | Keywords: | PrioBumpGSS, Triaged |
Target Release: | Unused | | |
Hardware: | Unspecified | | |
OS: | Unspecified | | |
Fixed In Version: | tfm-rubygem-smart_proxy_remote_execution_ssh-0.5.0 | Doc Type: | If docs needed, set a value |
: | 2027341 | | |
Last Closed: | 2022-07-05 14:28:21 UTC | Type: | Bug |
Description
Jan Jansky
2020-08-26 12:40:05 UTC
The problem is that Satellite 6.8 internally uses v4.2.0 of the Ruby Net::SSH library to run remote jobs, but that library doesn't support the FIPS key algorithms (rsa-sha2-256/rsa-sha2-512) until v6.2.0: https://github.com/net-ssh/net-ssh/pull/771

As a work-around, you can select "Job Category: Ansible Commands" instead of "Job Category: Commands" when running Jobs in Satellite. This works because Ansible uses the `ssh` executable instead of using the Ruby Net::SSH library.

Greetings, is there any ETA on resolving this? Seems this workaround won't help if I try to apply errata for host as it seems to use SSH REX instead of Ansible Commands. Or should I open RH support case? We use Satellite 6.9.1. Thank you.

In theory you should be able to go to Administer > Remote execution features, pick Katello errata install and change the job template to "Install errata - Katello ansible default" to use ansible even for errata application.

Thank you for this info, I confirm that after switching to ansible method, install errata now works for RHEL8 client.

*** Bug 2027341 has been marked as a duplicate of this bug. ***

How is "downgrade to katello agent" (now deprecated) or "decrease your security to fail audits" an accepted solution?
Looks like upstream is fixed. If that's true, we need this merged ASAP.
https://projects.theforeman.org/issues/33198

(In reply to George R from comment #19)
> How is "downgrade to katello agent" (now deprecated) or "decrease your
> security to fail audits" an accepted solution?
> Looks like upstream is fixed. If that's true, we need this merged ASAP.
> https://projects.theforeman.org/issues/33198

Since I can't spontaneous comment above, let me post the more considered version. The real bug is me hitting save too soon. Since ssh rex is the direction, and the release notes for 6.10 show that the next version of satellite will remove the agent, using katello agent feels more like a work around.

Here's a better overview: The upstream project, Foreman, addressed this in issue #33198, which is to use the native ssh instead of net::ssh. That translates into BZ issue #1872688, where it shows target milestone of 7.0. Based on the past cadence, we can hope for release of 7.0 to be near Summit which is usually in May.

I'm a bit lost, where are we suggesting to downgrade to katello agent? Is there a reason why (until 7.0 lands) you could not use ansible instead of "raw" ssh rex? It should have no issues with fips-enabled hosts and I'd say it is the only sane workaround for this BZ.

Verified on Satellite 7 snap 4, ssh type rex job is executed successfully against FIPS enabled RHEL8 host.

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (Moderate: Satellite 6.11 Release), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2022:5498