Bug 1893059
| Summary: | Satellite 6.8 Remote Execution fails on RHEL 8.2 clients with DEFAULT:NO-SHA1 crypto policy | ||
|---|---|---|---|
| Product: | Red Hat Satellite | Reporter: | Shane Boulden <sboulden> |
| Component: | Remote Execution | Assignee: | satellite6-bugs <satellite6-bugs> |
| Status: | CLOSED ERRATA | QA Contact: | Peter Ondrejka <pondrejk> |
| Severity: | medium | Docs Contact: | |
| Priority: | unspecified | ||
| Version: | 6.8.0 | CC: | aruzicka, bdm, lstejska, pcreech |
| Target Milestone: | 6.11.0 | Keywords: | Triaged |
| Target Release: | Unused | ||
| Hardware: | x86_64 | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | tfm-rubygem-smart_proxy_remote_execution_ssh-0.5.0 | Doc Type: | If docs needed, set a value |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2022-07-05 14:28:25 UTC | Type: | Bug |

Looks like the support for using rsa-sha2-256 and rsa-sha2-512 as PubkeyAcceptedKeyTypes is a bit wonky in the ssh library we use. I managed to reproduce the issue even with its latest version even though it should be fully supported there. Revived the issue there: https://github.com/net-ssh/net-ssh/issues/712#issuecomment-720403946

Verified on Satellite 7.0 snap 4, ssh type rex job ran successfully against RHEL8 host with DEFAULT:NO-SHA1 crypto policy enabled.

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (Moderate: Satellite 6.11 Release), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2022:5498

Description of problem:

Remote Execution fails when RHEL 8.2 clients are configured with the DEFAULT:NO-SHA1 systemwide crypto policy

Version-Release number of selected component (if applicable):

    satellite-6.8.0-1.el7sat.noarch
    crypto-policies-20191128-2.git23e1bf1.el8.noarch

How reproducible:

Every time

Steps to Reproduce:

1. Configure the NO-SHA1 crypto policy on a RHEL 8.2 client:

       update-crypto-policies --set DEFAULT:NO-SHA1

2. From Satellite, copy foreman-proxy SSH keys to the client:

       ssh-copy-id -i ~foreman-proxy/.ssh/id_rsa_foreman_proxy.pub user.xx.xx

3. Verify SSH works:

       ssh -i ~foreman-proxy/.ssh/id_rsa_foreman_proxy user.xx.xx

4. Schedule a remote execution job from Satellite:

       All hosts -> select host -> Schedule remote job
       Job Category: Commands
       Job template: Run Command - SSH Default
       Command: hostname

Actual results:

Remote job fails

Expected results:

Remote job succeeds

Additional info:

Satellite reports the following in /var/log/foreman/production.log:

    Parameters: {"callback"=>{"task_id"=>"f11391f0-e310-49bc-8ffa-7497e0b1cd38", "step_id"=>3}, "data"=>{"result"=>[{"output_type"=>" debug", "output"=>"Error initializing command: Net::SSH::AuthenticationFailed - Authentication failed for user user.xx.xx", "timestamp"=>1604018256.3824 368}], "runner_id"=>"a82ae4db-f852-4790-8fa0-fed85c65e610", "exit_status"=>"EXCEPTION"}, "task"=>{}}

The client reports the following in /var/log/secure:

    sshd[8898]: userauth_pubkey: key type ssh-rsa not in PubkeyAcceptedKeyTypes [preauth]

Disabling the NO-SHA1 policy enables remote execution to proceed:

    update-crypto-policies --set DEFAULT
    systemctl restart sshd
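
Added example, not part of the original report or of Satellite: a triage script that scans sshd log lines for the rejection quoted above and ties each one to the connecting peer through the sshd PID, so SSH clients still signing with SHA-1 can be found before a NO-SHA1 policy is rolled out. The rejected name `ssh-rsa` is the RSA/SHA-1 signature algorithm; per RFC 8332 the same RSA key can sign as `rsa-sha2-256` or `rsa-sha2-512`. The function names are hypothetical and the sample log is constructed, apart from the `userauth_pubkey` message itself.

```python
import re

# SHA-1 signature algorithm names, mapped to the SHA-2 names the same RSA key
# can sign with (RFC 8332). No new key is needed, only a different signature.
SHA1_TO_SHA2 = {
    "ssh-rsa": ["rsa-sha2-256", "rsa-sha2-512"],
    "ssh-rsa-cert-v01@openssh.com": ["rsa-sha2-256-cert-v01@openssh.com",
                                     "rsa-sha2-512-cert-v01@openssh.com"],
}
# Rejection as logged in this report; the alternation also accepts the wording
# used after OpenSSH renamed the option to PubkeyAcceptedAlgorithms.
REJECT = re.compile(r"sshd\[(\d+)\]: userauth_pubkey: (?:key type|signature algorithm) "
                    r"(\S+) not in PubkeyAccepted(?:KeyTypes|Algorithms)")
# Line sshd writes when the unauthenticated peer disconnects (same PID).
PEER = re.compile(r"sshd\[(\d+)\]: Connection closed by authenticating user "
                  r"(\S+) (\S+) port \d+")

def make_finding(alg, user, peer):
    return {"algorithm": alg, "user": user, "peer": peer,
            "sha2_alternatives": SHA1_TO_SHA2.get(alg, [])}

def find_rejections(lines):
    """Return one finding per rejected algorithm, joined to its peer via the sshd PID."""
    pending, findings = {}, []
    for line in lines:
        if m := REJECT.search(line):
            pending.setdefault(m[1], []).append(m[2])
        elif (m := PEER.search(line)) and m[1] in pending:
            findings.extend(make_finding(alg, m[2], m[3]) for alg in pending.pop(m[1]))
    for algs in pending.values():  # rejection seen, but no disconnect line for that PID
        findings.extend(make_finding(alg, None, None) for alg in algs)
    return findings

# Constructed sample: only the userauth_pubkey message comes from the report;
# timestamps, host name, user, address, ports and fingerprint are made up.
SAMPLE_LOG = [
    "Oct 30 00:37:36 client sshd[8898]: userauth_pubkey: key type ssh-rsa "
    "not in PubkeyAcceptedKeyTypes [preauth]",
    "Oct 30 00:37:36 client sshd[8898]: Connection closed by authenticating "
    "user user 192.0.2.10 port 51234 [preauth]",
    "Oct 30 00:41:02 client sshd[8920]: Accepted publickey for user from "
    "192.0.2.10 port 51300 ssh2: RSA SHA256:CONSTRUCTED",
]

if __name__ == "__main__":
    for finding in find_rejections(SAMPLE_LOG):
        print(finding)
```

A finding whose `sha2_alternatives` list is non-empty points at a client library problem rather than a key problem, which matches the report: the same key works from the `ssh` command line.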