Bug 2073567

Summary: gpg-agent cannot handle ssh keys in FIPS
Product: Red Hat Enterprise Linux 9 Reporter: Stanislav Zidek <szidek>
Component: gnupg2Assignee: Jakub Jelen <jjelen>
Status: CLOSED ERRATA QA Contact: Stanislav Zidek <szidek>
Severity: medium Docs Contact: Mirek Jahoda <mjahoda>
Priority: medium    
Version: 9.0CC: jjelen
Target Milestone: rcKeywords: Regression, Triaged
Target Release: ---Flags: pm-rhel: mirror+
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: gnupg2-2.3.3-3.el9 Doc Type: Bug Fix
Doc Text:
.`gpg-agent` now works as an SSH agent in FIPS mode Previously, the `gpg-agent` tool created MD5 fingerprints when adding keys to the `ssh-agent` program even though FIPS mode disabled the MD5 digest. As a consequence, the `ssh-add` utility failed to add the keys to the authentication agent. With this release, `gpg-agent` no longer use MD5 checksums. As a result, `gpg-agent` now works as an SSH authentication agent also on systems running in FIPS mode.
 Story Points: ---
Clone Of: Environment:
Last Closed: 2023-11-07 08:43:37 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Stanislav Zidek 2022-04-08 20:26:59 UTC 
Description of problem:
In FIPS mode, 'gpg-agent --daemon --enable-ssh-support' can add keys (ssh-add ...), but then gives 'The agent has no identities.' when trying to list them (ssh-add -l). 

Version-Release number of selected component (if applicable):
gnupg2-2.3.3-1.el9.x86_64
libgcrypt-1.10.0-3.el9.x86_64
openssh-8.7p1-8.el9.x86_64

How reproducible:
always

Steps to Reproduce:
1. dnf install -y pinentry-tty
2. ssh-keygen -f testkey -P ''
3. gpg-agent --daemon --enable-ssh-support >envs
4. source envs
5. ssh-add testkey
6. ssh-add -l

Actual results:

# ssh-add testkey
Please enter a passphrase to protect the received secret key
   SHA256:IHw/1uKMQBjUXcFZItMsF2wnWP4fWJuubkSJxSBgvZw
   root.local
within gpg-agent's key storage
Passphrase: 
Repeat: 
Identity added: testkey (root.local)

# ssh-add -l
The agent has no identities.


Expected results:

# ssh-add -l
3072 SHA256:IHw/1uKMQBjUXcFZItMsF2wnWP4fWJuubkSJxSBgvZw root.local (RSA)

Additional info:

Test /CoreOS/gnupg2/Regression/bz638635-gpg-agent-fails-to-encode-iteration-count-into-keys reproduces this issue.
Comment 1 Jakub Jelen 2022-04-11 14:13:51 UTC 
The problem is caused by the gnupg2 trying to create MD5 fingerprint when writing the sshcontrol file in here:

  https://git.gnupg.org/cgi-bin/gitweb.cgi?p=gnupg.git;a=blob;f=agent/command-ssh.c;h=a7784e728d9df7b37bdd1a6af73684ecb03e3b02;hb=HEAD#l1097

There is a workaround to add the entry to this file manually.

In long term, the gnupg should avoid using the md5 fingerprints in FIPS mode. It should be quite simple to avoid this, especially when this is used only in a comment describing the key.
Comment 2 Jakub Jelen 2022-04-13 14:15:45 UTC 
Upstream issue: https://dev.gnupg.org/T5929
Comment 15 errata-xmlrpc 2023-11-07 08:43:37 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (gnupg2 bug fix and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2023:6597