Bug 2223693
| Summary: | SSH login is allowed with MACs which is not present in /etc/ssh/sshd_config file [openssh] | | |
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 8 | Reporter: | Dushyant <duge> |
| Component: | openssh | Assignee: | Dmitry Belyavskiy <dbelyavs> |
| Status: | CLOSED NOTABUG | QA Contact: | BaseOS QE Security Team <qe-baseos-security> |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | | |
| Version: | 8.8 | CC: | jjelen, npocs |
| Target Milestone: | rc | Keywords: | Triaged |
| Target Release: | --- | | |
| Hardware: | x86_64 | | |
| OS: | Linux | | |
| Whiteboard: | | | |
| Fixed In Version: | | Doc Type: | If docs needed, set a value |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2023-08-01 12:52:13 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
Could you please provide the session log? If we use an AEAD cipher when establishing the session, we use an implicit MAC, and so the check is bypassed.
Description of problem:
SSH login is allowed with MACs which are not present in the /etc/ssh/sshd_config file on the openssh server.

Version-Release number of selected component (if applicable):
kernel -> 4.18.0-477.15.1.el8_8.x86_64
openssh version -> openssh-8.0p1-17.el8_7.x86_64

How reproducible:

Openssh Server:
--------------

```
~]# ip addr | grep inet | grep enp0s8
    inet 192.168.56.118/24 brd 192.168.56.255 scope global dynamic noprefixroute enp0s8
~]# grep CRYPTO_POLICY /etc/sysconfig/sshd
CRYPTO_POLICY=
~]# update-crypto-policies --show
DEFAULT
~]# egrep MACs /etc/ssh/sshd_config
MACs umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1
~]# sshd -T | grep macs
macs umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1
~]# ps -ef | grep sshd
root     10613 10609  0 08:21 ?        00:00:00 sshd: root@pts/1
root     11304     1  0 09:58 ?        00:00:00 /usr/sbin/sshd -D
~]# systemctl status sshd
● sshd.service - OpenSSH server daemon
   Loaded: loaded (/usr/lib/systemd/system/sshd.service; enabled; vendor preset: enabled)
   Active: active (running) since Tue 2023-07-18 09:58:41 EDT; 10min ago
     Docs: man:sshd(8)
           man:sshd_config(5)
 Main PID: 11304 (sshd)
    Tasks: 1 (limit: 11132)
   Memory: 2.7M
   CGroup: /system.slice/sshd.service
           └─11304 /usr/sbin/sshd -D

Jul 18 09:58:41 myhostname.redhat.com systemd[1]: Starting OpenSSH server daemon...
Jul 18 09:58:41 myhostname.redhat.com sshd[11304]: Server listening on 0.0.0.0 port 22.
Jul 18 09:58:41 myhostname.redhat.com sshd[11304]: Server listening on :: port 22.
Jul 18 09:58:41 myhostname.redhat.com systemd[1]: Started OpenSSH server daemon.
Jul 18 10:02:46 myhostname.redhat.com sshd[11333]: Accepted password for root from 192.168.56.1 port 58234 ssh2
Jul 18 10:02:46 myhostname.redhat.com sshd[11333]: pam_unix(sshd:session): session opened for user root by (uid=0)
```

Login from client system:
------------------------

```
[dushyant@uge ~]$ ssh -oMACs=umac-64-etm@openssh.com root@192.168.56.118
root@192.168.56.118's password:
Last login: Tue Jul 18 09:54:43 2023 from 192.168.56.1
[root@myhostname ~]#
```

Actual results:
Even if the MAC is not present in the /etc/ssh/sshd_config file, the ssh login is possible.

Expected results:
SSH login with the particular MAC should not be allowed if that MAC is not present in the openssh server's /etc/ssh/sshd_config file.
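The reason this report ends up NOTABUG, as an added example that is not part of the bug report or of OpenSSH: OpenSSH negotiates a MAC algorithm only when the agreed cipher has no built-in authentication. With an AEAD cipher (aes128-gcm@openssh.com, aes256-gcm@openssh.com or chacha20-poly1305@openssh.com) both sides' MACs lists are skipped entirely and `ssh -vv` reports `MAC: <implicit>`, so the client's `-oMACs=umac-64-etm@openssh.com` never had to match anything on the server. The script below checks for that condition offline: it flags AEAD ciphers in an `sshd -T` dump and extracts the negotiated cipher and MAC per direction from `ssh -vv` output. Both inputs are constructed samples; the report does not show the server's Ciphers line (with `CRYPTO_POLICY=` emptied in /etc/sysconfig/sshd the daemon uses its own configuration rather than the system crypto policy), so the ciphers line in the sample is an assumption.

```shell
#!/bin/sh
# Added example for bug 2223693; not code from the report or from OpenSSH.
# OpenSSH only negotiates a MAC when the chosen cipher carries no built-in
# authentication. For the AEAD ciphers the MACs lists on both sides are
# ignored and "ssh -vv" prints "MAC: <implicit>". Everything below runs
# offline on constructed sample data.

# The AEAD ciphers OpenSSH 8.x offers; any other cipher is paired with a
# separately negotiated MAC taken from the MACs lists.
AEAD_CIPHERS="aes128-gcm@openssh.com aes256-gcm@openssh.com chacha20-poly1305@openssh.com"

# Constructed "sshd -T" excerpt. The ciphers line is an ASSUMPTION (the report
# does not show it); the macs line is the one from the report.
SAMPLE_SSHD_T='port 22
ciphers aes256-gcm@openssh.com,chacha20-poly1305@openssh.com,aes256-ctr,aes256-cbc,aes128-gcm@openssh.com,aes128-ctr,aes128-cbc
macs umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1'

# Constructed "ssh -vv" excerpt for a login like the reporter's, showing the
# two lines that record what the transport actually negotiated.
SAMPLE_SSH_VV='debug1: kex: algorithm: curve25519-sha256
debug1: kex: host key algorithm: ssh-ed25519
debug1: kex: server->client cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none
debug1: kex: client->server cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none'

# is_aead CIPHER: succeeds when CIPHER is one of the AEAD ciphers.
is_aead() {
    for candidate in $AEAD_CIPHERS; do
        [ "$1" = "$candidate" ] && return 0
    done
    return 1
}

# aead_ciphers_in_config: reads an "sshd -T" dump on stdin and prints the AEAD
# ciphers found on its "ciphers" line, space-separated and in server order.
# Exit status 0 when at least one is present, i.e. when the MACs line is not
# enforced for every session the server will accept.
aead_ciphers_in_config() {
    found=""
    cipherlist=$(awk '$1 == "ciphers" { print $2; exit }')
    for c in $(printf '%s\n' "$cipherlist" | tr ',' '\n'); do
        if is_aead "$c"; then
            found="${found}${found:+ }$c"
        fi
    done
    printf '%s\n' "$found"
    [ -n "$found" ]
}

# negotiated_macs: reads "ssh -vv" output on stdin and prints one
# "direction cipher mac" triple per "kex: ... cipher:" line. A mac of
# "<implicit>" means no MAC algorithm was negotiated at all.
negotiated_macs() {
    awk '/kex: (client->server|server->client) cipher:/ {
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^(client->server|server->client)$/) dir = $i
            if ($i == "cipher:") cipher = $(i + 1)
            if ($i == "MAC:") mac = $(i + 1)
        }
        print dir, cipher, mac
    }'
}

# macs_bypassed: succeeds when the "ssh -vv" output on stdin shows an implicit
# MAC in either direction, which is exactly the situation in this bug.
macs_bypassed() {
    negotiated_macs | awk '$3 == "<implicit>" { found = 1 } END { exit !found }'
}

# Stand-alone run over the constructed samples.
printf 'AEAD ciphers enabled on the server: %s\n' \
    "$(printf '%s\n' "$SAMPLE_SSHD_T" | aead_ciphers_in_config)"
printf '%s\n' "$SAMPLE_SSH_VV" | negotiated_macs
if printf '%s\n' "$SAMPLE_SSH_VV" | macs_bypassed; then
    echo "MAC negotiation was skipped: the MACs line did not apply to this session"
fi
```

To confirm that the MACs line does its job where it applies, pin a non-AEAD cipher on the client: `ssh -vv -oCiphers=aes256-ctr -oMACs=umac-64-etm@openssh.com root@192.168.56.118` is expected to fail with `no matching MAC found`, because MAC negotiation really happens for that cipher. Removing the AEAD ciphers from the server so that the MACs line always applies would trade the strongest constructions for weaker ones; treat Ciphers and MACs (or the crypto policy that generates both) as one setting and restrict them together.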