Description of problem:
In FIPS mode, curl segfaults when downloading via scp (see details below).
Version-Release number of selected component (if applicable):
Steps to Reproduce:
1. Add a curltestuser account
# useradd -m curltestuser
2. Create a test file
# su - curltestuser -c 'dd if=/dev/zero of=testfile bs=1M count=200'
3. Create an SSH key (for FIPS you need RSA with more than 1024 bits)
# ssh-keygen -t rsa -f /root/.ssh/id_rsa -N ''
# mkdir /home/curltestuser/.ssh
# cat /root/.ssh/id_rsa.pub > /home/curltestuser/.ssh/authorized_keys
# chown -R curltestuser.curltestuser /home/curltestuser/.ssh/
4. Initiate curl scp download
# curl -v -o ./scp_file -u curltestuser: --key /root/.ssh/id_rsa \
--pubkey /root/.ssh/id_rsa.pub scp://localhost/home/curltestuser
* About to connect() to localhost port 22 (#0)
* Trying ::1... connected
* Connected to localhost (::1) port 22 (#0)
* Failed to read known hosts from /root/.ssh/known_hosts
Segmentation fault (core dumped)
This does not happen in non-FIPS mode, where scp download works flawlessly.
Output from 'strace -f' is attached.
Created attachment 797937
Output of 'strace -f'.
Looks like a duplicate of bug 968575. Could you please check whether installing libssh2 from the private-bz968575 branch of dist-git fixes the problem?
Alternatively, I can check it myself if you have a RHEL-6 machine booting in FIPS that you can lend me for testing...
I just realized we have also bug 856100 against curl running in FIPS. Chances are we will have to fix both in RHEL-6. So we can use this bug as a RHEL-6 sibling of bug 856100.
(In reply to Kamil Dudka from comment #2)
> Looks like a duplicate of bug 968575. Could you please check whether
> installing libssh2 from the private-bz968575 branch of dist-git fixes the
> problem?
> Alternatively, I can check it myself if you have a RHEL-6 machine booting
> in FIPS that you can lend me for testing...
Is this request still current? I can test it easily (and I can give you a RHEL-6 FIPS machine for testing as well). I am just wondering whether BZ#856100 would block me; if not, I can do it right away.
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.
For information on the advisory, and where to find the updated
files, follow the link below.
If the solution does not work for you, open a new bug report.