Bug 1264651 - weak ciphers should be disabled in rhnmd config to comply with security audits
Product: Red Hat Satellite 5
Classification: Red Hat
Component: Monitoring
Severity: unspecified
Assigned To: Grant Gainey
Reported: 2015-09-19 17:46 EDT by Jan Hutař
Modified: 2017-04-28 14:21 EDT
Last Closed: 2017-04-28 14:21:46 EDT
Type: Bug
Description Jan Hutař 2015-09-19 17:46:34 EDT
Description of problem:
rhnmd should not allow MD5 and 96-bit MAC algorithms to comply with some security audits. For more info on sshd security hardening, please see:


Version-Release number of selected component (if applicable):
(possibly on RHEL5 and RHEL7 as well)

How reproducible:

Steps to Reproduce:
1. Set up Satellite 5.7.0 with monitoring and one client
2. Prepare "Linux: Load" probe (which is using rhnmd daemon)
3. Add these two lines ("Ciphers ..." and "MACs ...") mentioned in
   the KB article to the rhnmd_config on the client
4. Notice rhnmd is allowing weak ciphers (using "Diagnostic Steps" from
   the KB article - run these from satellite server and you should get
   the shell on the client):
   # ssh -vv -i /var/lib/nocpulse/.ssh/nocpulse-identity \
     -oCiphers=aes128-cbc,3des-cbc,blowfish-cbc nocpulse@<client> -p 4545
   # ssh -vv -i /var/lib/nocpulse/.ssh/nocpulse-identity \
     -oMACs=hmac-md5 nocpulse@<client> -p 4545
5. Restart rhnmd on the client
6. Ensure the probe is still working
7. Ensure you do not get remote shell when you re-run commands from step "4."

Actual results:
It still works even with these weak ciphers disabled

Expected results:
These weak ciphers should be disabled by default

Additional info:
Originally reported via SFDC 01506231
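
A static check to complement the `ssh -vv` probes in step 4, added here as an example and not part of the original report or of Satellite: it reads sshd-style config text such as rhnmd_config and flags MD5 or 96-bit MACs and CBC-mode ciphers. Flagging every CBC cipher generalises the three the report tests, and both sample configs are constructed.

```python
import re

# Constructed samples: neither is the shipped rhnmd_config nor the KB article's text.
SAMPLE_DEFAULT = "Port 4545\nProtocol 2\n"
SAMPLE_HARDENED = (
    "Port 4545\n"
    "Ciphers aes128-ctr,aes192-ctr,aes256-ctr\n"
    "MACs hmac-sha1,hmac-ripemd160\n"
)


def is_weak(keyword, algo):
    """Weak per the report: CBC-mode ciphers, MD5-based or 96-bit MACs."""
    if keyword == "ciphers":
        return "-cbc" in algo
    return "md5" in algo or "-96" in algo


def audit(config_text):
    """Return {"ciphers": finding, "macs": finding} for sshd-style config text."""
    seen = {}
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments
        # sshd accepts "Keyword value" and "Keyword=value", case-insensitively.
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        key = parts[0].lower()
        if key in ("ciphers", "macs") and key not in seen and len(parts) == 2:
            if parts[1].strip():
                seen[key] = parts[1].strip()  # sshd uses the first value it reads
    findings = {}
    for key in ("ciphers", "macs"):
        value = seen.get(key)
        if value is None:
            # No directive: the daemon's built-in defaults decide what is offered.
            findings[key] = "unset: daemon defaults apply"
        elif value[0] in "+-^":
            # Newer OpenSSH syntax that edits the default list instead of replacing it.
            findings[key] = "relative to defaults: check effective list"
        else:
            weak = [a.strip() for a in value.split(",") if is_weak(key, a.strip())]
            findings[key] = "weak: " + ",".join(weak) if weak else "ok"
    return findings


if __name__ == "__main__":
    for name, text in (("default", SAMPLE_DEFAULT), ("hardened", SAMPLE_HARDENED)):
        print(name, audit(text))
```

An "unset" finding needs the same follow-up as a "weak" one: without the directives the file says nothing about what the daemon will negotiate, so the step 4 connection test is still required.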
Comment 1 Grant Gainey 2017-04-28 14:21:46 EDT
Monitoring has a number of issues, and is being removed in the upcoming SATELLITE-5.8 release. Closing, WONTFIX
