Bug 1264651 - weak ciphers should be disabled in rhnmd config to comply with security audits
Keywords:
Status: CLOSED WONTFIX
Alias: None
Product: Red Hat Satellite 5
Classification: Red Hat
Component: Monitoring
Version: 570
Hardware: Unspecified
OS: Unspecified
unspecified
unspecified
Target Milestone: ---
Assignee: Grant Gainey
QA Contact: Red Hat Satellite QA List
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2015-09-19 21:46 UTC by Jan Hutař
Modified: 2019-08-15 05:28 UTC

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2017-04-28 18:21:46 UTC
Target Upstream Version:
Embargoed:



Description Jan Hutař 2015-09-19 21:46:34 UTC
Description of problem:
rhnmd should not allow MD5 and 96-bit MAC algorithms to comply with some security audits. For more info on sshd security hardening, please see:

https://access.redhat.com/solutions/420283


Version-Release number of selected component (if applicable):
rhnmd-5.3.18-2.el6sat.noarch
(possibly on RHEL5 and RHEL7 as well)


How reproducible:
always


Steps to Reproduce:
1. Set up Satellite 5.7.0 with monitoring and one client
2. Prepare "Linux: Load" probe (which is using rhnmd daemon)
3. Add these two lines ("Ciphers ..." and "MACs ...") mentioned in
   the KB article to the rhnmd_config on the client
4. Notice rhnmd is allowing weak ciphers (using "Diagnostic Steps" from
   the KB article - run these from satellite server and you should get
   the shell on the client):
   # ssh -vv -i /var/lib/nocpulse/.ssh/nocpulse-identity \
     -oCiphers=aes128-cbc,3des-cbc,blowfish-cbc nocpulse@<client> -p 4545
   # ssh -vv -i /var/lib/nocpulse/.ssh/nocpulse-identity \
     -oMACs=hmac-md5 nocpulse@<client> -p 4545
5. Restart rhnmd on the client
6. Ensure the probe is still working
7. Ensure you do not get remote shell when you re-run commands from step "4."


Actual results:
It still works even with these weak ciphers disabled


Expected results:
These weak ciphers should be disabled by default


Additional info:
Originally reported via SFDC 01506231
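
A config-side check to complement the connection tests in step 4, as an added example that is not part of the bug report or of rhnmd: it reads an sshd-style file and flags `Ciphers`/`MACs` entries that are CBC-mode, MD5-based or 96-bit, and also flags a missing directive, since the daemon then falls back to its built-in defaults. Treating every `-cbc` cipher as weak generalizes the three ciphers named in the report and is an assumption, as are the function names and the constructed sample config.

```shell
#!/bin/sh
# Added example: audit an sshd-style config such as rhnmd_config.
# Assumed policy: no CBC ciphers, no MD5-based or 96-bit MACs.

# Print the value of the first occurrence of keyword $2 in file $1.
# sshd keywords are case-insensitive and the first value found is used.
first_value() {
    awk -v key="$2" '
        /^[ \t]*#/ { next }
        tolower($1) == tolower(key) { $1 = ""; gsub(/[ \t]/, ""); print; exit }
    ' "$1"
}

# Print each entry of comma-separated list $1 that matches pattern $2.
weak_entries() {
    printf '%s\n' "$1" | tr ',' '\n' | grep -E -- "$2" || true
}

# Report findings on stdout; return 1 if the file needs attention.
audit_ssh_config() {
    cfg=$1
    status=0
    for spec in 'Ciphers:-cbc' 'MACs:md5|-96'; do
        key=${spec%%:*}
        pattern=${spec#*:}
        value=$(first_value "$cfg" "$key")
        case $value in
            '') echo "$key: not set, the daemon's built-in defaults apply"
                status=1; continue ;;
            [-+^]*) echo "$key: modifies the defaults, review by hand: $value"
                status=1; continue ;;
        esac
        for alg in $(weak_entries "$value" "$pattern"); do
            echo "$key: weak algorithm allowed: $alg"
            status=1
        done
    done
    return "$status"
}

# Constructed sample (not a real rhnmd_config): MACs set, Ciphers missing.
sample=$(mktemp)
printf '%s\n' 'Port 4545' 'macs hmac-sha1,hmac-md5,hmac-sha1-96' > "$sample"
audit_ssh_config "$sample" || true
rm -f "$sample"
```

A clean result from this check only covers the file; the `ssh -oCiphers=...` and `ssh -oMACs=...` attempts from step 4 still confirm what the running daemon actually negotiates after the restart.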

Comment 1 Grant Gainey 2017-04-28 18:21:46 UTC
Monitoring has a number of issues, and is being removed in the upcoming SATELLITE-5.8 release. Closing, WONTFIX

