Description of problem:
rhnmd should not allow MD5 and 96-bit MAC algorithms to comply with some security audits.

For more info on sshd security hardening, please see:
https://access.redhat.com/solutions/420283

Version-Release number of selected component (if applicable):
rhnmd-5.3.18-2.el6sat.noarch (possibly on RHEL5 and RHEL7 as well)

How reproducible:
always

Steps to Reproduce:
1. Set up Satellite 5.7.0 with monitoring and one client
2. Prepare "Linux: Load" probe (which is using rhnmd daemon)
3. Add these two lines ("Ciphers ..." and "MACs ...") mentioned in the KB article to the rhnmd_config on the client
4. Notice rhnmd is allowing weak ciphers (using "Diagnostic Steps" from the KB article - run these from satellite server and you should get the shell on the client):
   # ssh -vv -i /var/lib/nocpulse/.ssh/nocpulse-identity \
       -oCiphers=aes128-cbc,3des-cbc,blowfish-cbc nocpulse@<client> -p 4545
   # ssh -vv -i /var/lib/nocpulse/.ssh/nocpulse-identity \
       -oMACs=hmac-md5 nocpulse@<client> -p 4545
5. Restart rhnmd on the client
6. Ensure the probe is still working
7. Ensure you do not get remote shell when you re-run commands from step "4."

Actual results:
It still works even with these weak ciphers disabled

Expected results:
These weak ciphers should be disabled by default

Additional info:
Originally reported via SFDC 01506231

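A configuration-side check to go with the diagnostic commands in step 4, as an added example that is not part of the original report or of rhnmd itself: it reads an sshd_config-style file and reports CBC ciphers and MD5 or 96-bit MACs that remain allowed. It assumes rhnmd_config uses sshd_config syntax; the function names and the sample config are constructed for illustration, and the path to the file is supplied by the caller.

```shell
#!/bin/sh
# Added example (not from the report): audit an sshd_config-style file such as
# rhnmd_config for CBC ciphers and MD5 / 96-bit MACs.

# first_value FILE KEY: value of the first KEY line (KEY given in lowercase).
# Keywords are matched case-insensitively; handles "Key value" and "Key=value".
first_value() {
    awk -F'[ \t=]+' -v key="$2" '
        { sub(/^[ \t]+/, "") }
        /^#/ { next }
        tolower($1) == key { print $2; exit }
    ' "$1"
}

# weak_entries LIST: print entries of a comma-separated algorithm list that
# are CBC-mode ciphers, MD5-based MACs or MACs truncated to 96 bits.
weak_entries() {
    printf '%s\n' "$1" | tr ',' '\n' | while IFS= read -r alg; do
        case "$alg" in
            *-cbc|*-cbc@*|hmac-md5*|*-96|*-96-*) printf '%s\n' "$alg" ;;
        esac
    done
}

# audit_config FILE: return 0 only if Ciphers and MACs are both set to
# explicit lists with no weak entries; findings are printed to stdout.
audit_config() {
    rc=0
    for key in ciphers macs; do
        value=$(first_value "$1" "$key")
        weak=$(weak_entries "$value" | tr '\n' ' ')
        case "$value" in
            '')     echo "$key: not set, daemon defaults apply"; rc=1 ;;
            [+^-]*) echo "$key: modifies defaults ($value), review by hand"; rc=1 ;;
            *)  if [ -n "$weak" ]; then
                    echo "$key: weak algorithms allowed: $weak"; rc=1
                else
                    echo "$key: ok ($value)"
                fi ;;
        esac
    done
    return "$rc"
}

# Constructed sample input: one CBC cipher and one MD5 MAC are still listed.
sample=$(mktemp)
printf '%s\n' 'Port 4545' 'Ciphers aes128-ctr,aes128-cbc' 'MACs hmac-sha2-256,hmac-md5' > "$sample"
audit_config "$sample" || echo "result: non-compliant"
rm -f "$sample"
```

A non-zero return from `audit_config` means a directive is missing or a weak algorithm is still listed; the live check against the running daemon remains the ssh commands in step 4.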
Monitoring has a number of issues, and is being removed in the upcoming SATELLITE-5.8 release. Closing, WONTFIX