Bug 1438414 - RHEL7.4 in FIPS mode is unable to ssh into RHEL4.9
Summary: RHEL7.4 in FIPS mode is unable to ssh into RHEL4.9
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: openssh
Version: 7.4
Hardware: x86_64
OS: Linux
unspecified
unspecified
Target Milestone: rc
: ---
Assignee: Jakub Jelen
QA Contact: Stefan Dordevic
Mirek Jahoda
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2017-04-03 11:48 UTC by Jan Stancek
Modified: 2018-08-07 15:17 UTC (History)
7 users (show)

Fixed In Version: openssh-7.4p1-3.el7
Doc Type: Deprecated Functionality
Doc Text:
This update removes SHA1-based key exchange algorithms from the default list in FIPS mode. They can still be re-enabled using the configuration snippet below: KexAlgorithms=+diffie-hellman-group14-sha1,diffie-hellman-group-exchange-sha1
Clone Of:
Environment:
Last Closed: 2017-08-01 18:42:47 UTC
Target Upstream Version:


Attachments (Terms of Use)


Links
System ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2017:2029 normal SHIPPED_LIVE Moderate: openssh security, bug fix, and enhancement update 2017-08-01 18:11:55 UTC

Description Jan Stancek 2017-04-03 11:48:39 UTC
Description of problem:
RHEL7.4 in FIPS mode with openssh-7.4p1-1.el7 and later is no longer able to ssh into RHEL4.9, for example:

# ssh -vvv ibm-hs21-04.lab.bos.redhat.com
OpenSSH_7.4p1, OpenSSL 1.0.1e-fips 11 Feb 2013
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 58: Applying options for *
FIPS mode initialized
debug2: resolving "ibm-hs21-04.lab.bos.redhat.com" port 22
debug2: ssh_connect_direct: needpriv 0
debug1: Connecting to ibm-hs21-04.lab.bos.redhat.com [2620:52:0:102f:21a:64ff:fe5c:f17e] port 22.
debug1: Connection established.
debug1: permanently_set_uid: 0/0
debug1: identity file /root/.ssh/id_rsa type 1
debug1: key_load_public: No such file or directory
debug1: identity file /root/.ssh/id_rsa-cert type -1
debug1: key_load_public: No such file or directory
debug1: identity file /root/.ssh/id_dsa type -1
debug1: key_load_public: No such file or directory
debug1: identity file /root/.ssh/id_dsa-cert type -1
debug1: key_load_public: No such file or directory
debug1: identity file /root/.ssh/id_ecdsa type -1
debug1: key_load_public: No such file or directory
debug1: identity file /root/.ssh/id_ecdsa-cert type -1
debug1: key_load_public: No such file or directory
debug1: identity file /root/.ssh/id_ed25519 type -1
debug1: key_load_public: No such file or directory
debug1: identity file /root/.ssh/id_ed25519-cert type -1
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_7.4
debug1: Remote protocol version 1.99, remote software version OpenSSH_3.9p1
debug1: match: OpenSSH_3.9p1 pat OpenSSH_3.* compat 0x01000000
debug2: fd 3 setting O_NONBLOCK
debug1: Authenticating to ibm-hs21-04.lab.bos.redhat.com:22 as 'root'
debug3: send packet: type 20
debug1: SSH2_MSG_KEXINIT sent
debug3: receive packet: type 20
debug1: SSH2_MSG_KEXINIT received
debug2: local client KEXINIT proposal
debug2: KEX algorithms: ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256,,ext-info-c
debug2: host key algorithms: ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521-cert-v01@openssh.com,ssh-ed25519-cert-v01@openssh.com,ssh-rsa-cert-v01@openssh.com,ssh-dss-cert-v01@openssh.com,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-ed25519,rsa-sha2-512,rsa-sha2-256,ssh-rsa,ssh-dss
debug2: ciphers ctos: aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,3des-cbc,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se
debug2: ciphers stoc: aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,3des-cbc,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se
debug2: MACs ctos: hmac-sha1,hmac-sha2-256,hmac-sha2-512,hmac-sha1-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com
debug2: MACs stoc: hmac-sha1,hmac-sha2-256,hmac-sha2-512,hmac-sha1-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com
debug2: compression ctos: none,zlib@openssh.com,zlib
debug2: compression stoc: none,zlib@openssh.com,zlib
debug2: languages ctos: 
debug2: languages stoc: 
debug2: first_kex_follows 0 
debug2: reserved 0 
debug2: peer server KEXINIT proposal
debug2: KEX algorithms: diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
debug2: host key algorithms: ssh-rsa,ssh-dss
debug2: ciphers ctos: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se,aes128-ctr,aes192-ctr,aes256-ctr
debug2: ciphers stoc: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se,aes128-ctr,aes192-ctr,aes256-ctr
debug2: MACs ctos: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: MACs stoc: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: compression ctos: none,zlib
debug2: compression stoc: none,zlib
debug2: languages ctos: 
debug2: languages stoc: 
debug2: first_kex_follows 0 
debug2: reserved 0 
debug1: kex: algorithm: (no match)
Unable to negotiate with 2620:52:0:102f:21a:64ff:fe5c:f17e port 22: no matching key exchange method found. Their offer: diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1

Version-Release number of selected component (if applicable):
openssh-7.4p1-2.el7

How reproducible:
100%

Steps to Reproduce:
ssh from FIPS RHEL7.4 into RHEL4.9

Actual results:
unable to ssh in RHEL4.9

Expected results:
ssh into RHEL4.9 is possible (at least with some workaround)

Additional info:

Comment 2 Jan Stancek 2017-04-03 11:52:54 UTC
See also: Bug 1324493 - Update the list of FIPS approved algorithms

Comment 3 Tomas Mraz 2017-04-03 12:21:42 UTC
I'd say this is expected and acceptable.

Comment 4 Jakub Jelen 2017-04-04 07:38:48 UTC
(In reply to Tomas Mraz from comment #3)
> I'd say this is expected and acceptable.

Well, the main point was that this was working in RHEL7.3 and the change was propagated from the Fedora bug #1324493.
The main question is if this is something that FIPS enforces or we should rather aim for compatibility (with RHEL7.3 and also with legacy RHEL4.9).
If we hit this issue in our own infrastructure, it is very likely that there will be similar issue and setup somewhere in the wild in customers deployments.

Tomas, if you are ok with this change, we will certainly have to make sure it will be documented.

Comment 5 Tomas Mraz 2017-04-04 11:36:46 UTC
The deprecation of SHA1 for FIPS is a known fact, so I think just documenting the change (with the possible workaround by explicitly allowing the SHA1 based DH methods) is sufficient.

Comment 6 Jakub Jelen 2017-04-04 13:25:47 UTC
Sorry for coming up with details gradually (this should have been in the original report). But the problem is that when the cipher is not allowed in the FIPS, there is no workaround. The kex is not known to OpenSSH in FIPS.

By manually selecting the cipher it leads to

    "diffie-hellman-group1-sha1" is not allowed in FIPS mode

so from there was the question how is the status of SHA1 in FIPS and what of the options would be acceptable for FIPS:

 * Do we want the same behavior as in RHEL7.3: Enabled in default proposal
 * Not in default proposal, possible to enable using configuration (preferred)
 * Not in default proposal, unable to enable (current behavior of RHEL 7.4 package)

Comment 7 Tomas Mraz 2017-04-04 14:03:57 UTC
I think the second option is the best.

Comment 8 Jakub Jelen 2017-04-04 14:51:54 UTC
I will restore both the methods that were allowed in RHEL 7.3:

  diffie-hellman-group-exchange-sha1
  diffie-hellman-group14-sha1

They will not be offered by default (not on client nor server), but  they can be re-enabled using configuration option such as

  ssh -oKexAlgorithms=+diffie-hellman-group14-sha1 user@legacyhost

or using configuration as described in http://www.openssh.com/legacy.html

The diffie-hellman-group-exchange-sha1 was disabled in RHEL7.3 and will stay so.

Comment 11 Jan Stancek 2017-04-25 12:38:55 UTC
It still fails for me with openssh-7.4p1-3.el7:

# ssh -oKexAlgorithms=+diffie-hellman-group14-sha1 user@rhel4
FIPS mode initialized
Unable to negotiate with 10.10.10.10 port 22: no matching key exchange method found. Their offer: diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1

# echo $?
255

# cat /proc/sys/crypto/fips_enabled
1

Comment 12 Jakub Jelen 2017-04-25 15:43:06 UTC
Can you post a debug log from

  ssh -vvv -oKexAlgorithms=+diffie-hellman-group14-sha1 user@rhel4

Comment 13 Jan Stancek 2017-04-26 07:00:56 UTC
# ssh -vvv -oKexAlgorithms=+diffie-hellman-group14-sha1 user@rhel4
OpenSSH_7.4p1, OpenSSL 1.0.1e-fips 11 Feb 2013
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 58: Applying options for *
FIPS mode initialized
debug2: resolving "rhel4" port 22
debug2: ssh_connect_direct: needpriv 0
debug1: Connecting to rhel4 [10.10.10.10] port 22.
debug1: Connection established.
debug1: permanently_set_uid: 0/0
debug1: key_load_public: No such file or directory
debug1: identity file /root/.ssh/id_rsa type -1
debug1: key_load_public: No such file or directory
debug1: identity file /root/.ssh/id_rsa-cert type -1
debug1: key_load_public: No such file or directory
debug1: identity file /root/.ssh/id_dsa type -1
debug1: key_load_public: No such file or directory
debug1: identity file /root/.ssh/id_dsa-cert type -1
debug1: key_load_public: No such file or directory
debug1: identity file /root/.ssh/id_ecdsa type -1
debug1: key_load_public: No such file or directory
debug1: identity file /root/.ssh/id_ecdsa-cert type -1
debug1: key_load_public: No such file or directory
debug1: identity file /root/.ssh/id_ed25519 type -1
debug1: key_load_public: No such file or directory
debug1: identity file /root/.ssh/id_ed25519-cert type -1
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_7.4
debug1: Remote protocol version 1.99, remote software version OpenSSH_3.9p1
debug1: match: OpenSSH_3.9p1 pat OpenSSH_3.* compat 0x01000000
debug2: fd 3 setting O_NONBLOCK
debug1: Authenticating to rhel4:22 as 'user'
debug3: send packet: type 20
debug1: SSH2_MSG_KEXINIT sent
debug3: receive packet: type 20
debug1: SSH2_MSG_KEXINIT received
debug2: local client KEXINIT proposal
debug2: KEX algorithms: ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256,,diffie-hellman-group14-sha1,ext-info-c
debug2: host key algorithms: ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521-cert-v01@openssh.com,ssh-ed25519-cert-v01@openssh.com,ssh-rsa-cert-v01@openssh.com,ssh-dss-cert-v01@openssh.com,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-ed25519,rsa-sha2-512,rsa-sha2-256,ssh-rsa,ssh-dss
debug2: ciphers ctos: aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,3des-cbc,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se
debug2: ciphers stoc: aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,3des-cbc,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se
debug2: MACs ctos: hmac-sha1,hmac-sha2-256,hmac-sha2-512,hmac-sha1-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com
debug2: MACs stoc: hmac-sha1,hmac-sha2-256,hmac-sha2-512,hmac-sha1-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com
debug2: compression ctos: none,zlib@openssh.com,zlib
debug2: compression stoc: none,zlib@openssh.com,zlib
debug2: languages ctos: 
debug2: languages stoc: 
debug2: first_kex_follows 0 
debug2: reserved 0 
debug2: peer server KEXINIT proposal
debug2: KEX algorithms: diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
debug2: host key algorithms: ssh-rsa,ssh-dss
debug2: ciphers ctos: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se,aes128-ctr,aes192-ctr,aes256-ctr
debug2: ciphers stoc: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se,aes128-ctr,aes192-ctr,aes256-ctr
debug2: MACs ctos: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: MACs stoc: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: compression ctos: none,zlib
debug2: compression stoc: none,zlib
debug2: languages ctos: 
debug2: languages stoc: 
debug2: first_kex_follows 0 
debug2: reserved 0 
debug1: kex: algorithm: (no match)
Unable to negotiate with 10.10.10.10 port 22: no matching key exchange method found. Their offer: diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1

Comment 14 Jakub Jelen 2017-04-26 08:13:45 UTC
I see suspicious comma in the line

    debug2: KEX algorithms: ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256,,diffie-hellman-group14-sha1,ext-info-c

which might cause these problems. I don't see it it non-FIPS mode. As a possible workaround, the following should work:

    ssh -vvv -oKexAlgorithms=diffie-hellman-group14-sha1 user@rhel4

I can reproduce the same problem with my machine if I try to pass the bogus comma to the algorithm list

    ssh -vvv -oKexAlgorithms=,diffie-hellman-group14-sha1 user@localhost

It is certainly bug in the FIPS offered list. This should not be in the default configuration, but the parser itself should not choke on that (it ends when it does not find the anything in front of comma).

I will respin the package as soon as I will find out how to put it together.

Comment 18 errata-xmlrpc 2017-08-01 18:42:47 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2017:2029


Note You need to log in before you can comment on or make changes to this bug.