RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.
Bug 1438414 - RHEL7.4 in FIPS mode is unable to ssh into RHEL4.9
Summary: RHEL7.4 in FIPS mode is unable to ssh into RHEL4.9
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: openssh
Version: 7.4
Hardware: x86_64
OS: Linux
unspecified
unspecified
Target Milestone: rc
: ---
Assignee: Jakub Jelen
QA Contact: Stefan Dordevic
Mirek Jahoda
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2017-04-03 11:48 UTC by Jan Stancek
Modified: 2021-09-09 12:13 UTC (History)
9 users (show)

Fixed In Version: openssh-7.4p1-3.el7
Doc Type: Deprecated Functionality
Doc Text:
This update removes SHA1-based key exchange algorithms from the default list in FIPS mode. They can still be re-enabled using the configuration snippet below: KexAlgorithms=+diffie-hellman-group14-sha1,diffie-hellman-group-exchange-sha1
Clone Of:
Environment:
Last Closed: 2017-08-01 18:42:47 UTC
Target Upstream Version:
Embargoed:

Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2017:2029 0 normal SHIPPED_LIVE Moderate: openssh security, bug fix, and enhancement update 2017-08-01 18:11:55 UTC

Description Jan Stancek 2017-04-03 11:48:39 UTC 
Description of problem:
RHEL7.4 in FIPS mode with openssh-7.4p1-1.el7 and later is no longer able to ssh into RHEL4.9, for example:

# ssh -vvv ibm-hs21-04.lab.bos.redhat.com
OpenSSH_7.4p1, OpenSSL 1.0.1e-fips 11 Feb 2013
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 58: Applying options for *
FIPS mode initialized
debug2: resolving "ibm-hs21-04.lab.bos.redhat.com" port 22
debug2: ssh_connect_direct: needpriv 0
debug1: Connecting to ibm-hs21-04.lab.bos.redhat.com [2620:52:0:102f:21a:64ff:fe5c:f17e] port 22.
debug1: Connection established.
debug1: permanently_set_uid: 0/0
debug1: identity file /root/.ssh/id_rsa type 1
debug1: key_load_public: No such file or directory
debug1: identity file /root/.ssh/id_rsa-cert type -1
debug1: key_load_public: No such file or directory
debug1: identity file /root/.ssh/id_dsa type -1
debug1: key_load_public: No such file or directory
debug1: identity file /root/.ssh/id_dsa-cert type -1
debug1: key_load_public: No such file or directory
debug1: identity file /root/.ssh/id_ecdsa type -1
debug1: key_load_public: No such file or directory
debug1: identity file /root/.ssh/id_ecdsa-cert type -1
debug1: key_load_public: No such file or directory
debug1: identity file /root/.ssh/id_ed25519 type -1
debug1: key_load_public: No such file or directory
debug1: identity file /root/.ssh/id_ed25519-cert type -1
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_7.4
debug1: Remote protocol version 1.99, remote software version OpenSSH_3.9p1
debug1: match: OpenSSH_3.9p1 pat OpenSSH_3.* compat 0x01000000
debug2: fd 3 setting O_NONBLOCK
debug1: Authenticating to ibm-hs21-04.lab.bos.redhat.com:22 as 'root'
debug3: send packet: type 20
debug1: SSH2_MSG_KEXINIT sent
debug3: receive packet: type 20
debug1: SSH2_MSG_KEXINIT received
debug2: local client KEXINIT proposal
debug2: KEX algorithms: ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256,,ext-info-c
debug2: host key algorithms: ecdsa-sha2-nistp256-cert-v01,ecdsa-sha2-nistp384-cert-v01,ecdsa-sha2-nistp521-cert-v01,ssh-ed25519-cert-v01,ssh-rsa-cert-v01,ssh-dss-cert-v01,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-ed25519,rsa-sha2-512,rsa-sha2-256,ssh-rsa,ssh-dss
debug2: ciphers ctos: aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,3des-cbc,aes192-cbc,aes256-cbc,rijndael-cbc.se
debug2: ciphers stoc: aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,3des-cbc,aes192-cbc,aes256-cbc,rijndael-cbc.se
debug2: MACs ctos: hmac-sha1,hmac-sha2-256,hmac-sha2-512,hmac-sha1-etm,hmac-sha2-256-etm,hmac-sha2-512-etm
debug2: MACs stoc: hmac-sha1,hmac-sha2-256,hmac-sha2-512,hmac-sha1-etm,hmac-sha2-256-etm,hmac-sha2-512-etm
debug2: compression ctos: none,zlib,zlib
debug2: compression stoc: none,zlib,zlib
debug2: languages ctos: 
debug2: languages stoc: 
debug2: first_kex_follows 0 
debug2: reserved 0 
debug2: peer server KEXINIT proposal
debug2: KEX algorithms: diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
debug2: host key algorithms: ssh-rsa,ssh-dss
debug2: ciphers ctos: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc.se,aes128-ctr,aes192-ctr,aes256-ctr
debug2: ciphers stoc: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc.se,aes128-ctr,aes192-ctr,aes256-ctr
debug2: MACs ctos: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160,hmac-sha1-96,hmac-md5-96
debug2: MACs stoc: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160,hmac-sha1-96,hmac-md5-96
debug2: compression ctos: none,zlib
debug2: compression stoc: none,zlib
debug2: languages ctos: 
debug2: languages stoc: 
debug2: first_kex_follows 0 
debug2: reserved 0 
debug1: kex: algorithm: (no match)
Unable to negotiate with 2620:52:0:102f:21a:64ff:fe5c:f17e port 22: no matching key exchange method found. Their offer: diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1

Version-Release number of selected component (if applicable):
openssh-7.4p1-2.el7

How reproducible:
100%

Steps to Reproduce:
ssh from FIPS RHEL7.4 into RHEL4.9

Actual results:
unable to ssh in RHEL4.9

Expected results:
ssh into RHEL4.9 is possible (at least with some workaround)

Additional info:
Comment 2 Jan Stancek 2017-04-03 11:52:54 UTC 
See also: Bug 1324493 - Update the list of FIPS approved algorithms
Comment 3 Tomas Mraz 2017-04-03 12:21:42 UTC 
I'd say this is expected and acceptable.
Comment 4 Jakub Jelen 2017-04-04 07:38:48 UTC 
(In reply to Tomas Mraz from comment #3)
> I'd say this is expected and acceptable.

Well, the main point was that this was working in RHEL7.3 and the change was propagated from the Fedora bug #1324493.
The main question is if this is something that FIPS enforces or we should rather aim for compatibility (with RHEL7.3 and also with legacy RHEL4.9).
If we hit this issue in our own infrastructure, it is very likely that there will be similar issue and setup somewhere in the wild in customers deployments.

Tomas, if you are ok with this change, we will certainly have to make sure it will be documented.
Comment 5 Tomas Mraz 2017-04-04 11:36:46 UTC 
The deprecation of SHA1 for FIPS is a known fact, so I think just documenting the change (with the possible workaround by explicitly allowing the SHA1 based DH methods) is sufficient.
Comment 6 Jakub Jelen 2017-04-04 13:25:47 UTC 
Sorry for coming up with details gradually (this should have been in the original report). But the problem is that when the cipher is not allowed in the FIPS, there is no workaround. The kex is not known to OpenSSH in FIPS.

By manually selecting the cipher it leads to

    "diffie-hellman-group1-sha1" is not allowed in FIPS mode

so from there was the question how is the status of SHA1 in FIPS and what of the options would be acceptable for FIPS:

 * Do we want the same behavior as in RHEL7.3: Enabled in default proposal
 * Not in default proposal, possible to enable using configuration (preferred)
 * Not in default proposal, unable to enable (current behavior of RHEL 7.4 package)
Comment 7 Tomas Mraz 2017-04-04 14:03:57 UTC 
I think the second option is the best.
Comment 8 Jakub Jelen 2017-04-04 14:51:54 UTC 
I will restore both the methods that were allowed in RHEL 7.3:

  diffie-hellman-group-exchange-sha1
  diffie-hellman-group14-sha1

They will not be offered by default (not on client nor server), but  they can be re-enabled using configuration option such as

  ssh -oKexAlgorithms=+diffie-hellman-group14-sha1 user@legacyhost

or using configuration as described in http://www.openssh.com/legacy.html

The diffie-hellman-group-exchange-sha1 was disabled in RHEL7.3 and will stay so.
Comment 11 Jan Stancek 2017-04-25 12:38:55 UTC 
It still fails for me with openssh-7.4p1-3.el7:

# ssh -oKexAlgorithms=+diffie-hellman-group14-sha1 user@rhel4
FIPS mode initialized
Unable to negotiate with 10.10.10.10 port 22: no matching key exchange method found. Their offer: diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1

# echo $?
255

# cat /proc/sys/crypto/fips_enabled
1
Comment 12 Jakub Jelen 2017-04-25 15:43:06 UTC 
Can you post a debug log from

  ssh -vvv -oKexAlgorithms=+diffie-hellman-group14-sha1 user@rhel4
Comment 13 Jan Stancek 2017-04-26 07:00:56 UTC 
# ssh -vvv -oKexAlgorithms=+diffie-hellman-group14-sha1 user@rhel4
OpenSSH_7.4p1, OpenSSL 1.0.1e-fips 11 Feb 2013
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 58: Applying options for *
FIPS mode initialized
debug2: resolving "rhel4" port 22
debug2: ssh_connect_direct: needpriv 0
debug1: Connecting to rhel4 [10.10.10.10] port 22.
debug1: Connection established.
debug1: permanently_set_uid: 0/0
debug1: key_load_public: No such file or directory
debug1: identity file /root/.ssh/id_rsa type -1
debug1: key_load_public: No such file or directory
debug1: identity file /root/.ssh/id_rsa-cert type -1
debug1: key_load_public: No such file or directory
debug1: identity file /root/.ssh/id_dsa type -1
debug1: key_load_public: No such file or directory
debug1: identity file /root/.ssh/id_dsa-cert type -1
debug1: key_load_public: No such file or directory
debug1: identity file /root/.ssh/id_ecdsa type -1
debug1: key_load_public: No such file or directory
debug1: identity file /root/.ssh/id_ecdsa-cert type -1
debug1: key_load_public: No such file or directory
debug1: identity file /root/.ssh/id_ed25519 type -1
debug1: key_load_public: No such file or directory
debug1: identity file /root/.ssh/id_ed25519-cert type -1
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_7.4
debug1: Remote protocol version 1.99, remote software version OpenSSH_3.9p1
debug1: match: OpenSSH_3.9p1 pat OpenSSH_3.* compat 0x01000000
debug2: fd 3 setting O_NONBLOCK
debug1: Authenticating to rhel4:22 as 'user'
debug3: send packet: type 20
debug1: SSH2_MSG_KEXINIT sent
debug3: receive packet: type 20
debug1: SSH2_MSG_KEXINIT received
debug2: local client KEXINIT proposal
debug2: KEX algorithms: ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256,,diffie-hellman-group14-sha1,ext-info-c
debug2: host key algorithms: ecdsa-sha2-nistp256-cert-v01,ecdsa-sha2-nistp384-cert-v01,ecdsa-sha2-nistp521-cert-v01,ssh-ed25519-cert-v01,ssh-rsa-cert-v01,ssh-dss-cert-v01,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-ed25519,rsa-sha2-512,rsa-sha2-256,ssh-rsa,ssh-dss
debug2: ciphers ctos: aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,3des-cbc,aes192-cbc,aes256-cbc,rijndael-cbc.se
debug2: ciphers stoc: aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,3des-cbc,aes192-cbc,aes256-cbc,rijndael-cbc.se
debug2: MACs ctos: hmac-sha1,hmac-sha2-256,hmac-sha2-512,hmac-sha1-etm,hmac-sha2-256-etm,hmac-sha2-512-etm
debug2: MACs stoc: hmac-sha1,hmac-sha2-256,hmac-sha2-512,hmac-sha1-etm,hmac-sha2-256-etm,hmac-sha2-512-etm
debug2: compression ctos: none,zlib,zlib
debug2: compression stoc: none,zlib,zlib
debug2: languages ctos: 
debug2: languages stoc: 
debug2: first_kex_follows 0 
debug2: reserved 0 
debug2: peer server KEXINIT proposal
debug2: KEX algorithms: diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
debug2: host key algorithms: ssh-rsa,ssh-dss
debug2: ciphers ctos: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc.se,aes128-ctr,aes192-ctr,aes256-ctr
debug2: ciphers stoc: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc.se,aes128-ctr,aes192-ctr,aes256-ctr
debug2: MACs ctos: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160,hmac-sha1-96,hmac-md5-96
debug2: MACs stoc: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160,hmac-sha1-96,hmac-md5-96
debug2: compression ctos: none,zlib
debug2: compression stoc: none,zlib
debug2: languages ctos: 
debug2: languages stoc: 
debug2: first_kex_follows 0 
debug2: reserved 0 
debug1: kex: algorithm: (no match)
Unable to negotiate with 10.10.10.10 port 22: no matching key exchange method found. Their offer: diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
Comment 14 Jakub Jelen 2017-04-26 08:13:45 UTC 
I see suspicious comma in the line

    debug2: KEX algorithms: ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256,,diffie-hellman-group14-sha1,ext-info-c

which might cause these problems. I don't see it it non-FIPS mode. As a possible workaround, the following should work:

    ssh -vvv -oKexAlgorithms=diffie-hellman-group14-sha1 user@rhel4

I can reproduce the same problem with my machine if I try to pass the bogus comma to the algorithm list

    ssh -vvv -oKexAlgorithms=,diffie-hellman-group14-sha1 user@localhost

It is certainly bug in the FIPS offered list. This should not be in the default configuration, but the parser itself should not choke on that (it ends when it does not find the anything in front of comma).

I will respin the package as soon as I will find out how to put it together.
Comment 18 errata-xmlrpc 2017-08-01 18:42:47 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2017:2029
Comment 23 Franco DiRosa 2021-01-04 13:47:05 UTC 
This errata does not make sense at all.  It is in regards to diffie-hellman-group1-sha1 and the discussion is in enabling it but it appears it is disabled in RHEL 7.  The text below seems incorrect also which is a post above.  It says the diffie-hellman-group-exchange-sha1 will be allowed to be enabled by option but then it says it will be disabled and nothing about DH group1 which was the original question.

Jakub Jelen 2017-04-04 14:51:54 UTC
I will restore both the methods that were allowed in RHEL 7.3:

  diffie-hellman-group-exchange-sha1
  diffie-hellman-group14-sha1

They will not be offered by default (not on client nor server), but  they can be re-enabled using configuration option such as

  ssh -oKexAlgorithms=+diffie-hellman-group14-sha1 user@legacyhost

or using configuration as described in http://www.openssh.com/legacy.html

The diffie-hellman-group-exchange-sha1 was disabled in RHEL7.3 and will stay so.
Comment 24 Jakub Jelen 2021-01-04 14:14:17 UTC 
(In reply to Franco DiRosa from comment #23)
> This errata does not make sense at all.

This is not an errata, but a bug closed more than three years ago with couple of comments. If you have a question to errata, please, contact your Red Hat support.

> It is in regards to
> diffie-hellman-group1-sha1 and the discussion is in enabling it but it
> appears it is disabled in RHEL 7.

Right. In FIPS mode, it is not available. Outside of FIPS mode it is generally available and there is no need to reenable it

> The text below seems incorrect also which
> is a post above.  It says the diffie-hellman-group-exchange-sha1 will be
> allowed to be enabled by option but then it says it will be disabled and
> nothing about DH group1 which was the original question.

Can you point me to the original question, which references the group1? If you mean the comment #6, it is just an example log.

The diffie-hellman-group-exchange-sha1 in the last sentence should have been "diffie-hellman-group1-sha1" and again references only to FIPS.

What is important is in the doc text that went to errata is correct:

> This update removes SHA1-based key exchange algorithms from the default list in FIPS mode. They can still be re-enabled using the configuration snippet below:
> 
>   KexAlgorithms=+diffie-hellman-group14-sha1,diffie-hellman-group-exchange-sha1
Note You need to log in before you can comment on or make changes to this bug.