Created attachment 1686396: RHVH log

Description of problem:
Register RHVH 4.4 to Engine will fail when a security profile, draft stig or vpp, is selected, see errors:

# systemctl status sshd
● sshd.service - OpenSSH server daemon
   Loaded: loaded (/usr/lib/systemd/system/sshd.service; enabled; vendor preset: enabled)
   Active: active (running) since Fri 2020-05-08 07:41:25 UTC; 23min ago
...............
May 08 07:52:10 hp-dl385g8-03.lab.eng.pek2.redhat.com sshd[15459]: Unable to negotiate with 10.73.197.64 port 48540: no matching host key type found. Their offer: ssh-rsa [preauth]
...............

# update-crypto-policies --show
FIPS:OSPP

NOTE: After running "update-crypto-policies --set DEFAULT" manually, registering to the engine can succeed.

Version-Release number of selected component (if applicable):
Host: redhat-virtualization-host-4.4.0-20200507.0.el8_2
      imgbased-1.2.9-1.el8ev.noarch
Engine: 4.4.0-0.33.master.el8ev

How reproducible:
100%

Steps to Reproduce:
1. Install RHVH-4.4-20200507.1-RHVH-x86_64-dvd1.iso via Anaconda GUI.
2. Select a security profile, draft stig or vpp, on the security policy screen.
3. Continue to finish the other required configurations, and begin installation.
4. Register RHVH to engine.

Actual results:
Register RHVH 4.4 to Engine will fail when a security profile is selected.

Expected results:
Register RHVH 4.4 to Engine can succeed even if a security profile is selected.

Additional info:
No such issue on redhat-virtualization-host-4.3.10-20200506.0.el7_8 build.
I got pinged by ansasaki about this issue. FIPS policy does not allow ssh-rsa mechanism (RSA with SHA1). What is the peer connecting to this host that is restricted to this mechanism and why it does not support rsa-sha2-256 and rsa-sha2-512 mechanisms?
Rhvm will connect to the host when adding host. Sandro, do you know who can answer whether rhvm supports rsa-sha2-256 and rsa-sha2-512?
For a start, it would be enough to configure sshd to log debug messages (put LogLevel DEBUG3 in /etc/ssh/sshd_config and restart the sshd service) and attach the /var/log/secure log. It should give you at least the identification of the client.
Please attach also /var/log from the engine. Thanks.
Created attachment 1687996: /var/log of engine
It looks like the client connecting to our server is Apache SSHD [1]:

> May 13 08:47:47 localhost sshd[4820]: debug1: Remote protocol version 2.0, remote software version APACHE-SSHD-2.2.0

Where does it come from? This is certainly not FIPS certifiable as it is.

The simplest workaround would be changing the client (the apache sshd) to use ECDSA keys (hopefully, the apache will support that), but it will still not make the apache ssh implementation FIPS compliant.

[1] https://mina.apache.org/sshd-project/index.html
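A triage helper for the sshd failure quoted in the description, added here as an example (it is not part of the bug report or of any Red Hat or RHV tool): it parses sshd "Unable to negotiate" lines and reports which clients offered only the SHA-1 based ssh-rsa host key algorithm that the FIPS crypto policy rejects, so the fix can be directed at the client rather than at relaxing the host policy. The log lines are constructed, and treating ssh-dss as a legacy algorithm is an assumption not stated on the page.

```python
import re
from collections import Counter

# Constructed sample sshd log lines (not taken from the bug's attachments), in the
# format quoted in the bug: a FIPS-policy host rejecting a client whose offer
# contains only the SHA-1 based ssh-rsa host key algorithm.
SAMPLE_LOG = """\
May 08 07:52:10 host1 sshd[15459]: Unable to negotiate with 10.73.197.64 port 48540: no matching host key type found. Their offer: ssh-rsa [preauth]
May 08 07:53:02 host1 sshd[15471]: Accepted publickey for root from 10.73.197.65 port 50102 ssh2: RSA SHA256:constructedfingerprint
May 08 07:54:11 host1 sshd[15480]: Unable to negotiate with 10.73.197.64 port 48560: no matching host key type found. Their offer: ssh-rsa,ssh-dss [preauth]
May 08 07:55:30 host1 sshd[15490]: Unable to negotiate with 10.73.197.70 port 48600: no matching key exchange method found. Their offer: diffie-hellman-group1-sha1 [preauth]
"""

# ssh-rsa (RSA signatures with SHA-1) is the algorithm the bug identifies as
# rejected under the FIPS policy; ssh-dss is added here as an assumption.
LEGACY_HOSTKEY_ALGS = {"ssh-rsa", "ssh-dss"}
# The SHA-2 RSA signature algorithms the host would have accepted.
MODERN_RSA_ALGS = {"rsa-sha2-256", "rsa-sha2-512"}

NEGOTIATE_RE = re.compile(
    r"sshd\[\d+\]: Unable to negotiate with (?P<ip>\S+) port \d+: "
    r"no matching (?P<what>host key type|key exchange method|cipher|MAC) found\. "
    r"Their offer: (?P<offer>\S+)"
)

def parse_hostkey_failures(log_text):
    """One record per 'no matching host key type' line: client IP, the host key
    algorithms it offered, and whether the failure is explained by the client
    offering nothing but legacy (SHA-1 / DSA) signature algorithms."""
    findings = []
    for line in log_text.splitlines():
        m = NEGOTIATE_RE.search(line)
        if not m or m.group("what") != "host key type":
            continue  # other negotiation failures (kex, cipher) are out of scope
        offered = m.group("offer").split(",")
        findings.append({
            "client": m.group("ip"),
            "offered": offered,
            "legacy_only": all(a in LEGACY_HOSTKEY_ALGS for a in offered),
            "supports_sha2_rsa": any(a in MODERN_RSA_ALGS for a in offered),
        })
    return findings

def clients_needing_upgrade(log_text):
    """Per client IP, count the host key negotiations that failed solely because
    the client offered only legacy algorithms. A non-empty result points at the
    client (enable rsa-sha2-*), not at the host's crypto policy."""
    return Counter(f["client"] for f in parse_hostkey_failures(log_text)
                   if f["legacy_only"])
```

Run it against a real /var/log/secure by reading the file into `parse_hostkey_failures`; the sample above exists only so the block runs offline.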
(In reply to Jakub Jelen from comment #8)
> It looks like the client connecting to our server is Apache SSHD [1]:
>
> > May 13 08:47:47 localhost sshd[4820]: debug1: Remote protocol version 2.0, remote software version APACHE-SSHD-2.2.0
>
> Where does it come from? This is certainly not FIPS certifiable as it is.

The above info is from the host side.

> The simplest workaround would be changing the client (the apache sshd) to
> use ECDSA keys (hopefully, the apache will support that), but it will still
> not make the apache ssh implementation FIPS compliant.
>
> [1] https://mina.apache.org/sshd-project/index.html
Created attachment 1688273: secure log
(In reply to Qin Yuan from comment #3)
> Rhvm will connect to the host when adding host.
>
> Sandro, do you know who can answer whether rhvm supports rsa-sha2-256 and
> rsa-sha2-512?

Martin?
Moving to MODIFIED and marking as TestOnly, because fix should already be included in BZ1838159
Test version:
redhat-virtualization-host-4.4.1-20200705.0.el8_2
engine: 4.4.1.7-0.3.el8ev

Test result:
Register RHVH 4.4 to Engine still fails when a security profile is selected. Move bug to ASSIGNED.

=====================
Host cshao440705 installation failed. Task Install ovirt-host package failed to execute. Please check logs for more details: /var/log/ovirt-engine/host-deploy/ovirt-host-deploy-ansible-20200707010615-10.73.73.35-e2e887.log.

TASK [ovirt-host-deploy-vdsm : Install ovirt-host package] *********************
2020-07-07 01:07:15 CST - fatal: [10.73.73.35]: FAILED! => {"changed": false, "failures": ["No package ovirt-host available."], "msg": "Failed to install some of the specified packages", "rc": 1, "results": []}

# rpm -qa| grep ovirt-host
#

NOTE: The ovirt-host package is available if no security profile is selected, and the registration can succeed.

# rpm -qa| grep ovirt-host
ovirt-host-dependencies-4.4.1-4.el8ev.x86_64
ovirt-hosted-engine-setup-2.4.5-1.el8ev.noarch
ovirt-hosted-engine-ha-2.4.4-1.el8ev.noarch
ovirt-host-4.4.1-4.el8ev.x86_64
Created attachment 1700014: new failed log from engine
I found that some packages are missing when a security profile is selected, e.g. ovirt-host, vdsm, ovirt-hosted-engine-ha, ovirt-hosted-engine-setup.
Resolved with bug 1729222?
Should have been solved by bug #1729222
Test version:
redhat-virtualization-host-4.4.3-20201105.1.el8_3
imgbased-1.2.13-0.1.el8ev.noarch

Test steps:
1. Install RHVH-4.4.3 via Anaconda GUI.
2. Select a security profile, draft stig or vpp, on the security policy screen.
3. Continue to finish the other required configurations, and begin installation.
4. Register RHVH to engine.

Test results:
Register RHVH 4.4 to Engine can succeed even if a security profile is selected.

So the bug is fixed, change bug status to VERIFIED.
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (Moderate: Red Hat Virtualization security, bug fix, and enhancement update), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHSA-2020:5218