Description of problem:
If the client has FIPS enabled, remote execution will fail with "userauth_pubkey: key type ssh-rsa not in PubkeyAcceptedKeyTypes [preauth]". ssh itself works fine as the key type is rsa-sha2-512, which is allowed; not sure what is overwriting the key type when executed from the WebUI. I have tested this only on a RHEL 8 client. Not sure if the same issue occurs with other versions.

How reproducible:
Always

Steps to Reproduce:
1. Enable FIPS on client
2. Create ReX job, for example "df -h"

Actual results:
on Satellite:
Error initializing command: Net::SSH::AuthenticationFailed - Authentication failed for user username.com
Exit status: EXCEPTION

on client:
Aug 26 11:47:54 client.example.com sshd[36555]: FIPS mode initialized
Aug 26 11:47:54 client.example.com sshd[36555]: Using arbitrary primes is not allowed in FIPS mode. Falling back to known groups.
Aug 26 11:47:54 client.example.com sshd[36555]: userauth_pubkey: key type ssh-rsa not in PubkeyAcceptedKeyTypes [preauth]
Aug 26 11:47:54 client.example.com sshd[36555]: Connection closed by authenticating user username xxx.xxx.xxx.xxx port 49080 [preauth]

Expected results:
Job successful

on client:
Aug 26 11:51:00 client.example.com sshd[36627]: FIPS mode initialized
Aug 26 11:51:00 client.example.com sshd[36627]: Using arbitrary primes is not allowed in FIPS mode. Falling back to known groups.
Aug 26 11:51:01 client.example.com sshd[36627]: Accepted publickey for username from xxx.xxx.xxx.xxx port 49332 ssh2: RSA SHA256:hash
Aug 26 11:51:01 client.example.com systemd-logind[1001]: New session xxx of user username.
The problem is that Satellite 6.8 internally uses v4.2.0 of the Ruby Net::SSH library to run remote jobs, but that library doesn't support the FIPS key algorithms (rsa-sha2-256/rsa-sha2-512) until v6.2.0: https://github.com/net-ssh/net-ssh/pull/771 As a work-around, you can select "Job Category: Ansible Commands" instead of "Job Category: Commands" when running Jobs in Satellite. This works because Ansible uses the `ssh` executable instead of the Ruby Net::SSH library.
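To make the symptom described above easy to spot on a fleet, here is an added Python example (not code from the bug report, from Satellite or from net-ssh). It parses sshd journal lines of the shape quoted in the report, groups them per sshd child pid, and labels an attempt as this bug's signature when a FIPS-mode sshd rejects a legacy `ssh-rsa` signature; it also checks a net-ssh version string against the v6.2.0 threshold the comment above names as the first release with rsa-sha2 support. The sample log, pids and the 192.0.2.10 address are constructed for the example.

```python
import re
from collections import defaultdict

# Constructed sample journal lines, modelled on the sshd output quoted in the
# bug report (pid 36555 = failed ReX attempt, pid 36627 = successful one).
# The address is a documentation range, not a real host.
SAMPLE_LOG = """\
Aug 26 11:47:54 client.example.com sshd[36555]: FIPS mode initialized
Aug 26 11:47:54 client.example.com sshd[36555]: Using arbitrary primes is not allowed in FIPS mode. Falling back to known groups.
Aug 26 11:47:54 client.example.com sshd[36555]: userauth_pubkey: key type ssh-rsa not in PubkeyAcceptedKeyTypes [preauth]
Aug 26 11:47:54 client.example.com sshd[36555]: Connection closed by authenticating user username 192.0.2.10 port 49080 [preauth]
Aug 26 11:51:00 client.example.com sshd[36627]: FIPS mode initialized
Aug 26 11:51:00 client.example.com sshd[36627]: Using arbitrary primes is not allowed in FIPS mode. Falling back to known groups.
Aug 26 11:51:01 client.example.com sshd[36627]: Accepted publickey for username from 192.0.2.10 port 49332 ssh2: RSA SHA256:hash
"""

# Message shapes taken from the log lines quoted in the report.
PATTERNS = {
    "fips": re.compile(r"sshd\[(?P<pid>\d+)\]: FIPS mode initialized"),
    "reject": re.compile(r"sshd\[(?P<pid>\d+)\]: userauth_pubkey: key type (?P<algo>\S+) not in PubkeyAcceptedKeyTypes"),
    "accept": re.compile(r"sshd\[(?P<pid>\d+)\]: Accepted publickey for (?P<user>\S+) from (?P<ip>\S+) port \d+"),
    "closed": re.compile(r"sshd\[(?P<pid>\d+)\]: Connection closed by authenticating user (?P<user>\S+) (?P<ip>\S+) port"),
}


def parse_sshd_log(text):
    """Group journal lines per sshd child pid (one pid per connection attempt)."""
    sessions = defaultdict(dict)
    for line in text.splitlines():
        for kind, rx in PATTERNS.items():
            m = rx.search(line)
            if not m:
                continue
            s = sessions[m["pid"]]
            if kind == "fips":
                s["fips"] = True
            elif kind == "reject":
                s["rejected_algo"] = m["algo"]
            elif kind == "accept":
                s.update(accepted=True, user=m["user"], ip=m["ip"])
            else:  # "closed": keep user/ip from the preauth disconnect line
                s.setdefault("user", m["user"])
                s.setdefault("ip", m["ip"])
            break
    return dict(sessions)


def classify(session):
    """Label one connection attempt."""
    if session.get("accepted"):
        return "ok"
    algo = session.get("rejected_algo")
    if algo == "ssh-rsa" and session.get("fips"):
        # The signature of this bug: a FIPS-mode sshd refusing the legacy
        # ssh-rsa (SHA-1) signature that a pre-6.2.0 net-ssh client produces.
        return "net-ssh-legacy-ssh-rsa-in-fips"
    if algo:
        return "rejected-" + algo
    return "incomplete"


def report(text):
    """Return [(pid, label, user, ip)] sorted by pid for every parsed attempt."""
    sessions = parse_sshd_log(text)
    return sorted(
        (pid, classify(s), s.get("user"), s.get("ip")) for pid, s in sessions.items()
    )


def net_ssh_supports_rsa_sha2(version):
    """True if the net-ssh gem version is >= 6.2.0, the first release this
    thread identifies as supporting rsa-sha2-256/rsa-sha2-512."""
    parts = [int(p) for p in version.split(".")[:3]]
    parts += [0] * (3 - len(parts))
    return tuple(parts) >= (6, 2, 0)


if __name__ == "__main__":
    for pid, label, user, ip in report(SAMPLE_LOG):
        print(f"sshd[{pid}] {label} user={user} ip={ip}")
    for v in ("4.2.0", "6.2.0"):
        print(f"net-ssh {v}: rsa-sha2 supported = {net_ssh_supports_rsa_sha2(v)}")
```

Run it against `journalctl -u sshd` output from a FIPS-enabled client; any attempt labelled `net-ssh-legacy-ssh-rsa-in-fips` points at a Satellite-side Net::SSH that is too old, while `ok` attempts from the same user and address show the sshd configuration itself is fine.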
Greetings, is there any ETA on resolving this? Seems this workaround won't help if I try to apply errata for a host, as it seems to use SSH REX instead of Ansible Commands. Or should I open an RH support case? We use Satellite 6.9.1. Thank you.
In theory you should be able to go to Administer > Remote execution features, pick Katello errata install and change the job template to "Install errata - Katello ansible default" to use ansible even for errata application.
Thank you for this info, I confirm that after switching to the ansible method, install errata now works for the RHEL8 client.
*** Bug 2027341 has been marked as a duplicate of this bug. ***
How is "downgrade to katello agent" (now deprecated) or "decrease your security to fail audits" an accepted solution? Looks like upstream is fixed. If that's true, we need this merged ASAP. https://projects.theforeman.org/issues/33198
(In reply to George R from comment #19)
> How is "downgrade to katello agent" (now deprecated) or "decrease your
> security to fail audits" an accepted solution?
> Looks like upstream is fixed. If that's true, we need this merged ASAP.
> https://projects.theforeman.org/issues/33198

Since I can't spontaneous comment above, let me post the more considered version. The real bug is me hitting save too soon.

Since ssh rex is the direction, and the release notes for 6.10 show that the next version of Satellite will remove the agent, using katello agent feels more like a work-around.

Here's a better overview: The upstream project, Foreman, addressed this in issue #33198, which is to use the native ssh instead of net::ssh. That translates into BZ issue #1872688, where it shows a target milestone of 7.0. Based on the past cadence, we can hope for a release of 7.0 to be near Summit, which is usually in May.
I'm a bit lost, where are we suggesting to downgrade to katello agent? Is there a reason why (until 7.0 lands) you could not use ansible instead of "raw" ssh rex? It should have no issues with fips-enabled hosts and I'd say it is the only sane workaround for this BZ.
Verified on Satellite 7 snap 4: an ssh-type rex job is executed successfully against a FIPS-enabled RHEL8 host.
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (Moderate: Satellite 6.11 Release), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHSA-2022:5498