Bug 1893059 - Satellite 6.8 Remote Execution fails on RHEL 8.2 clients with DEFAULT:NO-SHA1 crypto policy
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Satellite
Classification: Red Hat
Component: Remote Execution
Version: 6.8.0
Hardware: x86_64
OS: Linux
unspecified
medium
Target Milestone: 6.11.0
Assignee: satellite6-bugs
QA Contact: Peter Ondrejka
Reported: 2020-10-30 00:53 UTC by Shane Boulden
Modified: 2023-04-13 16:40 UTC (History)

Fixed In Version: tfm-rubygem-smart_proxy_remote_execution_ssh-0.5.0
Last Closed: 2022-07-05 14:28:25 UTC

Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2022:5498 0 None None None 2022-07-05 14:28:37 UTC

Description Shane Boulden 2020-10-30 00:53:31 UTC
Description of problem:
Remote Execution fails when RHEL 8.2 clients are configured with the DEFAULT:NO-SHA1 systemwide crypto policy

Version-Release number of selected component (if applicable):
satellite-6.8.0-1.el7sat.noarch
crypto-policies-20191128-2.git23e1bf1.el8.noarch

How reproducible:
Every time

Steps to Reproduce:
1. Configure the NO-SHA1 crypto policy on a RHEL 8.2 client:
update-crypto-policies --set DEFAULT:NO-SHA1

2. From Satellite, copy foreman-proxy SSH keys to the client:
ssh-copy-id -i ~foreman-proxy/.ssh/id_rsa_foreman_proxy.pub user.xx.xx

3. Verify SSH works:
ssh -i ~foreman-proxy/.ssh/id_rsa_foreman_proxy user.xx.xx

4. Schedule a remote execution job from Satellite:
All hosts -> select host -> Schedule remote job
Job Category: Commands
Job template: Run Command - SSH Default
Command: hostname

Actual results:
Remote job fails

Expected results:
Remote job succeeds

Additional info:
Satellite reports the following in /var/log/foreman/production.log:

Parameters: {"callback"=>{"task_id"=>"f11391f0-e310-49bc-8ffa-7497e0b1cd38", "step_id"=>3}, "data"=>{"result"=>[{"output_type"=>"debug", "output"=>"Error initializing command: Net::SSH::AuthenticationFailed - Authentication failed for user user.xx.xx", "timestamp"=>1604018256.3824368}], "runner_id"=>"a82ae4db-f852-4790-8fa0-fed85c65e610", "exit_status"=>"EXCEPTION"}, "task"=>{}}

The client reports the following in /var/log/secure:
sshd[8898]: userauth_pubkey: key type ssh-rsa not in PubkeyAcceptedKeyTypes [preauth]

Disabling the NO-SHA1 policy enables remote execution to proceed:
update-crypto-policies --set DEFAULT
systemctl restart sshd

Comment 3 Adam Ruzicka 2020-11-02 11:11:54 UTC
Looks like the support for using rsa-sha2-256 and rsa-sha2-512 as PubkeyAcceptedKeyTypes is a bit wonky in the ssh library we use. I managed to reproduce the issue even with its latest version even though it should be fully supported there. Revived the issue there https://github.com/net-ssh/net-ssh/issues/712#issuecomment-720403946
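
A triage helper for the client-side log line quoted in the description, added here as an example and not part of the bug report or of Satellite's code: it counts the key types sshd refused and checks whether the server still accepts rsa-sha2-256 or rsa-sha2-512, in which case the existing RSA key is fine and the client's signature algorithm is at fault. The log lines, the accepted-types list and the function names are constructed for the example.

```sh
#!/bin/sh
# Added example: triage sshd public-key rejections like the one in this report.

# Constructed sample of client-side /var/log/secure lines (host, PIDs, address invented).
SAMPLE_LOG='Oct 30 00:37:36 client1 sshd[8898]: userauth_pubkey: key type ssh-rsa not in PubkeyAcceptedKeyTypes [preauth]
Oct 30 00:37:36 client1 sshd[8898]: Connection closed by authenticating user user 192.0.2.10 port 40122 [preauth]
Oct 30 00:41:02 client1 sshd[8931]: userauth_pubkey: key type ssh-rsa not in PubkeyAcceptedKeyTypes [preauth]
Oct 30 00:52:17 client1 sshd[9002]: userauth_pubkey: key type ssh-dss not in PubkeyAcceptedKeyTypes [preauth]'

# Constructed PubkeyAcceptedKeyTypes value for a server that refuses SHA-1 signatures.
SAMPLE_ACCEPTED='ecdsa-sha2-nistp256,ssh-ed25519,rsa-sha2-256,rsa-sha2-512'

# Print "<count> <key type>" for every key type sshd refused (log on stdin).
rejected_key_types() {
    sed -n 's/.*userauth_pubkey: key type \([^ ]*\) not in PubkeyAcceptedKeyTypes.*/\1/p' |
        sort | uniq -c | awk '{print $1, $2}'
}

# Succeed if algorithm $2 is an exact member of the comma-separated list $1
# (wildcard patterns in the list are not expanded here).
accepts() {
    case ",$1," in *",$2,"*) return 0 ;; *) return 1 ;; esac
}

# Classify each rejected type: log on stdin, accepted list as $1.
diagnose() {
    rejected_key_types | while read -r count type; do
        if [ "$type" = ssh-rsa ] && { accepts "$1" rsa-sha2-256 || accepts "$1" rsa-sha2-512; }; then
            # Same RSA key, SHA-2 signature: the fix belongs in the SSH client library.
            echo "$type x$count: RSA key is acceptable, client must sign with rsa-sha2-256/512"
        else
            echo "$type x$count: key type not permitted by server policy"
        fi
    done
}

printf '%s\n' "$SAMPLE_LOG" | diagnose "$SAMPLE_ACCEPTED"
```
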

Comment 5 Peter Ondrejka 2022-01-14 12:05:23 UTC
Verified on Satellite 7.0 snap 4, ssh type rex job ran successfully against RHEL8 host with DEFAULT:NO-SHA1 crypto policy enabled

Comment 8 errata-xmlrpc 2022-07-05 14:28:25 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Moderate: Satellite 6.11 Release), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2022:5498

