Description of problem:

As per [1] GSI authentication is non-functional since GSI-OpenSSH 8.0p1 because the GSS key exchange functionality is broken for GSI since this version; the SHA1 based GSS group exchange functionality is still working, though. This was confirmed on x86_64 but should affect all other architectures, too.

[1]: https://github.com/openssh-gsskex/openssh-gsskex/issues/18

Version-Release number of selected component (if applicable):

8.0p1-6.el8

How reproducible:

always

Steps to Reproduce:

1. Install [gsi-openssh-8.0p1-6.el8] server and clients.
2. Configure `gsisshd` to listen on TCP port `2222`.
3. Configure GSI (host cert and key, grid-mapfile) and create a GSI proxy certificate.
4. Also install the test script from https://gist.github.com/fscheiner/92ea125c72cd70283a712585206c1015 which starts a `gsisshd` and tries to connect and authenticate via GSI to this GSI-OpenSSH server instance with `gsissh`.

[gsi-openssh-8.0p1-6.el8]: https://kojipkgs.fedoraproject.org//packages/gsi-openssh/8.0p1/6.el8/x86_64/

```
[johndoe@host ~]$ sudo bin/test-gss-kex-for-gsi-openssh.bash host.domain.tld johndoe2
```

Actual results:

Only GSS GEX method `gss-gex-sha1-` is working:

```
gsisshd: OpenSSH_8.0p1c-GSI GSI-hpn14v19, OpenSSL 1.1.1c FIPS 28 May 2019
gsissh: OpenSSH_8.0p1c-GSI GSI-hpn14v19, OpenSSL 1.1.1c FIPS 28 May 2019
Wait 3 seconds for startup of gsisshd ...
gss-gex-sha1- OK
gss-group1-sha1- Error
gss-group14-sha256- Error
gss-nistp256-sha256- Error
gss-curve25519-sha256- Error
gss-group16-sha512- Error
[johndoe@host ~]$ yum info gsi-openssh
[...]
Installed Packages
Name : gsi-openssh
Version : 8.0p1
Release : 6.el8
Architecture : x86_64
Size : 1.9 M
Source : gsi-openssh-8.0p1-6.el8.src.rpm
[...]
```

Expected results:

All GSS KEX/GEX methods (`gss-group1-sha1-`, `gss-group14-sha1-`, `gss-group14-sha256-`, `gss-group16-sha512-`, `gss-nistp256-sha256-`, `gss-curve25519-sha256-`, `gss-gex-sha1-`) are working:

```
gsisshd: OpenSSH_8.0p1c-GSI GSI-hpn14v19, OpenSSL 1.1.1c FIPS 28 May 2019
gsissh: OpenSSH_8.0p1c-GSI GSI-hpn14v19, OpenSSL 1.1.1c FIPS 28 May 2019
Wait 3 seconds for startup of gsisshd ...
gss-gex-sha1- OK
gss-group1-sha1- OK
gss-group14-sha256- OK
gss-nistp256-sha256- OK
gss-curve25519-sha256- OK
gss-group16-sha512- OK
```

Additional info:

A fix based on [openssh-gsskex/openssh-gsskex#19] is available from here: https://gist.github.com/fscheiner/ec430514b28e4dad24516c66939a8945

[openssh-gsskex/openssh-gsskex#19]: https://github.com/openssh-gsskex/openssh-gsskex/pull/19
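A regression gate over the per-method result lines shown in the report, as an added example that is not part of the original report or of the reporter's test script. It assumes result lines of the form `<method> <status>`; the function names are hypothetical, and the sample input is copied from the "Actual results" output above.

```shell
#!/bin/sh
# Added example: summarise per-method results of a GSS KEX test run and
# fail unless every expected method was exercised and reported OK.

# Methods the report lists under "Expected results".
EXPECTED_METHODS="gss-group1-sha1- gss-group14-sha1- gss-group14-sha256- gss-group16-sha512- gss-nistp256-sha256- gss-curve25519-sha256- gss-gex-sha1-"

# Result lines copied from the report's "Actual results" output.
SAMPLE_RESULTS='gss-gex-sha1- OK
gss-group1-sha1- Error
gss-group14-sha256- Error
gss-nistp256-sha256- Error
gss-curve25519-sha256- Error
gss-group16-sha512- Error'

# failed_methods: methods whose status is anything other than OK,
# space-separated, in input order. Banner lines are ignored.
failed_methods() {
    printf '%s\n' "$1" | awk '
        $1 ~ /^gss-/ && NF >= 2 && $2 != "OK" { out = out (out ? " " : "") $1 }
        END { print out }'
}

# untested_methods: expected methods that have no result line at all.
untested_methods() (
    seen=$(printf '%s\n' "$1" | awk '$1 ~ /^gss-/ { print $1 }')
    out=""
    for m in $EXPECTED_METHODS; do
        printf '%s\n' "$seen" | grep -qxF -- "$m" || out="$out $m"
    done
    printf '%s' "${out# }"
)

# kex_gate: succeed only if nothing failed and nothing was left untested.
kex_gate() {
    [ -z "$(failed_methods "$1")" ] && [ -z "$(untested_methods "$1")" ]
}

echo "failed:   $(failed_methods "$SAMPLE_RESULTS")"
echo "untested: $(untested_methods "$SAMPLE_RESULTS")"
```

On the sample this also reports `gss-group14-sha1-` as untested: it appears in the expected list but has no result line in either output block.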
FEDORA-2021-81c8581192 has been submitted as an update to Fedora 32. https://bodhi.fedoraproject.org/updates/FEDORA-2021-81c8581192
FEDORA-EPEL-2021-5392fab667 has been submitted as an update to Fedora EPEL 8. https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2021-5392fab667
FEDORA-2021-b09f187229 has been submitted as an update to Fedora 34. https://bodhi.fedoraproject.org/updates/FEDORA-2021-b09f187229
FEDORA-2021-fa267d8125 has been pushed to the Fedora 33 testing repository. Soon you'll be able to install the update with the following command: `sudo dnf upgrade --enablerepo=updates-testing --advisory=FEDORA-2021-fa267d8125` You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2021-fa267d8125 See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.
FEDORA-2021-81c8581192 has been pushed to the Fedora 32 testing repository. Soon you'll be able to install the update with the following command: `sudo dnf upgrade --enablerepo=updates-testing --advisory=FEDORA-2021-81c8581192` You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2021-81c8581192 See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.
FEDORA-EPEL-2021-5392fab667 has been pushed to the Fedora EPEL 8 testing repository. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2021-5392fab667 See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.
FEDORA-2021-b09f187229 has been pushed to the Fedora 34 testing repository. Soon you'll be able to install the update with the following command: `sudo dnf upgrade --enablerepo=updates-testing --advisory=FEDORA-2021-b09f187229` You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2021-b09f187229 See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.
FEDORA-2021-b09f187229 has been pushed to the Fedora 34 stable repository. If problem still persists, please make note of it in this bug report.
FEDORA-2021-81c8581192 has been pushed to the Fedora 32 stable repository. If problem still persists, please make note of it in this bug report.
FEDORA-2021-fa267d8125 has been pushed to the Fedora 33 stable repository. If problem still persists, please make note of it in this bug report.
FEDORA-EPEL-2021-5392fab667 has been pushed to the Fedora EPEL 8 stable repository. If problem still persists, please make note of it in this bug report.
FEDORA-2023-603d385ac3 has been submitted as an update to Fedora 40. https://bodhi.fedoraproject.org/updates/FEDORA-2023-603d385ac3
FEDORA-2023-603d385ac3 has been pushed to the Fedora 40 stable repository. If problem still persists, please make note of it in this bug report.