Bug 1938224 - GSS KEX broken beginning with GSI-OpenSSH 8.0p1
Summary: GSS KEX broken beginning with GSI-OpenSSH 8.0p1
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora EPEL
Classification: Fedora
Component: gsi-openssh
Version: epel8
Hardware: x86_64
OS: Linux
unspecified
high
Target Milestone: ---
Assignee: Mattias Ellert
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2021-03-12 14:16 UTC by Frank Scheiner
Modified: 2023-10-24 17:52 UTC (History)

Fixed In Version: gsi-openssh-8.5p1-1.fc34 gsi-openssh-8.3p1-5.fc32 gsi-openssh-8.4p1-6.fc33 gsi-openssh-8.0p1-7.el8
Doc Type: ---
Doc Text:
Clone Of:
Environment:
Last Closed: 2021-03-21 00:21:28 UTC
Type: Bug
Embargoed:



Description Frank Scheiner 2021-03-12 14:16:04 UTC
Description of problem:

As per [1], GSI authentication is non-functional since GSI-OpenSSH 8.0p1 because the GSS key exchange functionality is broken for GSI since this version; the SHA1-based GSS group exchange functionality is still working, though. This was confirmed on x86_64 but should affect all other architectures, too.

[1]: https://github.com/openssh-gsskex/openssh-gsskex/issues/18

Version-Release number of selected component (if applicable):

8.0p1-6.el8

How reproducible:

always

Steps to Reproduce:

Install [gsi-openssh-8.0p1-6.el8] server and clients. Configure `gsisshd` to listen on TCP port `2222`. Configure GSI (host cert and key, grid-mapfile) and create a GSI proxy certificate. Also install the test script from https://gist.github.com/fscheiner/92ea125c72cd70283a712585206c1015 which starts a `gsisshd` and tries to connect and authenticate via GSI to this GSI-OpenSSH server instance with `gsissh`.

[gsi-openssh-8.0p1-6.el8]: https://kojipkgs.fedoraproject.org//packages/gsi-openssh/8.0p1/6.el8/x86_64/

```
[johndoe@host ~]$ sudo bin/test-gss-kex-for-gsi-openssh.bash host.domain.tld johndoe2
```

Actual results:

Only GSS GEX method `gss-gex-sha1-` is working:

```
gsisshd: OpenSSH_8.0p1c-GSI GSI-hpn14v19, OpenSSL 1.1.1c FIPS  28 May 2019
gsissh: OpenSSH_8.0p1c-GSI GSI-hpn14v19, OpenSSL 1.1.1c FIPS  28 May 2019

Wait 3 seconds for startup of gsisshd ...

gss-gex-sha1- OK
gss-group1-sha1- Error
gss-group14-sha256- Error
gss-nistp256-sha256- Error
gss-curve25519-sha256- Error
gss-group16-sha512- Error

[johndoe@host ~]$ yum info gsi-openssh
[...]
Installed Packages
Name         : gsi-openssh
Version      : 8.0p1
Release      : 6.el8
Architecture : x86_64
Size         : 1.9 M
Source       : gsi-openssh-8.0p1-6.el8.src.rpm
[...]

```

Expected results:

All GSS KEX/GEX methods (`gss-group1-sha1-`,`gss-group14-sha1-`,`gss-group14-sha256-`,`gss-group16-sha512-`,`gss-nistp256-sha256-`,`gss-curve25519-sha256-`,`gss-gex-sha1-`) are working:

```
gsisshd: OpenSSH_8.0p1c-GSI GSI-hpn14v19, OpenSSL 1.1.1c FIPS  28 May 2019
gsissh: OpenSSH_8.0p1c-GSI GSI-hpn14v19, OpenSSL 1.1.1c FIPS  28 May 2019

Wait 3 seconds for startup of gsisshd ...

gss-gex-sha1- OK
gss-group1-sha1- OK
gss-group14-sha256- OK
gss-nistp256-sha256- OK
gss-curve25519-sha256- OK
gss-group16-sha512- OK
```

Additional info:

A fix based on [openssh-gsskex/openssh-gsskex#19] is available from here:

https://gist.github.com/fscheiner/ec430514b28e4dad24516c66939a8945

[openssh-gsskex/openssh-gsskex#19]: https://github.com/openssh-gsskex/openssh-gsskex/pull/19
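
The following is an added example, not part of the original report or the linked test script: a shell helper for checking a patched build by summarising the per-method result lines. It assumes the `<method> <OK|Error>` line format shown in the output above; the function names are hypothetical. Run against the "Actual results" lines, it also shows that `gss-group14-sha1-` appears in the expected list but has no result line.

```shell
#!/bin/sh
# Added example: summarise the result lines printed by the GSS KEX test script.
# Assumption: each result line has the form "<method> <OK|Error>".

# Methods listed under "Expected results" in the report.
EXPECTED_METHODS="gss-group1-sha1- gss-group14-sha1- gss-group14-sha256- gss-group16-sha512- gss-nistp256-sha256- gss-curve25519-sha256- gss-gex-sha1-"

# Constructed sample: the result lines copied from "Actual results".
SAMPLE_OUTPUT='gss-gex-sha1- OK
gss-group1-sha1- Error
gss-group14-sha256- Error
gss-nistp256-sha256- Error
gss-curve25519-sha256- Error
gss-group16-sha512- Error'

# Print the methods whose result line carries the given status.
# $1 = status (OK or Error), stdin = test script output.
methods_with_status() {
    awk -v want="$1" '$1 ~ /^gss-/ && NF == 2 && $2 == want { print $1 }'
}

# Print expected methods that have no result line at all (stdin = output).
untested_methods() (
    seen=$(awk '$1 ~ /^gss-/ && NF == 2 { print $1 }')
    for m in $EXPECTED_METHODS; do
        printf '%s\n' "$seen" | grep -qxF -- "$m" || printf '%s\n' "$m"
    done
)

# Succeed only if every expected method was tested and none reported Error.
gss_kex_all_ok() (
    out=$(cat)
    [ -z "$(printf '%s\n' "$out" | methods_with_status Error)" ] &&
        [ -z "$(printf '%s\n' "$out" | untested_methods)" ]
)

# Demo on the constructed sample.
echo "Failed methods:"
printf '%s\n' "$SAMPLE_OUTPUT" | methods_with_status Error
echo "Expected but not tested:"
printf '%s\n' "$SAMPLE_OUTPUT" | untested_methods
```

To check a real run, pipe the test script's output into `gss_kex_all_ok` and use its exit status.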

Comment 1 Fedora Update System 2021-03-17 22:22:34 UTC
FEDORA-2021-81c8581192 has been submitted as an update to Fedora 32. https://bodhi.fedoraproject.org/updates/FEDORA-2021-81c8581192

Comment 2 Fedora Update System 2021-03-17 22:22:36 UTC
FEDORA-EPEL-2021-5392fab667 has been submitted as an update to Fedora EPEL 8. https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2021-5392fab667

Comment 3 Fedora Update System 2021-03-17 22:22:37 UTC
FEDORA-2021-b09f187229 has been submitted as an update to Fedora 34. https://bodhi.fedoraproject.org/updates/FEDORA-2021-b09f187229

Comment 4 Fedora Update System 2021-03-18 03:29:20 UTC
FEDORA-2021-fa267d8125 has been pushed to the Fedora 33 testing repository.
Soon you'll be able to install the update with the following command:
`sudo dnf upgrade --enablerepo=updates-testing --advisory=FEDORA-2021-fa267d8125`
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2021-fa267d8125

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.

Comment 5 Fedora Update System 2021-03-18 03:42:52 UTC
FEDORA-2021-81c8581192 has been pushed to the Fedora 32 testing repository.
Soon you'll be able to install the update with the following command:
`sudo dnf upgrade --enablerepo=updates-testing --advisory=FEDORA-2021-81c8581192`
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2021-81c8581192

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.

Comment 6 Fedora Update System 2021-03-18 04:48:15 UTC
FEDORA-EPEL-2021-5392fab667 has been pushed to the Fedora EPEL 8 testing repository.

You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2021-5392fab667

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.

Comment 7 Fedora Update System 2021-03-18 21:47:23 UTC
FEDORA-2021-b09f187229 has been pushed to the Fedora 34 testing repository.
Soon you'll be able to install the update with the following command:
`sudo dnf upgrade --enablerepo=updates-testing --advisory=FEDORA-2021-b09f187229`
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2021-b09f187229

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.

Comment 8 Fedora Update System 2021-03-21 00:21:28 UTC
FEDORA-2021-b09f187229 has been pushed to the Fedora 34 stable repository.
If the problem still persists, please make note of it in this bug report.

Comment 9 Fedora Update System 2021-03-26 00:54:49 UTC
FEDORA-2021-81c8581192 has been pushed to the Fedora 32 stable repository.
If the problem still persists, please make note of it in this bug report.

Comment 10 Fedora Update System 2021-03-26 17:52:57 UTC
FEDORA-2021-fa267d8125 has been pushed to the Fedora 33 stable repository.
If the problem still persists, please make note of it in this bug report.

Comment 11 Fedora Update System 2021-04-02 01:55:55 UTC
FEDORA-EPEL-2021-5392fab667 has been pushed to the Fedora EPEL 8 stable repository.
If the problem still persists, please make note of it in this bug report.

Comment 12 Fedora Update System 2023-10-24 16:19:27 UTC
FEDORA-2023-603d385ac3 has been submitted as an update to Fedora 40. https://bodhi.fedoraproject.org/updates/FEDORA-2023-603d385ac3

Comment 13 Fedora Update System 2023-10-24 17:52:12 UTC
FEDORA-2023-603d385ac3 has been pushed to the Fedora 40 stable repository.
If the problem still persists, please make note of it in this bug report.
