RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.
Bug 2070163 - openssh upstream testsuite fails in DEFAULT
Summary: openssh upstream testsuite fails in DEFAULT
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 9
Classification: Red Hat
Component: openssh
Version: 9.0
Hardware: Unspecified
OS: Unspecified
low
low
Target Milestone: rc
: ---
Assignee: Dmitry Belyavskiy
QA Contact: Stanislav Zidek
Jan Fiala
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2022-03-30 14:07 UTC by Stanislav Zidek
Modified: 2023-11-07 11:24 UTC (History)
4 users (show)

Fixed In Version: openssh-8.7p1-30.el9
Doc Type: Enhancement
Doc Text:
.OpenSSH further enforces SHA-2 As part of the effort to migrate further from the less secure SHA-1 message digest for cryptographic purposes, the following changes were made in OpenSSH: * Added a check on `sshd` startup whether using SHA-1 is configured on the system. If it is not available, OpenSSH does not try to use SHA-1 for operations. This eliminates loading DSS keys when they are present and also enforces advertising `rsa-sha2` combinations when they are available. * On SSH private key conversion, OpenSSH explicitly uses SHA-2 for testing RSA keys. * When SHA-1 signatures are unavailable on the server side, `sshd` uses SHA-2 to confirm host key proof. This might be incompatible with clients on RHEL 8 and earlier versions. * When the SHA-1 algorithm is unavailable on the client side, OpenSSH uses SHA-2. * On the client side, OpenSSH permits SHA-2-based key proofs from the server when SHA-1 was used in key proof request or when the hash algorithm is not specified (assuming default). This is aligned with the already present exception for RSA certificates, and allows connecting by using modern algorithms when supported.
Clone Of:
Environment:
Last Closed: 2023-11-07 08:52:54 UTC
Type: Bug
Target Upstream Version:
Embargoed:

Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Gitlab redhat/centos-stream/rpms openssh merge_requests 44 0 None opened Make upstream test passed with DEFAULT crypto policy 2023-01-26 16:19:10 UTC
Red Hat Issue Tracker CRYPTO-9181 0 None None None 2022-12-22 16:01:31 UTC
Red Hat Issue Tracker RHELPLAN-117344 0 None None None 2022-03-30 14:13:05 UTC
Red Hat Product Errata RHBA-2023:6622 0 None None None 2023-11-07 08:53:08 UTC

Description Stanislav Zidek 2022-03-30 14:07:57 UTC 
Description of problem:
Upstream testsuite fails in DEFAULT policy. LEGACY works, indicating perhaps a SHA-1 related issue.

Version-Release number of selected component (if applicable):
openssh-8.7p1-8.el9

How reproducible:
always

Steps to Reproduce:
1. run upstream test suite yourself or /CoreOS/openssh/Sanity/selftest

Actual results:
...
do_convert_from_ssh2: private key conversion failed
0a1,15
> -----BEGIN RSA PRIVATE KEY-----
> MIICWgIBAAKBgQDsilwKcaKN6wSMNd1WgQ9+HRqQEkD0kCTVttrazGu0OhBU3Uko
> +dFD1Ip0CxdXmN25JQWxOYF7h/Ocu8P3jzv3RTX87xKR0YzlXTLX+SLtF/ySebS3
> xWPrlfRUDhh03hR5V+8xxvvy9widPYKw/oItwGSueOsEq1LTczCDv2dAjQIDAQAB
> An8nH5VzvHkMbSqJ6eOYDsVwomRvYbH5IEaYl1x6VATITNvAu9kUdQ4NsSpuMc+7
> Jj9gKZvmO1y2YCKc0P/iO+i/eV0L+yQh1Rw18jQZll+12T+LZrKRav03YNvMx0gN
> wqWY48Kt6hv2/N/ebQzKRe79+D0t2cTh92hT7xENFLIBAkEBGnoGKFjAUkJCwO1V
> mzpUqMHpRZVOrqP9hUmPjzNJ5oBPFGe4+h1hoSRFOAzaNuZt8ssbqaLCkzB8bfzj
> qhZqAQJBANZekuUpp8iBLeLSagw5FkcPwPzq6zfExbhvsZXb8Bo/4SflNs4JHXwI
> 7SD9Z8aJLvM4uQ/5M70lblDMQ40i3o0CQQDIJvBYBFL5tlOgakq/O7yi+wt0L5BZ
> 9H79w5rCSAA0IHRoK/qI1urHiHC3f3vbbLk5UStfrqEaND/mm0shyNIBAkBLsYdC
> /ctt5Bc0wUGK4Vl5bBmj9LtrrMJ4FpBpLwj/69BwCuKoK9XKZ0h73p6XHveCEGRg
> PIlFX4MtaoLrwgU9AkBV2k4dgIws+X8YX65EsyyFjnlDqX4x0nSOjQB1msIKfHBr
> dh5XLDBTTCxnKhMJ0Yx/opgOvf09XHBFwaQntR5i
> -----END RSA PRIVATE KEY-----
make[1]: *** [Makefile:147: t1] Error 1

Expected results:
tests pass
Comment 17 Dmitry Belyavskiy 2023-04-20 15:53:16 UTC 
Summary of the changes

1. On sshd startup, we check whether signing using the SHA1 for signing is available and don't use it when it isn't.
2. On ssh private key conversion we explicitly use SHA2 for testing RSA keys.
3. In sshd, when SHA1 signatures are unavailable, we fallback (fall forward :) ) to SHA2 on host keys proof confirmation.
4. On a client side we permit SHA2-based proofs from server when requested SHA1 proof (or didn't specify the hash algorithm that implies SHA1 on the client side). It is aligned with already present exception for RSA certificates.
5. We fallback to SHA2 if SHA1 signatures is not available on the client side (file sshconnect2.c).
6. We skip dss-related tests (they don't work without SHA1).
Comment 31 errata-xmlrpc 2023-11-07 08:52:54 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (openssh bug fix and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2023:6622
Note You need to log in before you can comment on or make changes to this bug.