2073567 – gpg-agent cannot handle ssh keys in FIPS

RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.

Bug 2073567 - gpg-agent cannot handle ssh keys in FIPS

Summary: gpg-agent cannot handle ssh keys in FIPS

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	Red Hat Enterprise Linux 9
Classification:	Red Hat
Component:	gnupg2
Sub Component:
Version:	9.0
Hardware:	Unspecified
OS:	Unspecified
Priority:	medium
Severity:	medium
Target Milestone:	rc
Target Release:	---
Assignee:	Jakub Jelen
QA Contact:	Stanislav Zidek
Docs Contact:	Mirek Jahoda
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2022-04-08 20:26 UTC by Stanislav Zidek
Modified:	2023-11-07 10:38 UTC (History)
CC List:	1 user (show)
Fixed In Version:	gnupg2-2.3.3-3.el9
Doc Type:	Bug Fix
Doc Text:	.`gpg-agent` now works as an SSH agent in FIPS mode Previously, the `gpg-agent` tool created MD5 fingerprints when adding keys to the `ssh-agent` program even though FIPS mode disabled the MD5 digest. As a consequence, the `ssh-add` utility failed to add the keys to the authentication agent. With this release, `gpg-agent` no longer use MD5 checksums. As a result, `gpg-agent` now works as an SSH authentication agent also on systems running in FIPS mode.
Clone Of:
Environment:
Last Closed:	2023-11-07 08:43:37 UTC
Type:	Bug
Target Upstream Version:
Embargoed:
Dependent Products:

Attachments	(Terms of Use)

Links
System	ID	Priority	Status	Summary	Last Updated
Red Hat Issue Tracker	CRYPTO-7318	None	None	None	2022-05-23 18:23:00 UTC
Red Hat Issue Tracker	RHELPLAN-118448	None	None	None	2022-04-08 20:27:58 UTC
Red Hat Product Errata	RHBA-2023:6597	None	None	None	2023-11-07 08:43:44 UTC

Description Stanislav Zidek 2022-04-08 20:26:59 UTC

Description of problem:
In FIPS mode, 'gpg-agent --daemon --enable-ssh-support' can add keys (ssh-add ...), but then gives 'The agent has no identities.' when trying to list them (ssh-add -l). 

Version-Release number of selected component (if applicable):
gnupg2-2.3.3-1.el9.x86_64
libgcrypt-1.10.0-3.el9.x86_64
openssh-8.7p1-8.el9.x86_64

How reproducible:
always

Steps to Reproduce:
1. dnf install -y pinentry-tty
2. ssh-keygen -f testkey -P ''
3. gpg-agent --daemon --enable-ssh-support >envs
4. source envs
5. ssh-add testkey
6. ssh-add -l

Actual results:

# ssh-add testkey
Please enter a passphrase to protect the received secret key
   SHA256:IHw/1uKMQBjUXcFZItMsF2wnWP4fWJuubkSJxSBgvZw
   root.local
within gpg-agent's key storage
Passphrase: 
Repeat: 
Identity added: testkey (root.local)

# ssh-add -l
The agent has no identities.


Expected results:

# ssh-add -l
3072 SHA256:IHw/1uKMQBjUXcFZItMsF2wnWP4fWJuubkSJxSBgvZw root.local (RSA)

Additional info:

Test /CoreOS/gnupg2/Regression/bz638635-gpg-agent-fails-to-encode-iteration-count-into-keys reproduces this issue.

Comment 1 Jakub Jelen 2022-04-11 14:13:51 UTC

The problem is caused by the gnupg2 trying to create MD5 fingerprint when writing the sshcontrol file in here:

  https://git.gnupg.org/cgi-bin/gitweb.cgi?p=gnupg.git;a=blob;f=agent/command-ssh.c;h=a7784e728d9df7b37bdd1a6af73684ecb03e3b02;hb=HEAD#l1097

There is a workaround to add the entry to this file manually.

In long term, the gnupg should avoid using the md5 fingerprints in FIPS mode. It should be quite simple to avoid this, especially when this is used only in a comment describing the key.

Comment 2 Jakub Jelen 2022-04-13 14:15:45 UTC

Upstream issue: https://dev.gnupg.org/T5929

Comment 15 errata-xmlrpc 2023-11-07 08:43:37 UTC

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (gnupg2 bug fix and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2023:6597

Note You need to log in before you can comment on or make changes to this bug.