Note: This bug is displayed in read-only format because the product is no longer active in Red Hat Bugzilla.
RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.

Bug 2087915

Summary: ssh-ed25519 and sk-ssh-ed25519 hostkeyalgorithms supported in FIPS
Product: Red Hat Enterprise Linux 9 Reporter: Ondrej Moriš <omoris>
Component: opensshAssignee: Dmitry Belyavskiy <dbelyavs>
Status: CLOSED ERRATA QA Contact: Ondrej Moriš <omoris>
Severity: medium Docs Contact:
Priority: medium    
Version: 9.0CC: asosedki, jjelen, mhavrila
Target Milestone: rcKeywords: Triaged
Target Release: ---Flags: pm-rhel: mirror+
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: No Doc Update
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2022-11-15 11:21:51 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Deadline: 2022-07-25   

Description Ondrej Moriš 2022-05-18 14:23:49 UTC 
Description of problem:

In FIPS mode the following hostkeyalgorithms are supported and they (most likely) should not be:

 * ssh-ed25519-cert-v01 
 * sk-ssh-ed25519-cert-v01 
 * sk-ecdsa-sha2-nistp256-cert-v01
 * sk-ssh-ed25519
 * sk-ecdsa-sha2-nistp256
 * ssh-ed25519

Please notice that in the other crypto configuration (casignaturealgorithms, hostbasedacceptedalgorithms and pubkeyacceptedalgorithms) we don't allow any ot these algorithms. Hence unless there is a specific reason to allow them for hostkeyalgorithms I don't think they should be there.

Version-Release number of selected component (if applicable):

openssh-8.7p1-8.el9
crypto-policies-20220223-1.git5203b41.el9_0.1

How reproducible:

100%

Steps to Reproduce:

1. Enable FIPS mode.
   # fips-mode-setup --enable && reboot

2. List the supported hostkeyalgorithms.
   # ssh -G localhost | grep hostkeyalgorithms

Actual results:

hostkeyalgorithms ssh-ed25519-cert-v01,ecdsa-sha2-nistp256-cert-v01,ecdsa-sha2-nistp384-cert-v01,ecdsa-sha2-nistp521-cert-v01,sk-ssh-ed25519-cert-v01,sk-ecdsa-sha2-nistp256-cert-v01,rsa-sha2-512-cert-v01,rsa-sha2-256-cert-v01,ssh-rsa-cert-v01,ssh-ed25519,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,sk-ssh-ed25519,sk-ecdsa-sha2-nistp256,rsa-sha2-512,rsa-sha2-256,ssh-rsa

Expected results:

ostkeyalgorithms ecdsa-sha2-nistp256-cert-v01,ecdsa-sha2-nistp384-cert-v01,ecdsa-sha2-nistp521-cert-v01,rsa-sha2-512-cert-v01,rsa-sha2-256-cert-v01,ssh-rsa-cert-v01,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,rsa-sha2-512,rsa-sha2-256,ssh-rsa

(unless it is stated otherwise)
Comment 1 Jakub Jelen 2022-05-19 16:20:36 UTC 
This looks to me like a dupplicate of bug #2053424 -- Ondro, can you check?

There is nothing wrong with the `sk-ecdsa-sha2-nistp256*` keys though ...
Comment 2 Dmitry Belyavskiy 2022-05-19 17:17:29 UTC 
Jakub, sorry, I'm not sure. 

When we use OpenSSL implementation, we rely on FIPS certified code. When we use sk-*, we rely on hw provided code that may be (and may be not) certified. Am I correct?
Comment 3 Jakub Jelen 2022-05-20 08:18:01 UTC 
Oh, right. I think this will require some clarification before going to final conclusions. There are certainly some FIDO U2F tokens that are FIPS 140-2 certified, either from Yubico or from other vendors. Here is one for Yubikey, which mentions the certified cryptographic module is used for FIDO/U2F:

https://csrc.nist.gov/CSRC/media/projects/cryptographic-module-validation-program/documents/security-policies/140sp3907.pdf

The FIDO specifications mention the FIPS 140-2 or -3 in several places so allowing this in FIPS will most likely have some caveats and most likely will require some modifications to the OpenSSH or sk-usbhid.c to satisfy these requirements.

https://fidoalliance.org/specs/fido-v2.1-ps-20210615/fido-client-to-authenticator-protocol-v2.1-ps-20210615.html#sctn-feature-descriptions-alwaysUv-authnr-actions

I will be looking into this a bit more in coming months because of the GSoC project for libssh so I can have a better look into this.
Comment 4 Ondrej Moriš 2022-05-23 09:02:44 UTC 
BZ#2053424 looks a bit different, this one is most likely a bug in the defaults (or in crypto-policies).
Comment 5 Dmitry Belyavskiy 2022-05-23 09:32:45 UTC 
Looks like a bug in crypto-policies to me. Alex, do you agree?

But I don't think we should enable these algorithms in FIPS mode, see https://bugzilla.redhat.com/show_bug.cgi?id=2087915#c2 for justification. Probably a CP FIPS:SK?
Comment 6 Alexander Sosedkin 2022-05-24 08:28:20 UTC 
code pointer:
  openssh config generator currently does not specify
  HostKeyAlgorithms in the client configuration
  with the following justification:

  # As OpenSSH currently ignores existing known host
  # entries with this setting we cannot use it on client.
  # Otherwise we could break existing users.

  https://gitlab.com/redhat-crypto/fedora-crypto-policies/-/blob/ca01c3e80989f83cc6a0bc61b3a4e997f19ee5ee/python/policygenerators/openssh.py#L196

What is this concern? Is it still a valid concern?
Comment 7 Jakub Jelen 2022-05-25 07:56:16 UTC 
Yes, still the case. I think we have some known issue bug for that and upstream bug for that: https://bugzilla.mindrot.org/show_bug.cgi?id=2924

But not merged upstream and not brought downstream as it sounds quite risky.

Right now, if we would just define HostKeyAlgorithms in client configuration, the order from c-p would have higher priority than the existing known_hosts files on the client and if the client already has different key in known_hosts than is the first one from c-p, he would get false-positive warnings about hostkey change.
Comment 8 Dmitry Belyavskiy 2022-06-08 11:06:47 UTC 
We can have FIPS-compliant tokens we may want to deal with, and in these keys it's up to the client.

We want to hardcode disabling (sk-)ed25519 in FIPS mode and leave sk-ecdsa as an option
Comment 15 Marek Havrila 2022-07-19 12:21:29 UTC 
*** Bug 2053424 has been marked as a duplicate of this bug. ***
Comment 18 errata-xmlrpc 2022-11-15 11:21:51 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (openssh bug fix and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2022:8375