Bug 617227 - ssh on RHEL6 on s390x with enabled FIPS fails with enabled CPACF
Summary: ssh on RHEL6 on s390x with enabled FIPS fails with enabled CPACF
Keywords:
Status: CLOSED DUPLICATE of bug 618595
Alias: None
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: openssh
Version: 6.0
Hardware: s390x
OS: Linux
Priority: low
Severity: medium
Target Milestone: rc
Target Release: ---
Assignee: Jan F. Chadima
QA Contact: BaseOS QE Security Team
URL:
Whiteboard: Regression
Depends On: 618595
Blocks:
Reported: 2010-07-22 14:31 UTC by Miroslav Vadkerti
Modified: 2010-08-02 12:29 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2010-08-02 12:29:48 UTC
Target Upstream Version:
Embargoed:



Description Miroslav Vadkerti 2010-07-22 14:31:36 UTC
Description of problem:
When I try to connect to sshd running on s390x EL6 with FIPS the connection fails:

[mvadkert@freedom ~]$ ssh root@s390x_machine -v
OpenSSH_5.4p1, OpenSSL 1.0.0a-fips 1 Jun 2010
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Applying options for *
debug1: Connecting to s390x_machine [ipv6_addr] port 22.
debug1: connect to address ipv6_addr port 22: Network is unreachable
debug1: Connecting to s390x_machine  [ipv4_addr] port 22.
debug1: Connection established.
debug1: identity file /home/mvadkert/.ssh/id_rsa type -1
debug1: identity file /home/mvadkert/.ssh/id_rsa-cert type -1
debug1: identity file /home/mvadkert/.ssh/id_dsa type -1
debug1: identity file /home/mvadkert/.ssh/id_dsa-cert type -1
debug1: Remote protocol version 2.0, remote software version OpenSSH_5.3
debug1: match: OpenSSH_5.3 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_5.4
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client 3des-cbc hmac-sha1 none
debug1: kex: client->server 3des-cbc hmac-sha1 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<2048<8192) sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
Connection closed by ipv4_addr

This works in RHEL5

Version-Release number of selected component (if applicable):
openssh-5.3p1-18.el6

How reproducible:
always

Steps to Reproduce:
1. ssh s390x_machine
  
Actual results:
ssh fails

Expected results:
ssh succeeds

Additional info:
I changed the hostname and ipv4/ipv6 addresses. 
As this works in EL5.5 I'm marking this as a regression.
Note this works on x86_64, this may be an s390x only bug

Comment 1 Miroslav Vadkerti 2010-07-27 08:37:35 UTC
I cannot reproduce this on FIPS enabled s390x without enabled 'crypto chip' (CPACF). Adjusting bug summary to reflect this.

Comment 3 Miroslav Vadkerti 2010-07-27 09:06:24 UTC
Very strange but I couldn't reproduce this again on s390 with CPACF enabled with latest openssh-5.3p1-19.el6.s390x. Closing as not a bug.

Comment 5 Miroslav Vadkerti 2010-07-27 09:22:54 UTC
Only FIPS approved cryptographic algorithms are accepted by openssh running on FIPS with enabled CPACF:

$ ssh -c arcfour128 root@auto-s390-002
no matching cipher found: client arcfour128 server aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,3des-cbc,aes192-cbc,aes256-cbc,rijndael-cbc.se

Comment 7 Miroslav Vadkerti 2010-07-27 09:35:26 UTC
NOTE:
Comments 1-5 apply ONLY for OpenSSH in FIPS mode WITHOUT CPACF. 

Using CPACF in FIPS mode is broken in openssh-5.3p1-19.el6.s390x

Comment 8 Miroslav Vadkerti 2010-07-27 09:47:18 UTC
For log from client see comment 6.

Logs on server show this:

/var/log/messages:
Jul 27 05:42:45 auto-s390-002 sshd[3197]: error: Could not load host key: /etc/ssh/ssh_host_rsa_key

/var/log/secure:
Jul 27 05:47:04 auto-s390-002 sshd[3210]: FIPS mode initialized

I will try to run sshd in debug mode
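
Added example, not part of the original report or of OpenSSH: a small triage helper that finds which key-exchange message the client was still waiting for when the server closed the connection, and pairs it with host-key load errors from the server log. The log lines are copied from this report; the function names are hypothetical, and the pairing is a heuristic that assumes both logs describe the same failing server.

```python
import re

# Lines copied from the client debug output and server logs quoted in this report.
CLIENT_DEBUG = """\
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client 3des-cbc hmac-sha1 none
debug1: kex: client->server 3des-cbc hmac-sha1 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<2048<8192) sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
Connection closed by ipv4_addr
"""
SERVER_LOG = """\
Jul 27 05:42:45 auto-s390-002 sshd[3197]: error: Could not load host key: /etc/ssh/ssh_host_rsa_key
Jul 27 05:47:04 auto-s390-002 sshd[3210]: FIPS mode initialized
"""
# Key-exchange replies in which the server sends its host key and a signature
# made with it (RFC 4253, RFC 4419), as OpenSSH names them in debug output.
SIGNED_REPLIES = {"SSH2_MSG_KEX_DH_GEX_REPLY", "SSH2_MSG_KEXDH_REPLY"}

def pending_message(client_debug):
    """Return the message the client still expected when the peer closed, else None."""
    waiting = None
    for line in client_debug.splitlines():
        m = re.match(r"debug1: expecting (\S+)", line)
        if m:
            waiting = m.group(1)
        elif waiting and line == f"debug1: {waiting} received":
            waiting = None  # the expected message arrived
        elif line.startswith("Connection closed by"):
            return waiting
    return None

def host_key_errors(server_log):
    """Return the host key paths sshd reported it could not load."""
    return re.findall(r"sshd\[\d+\]: error: Could not load host key: (\S+)", server_log)

def triage(client_debug, server_log):
    # Heuristic only: timestamps and sshd PIDs are not matched between the logs.
    stalled = pending_message(client_debug)
    keys = host_key_errors(server_log)
    if stalled in SIGNED_REPLIES and keys:
        return f"closed before {stalled}; host key not loaded: {', '.join(keys)}"
    if stalled:
        return f"closed while client expected {stalled}"
    return "no key-exchange stall found"
```
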

Comment 14 Tomas Mraz 2010-08-02 12:29:48 UTC
This is really a duplicate of the bug 618595.

If the ibmca engine for openssl and the HW is FIPS certified, then the engine must set proper flag for its RSA implementation method.

*** This bug has been marked as a duplicate of bug 618595 ***

