Description of problem:
fips: I cannot register client into satellite and I cannot use rhn_check

Version-Release number of selected component (if applicable):
rhn-client-tools-0.4.20-53.el5

How reproducible:
deterministic

Steps to Reproduce:
0. enable FIPS mode
# cat /proc/sys/crypto/fips_enabled
1
1. rhnreg_ks --username=admin --password=admin --server=http://<satellite>/XMLRPC --force -vv
Exception exceptions.AttributeError: "'YumAction' object has no attribute 'preconf'" in <bound method YumAction.__del__ of <actions.packages.YumAction object at 0x3bd2610>> ignored
2. rhn_check -vv
D: do_call packages.checkNeedUpdate ('rhnsd=1',) {}
D: local action status: ((6,), 'Fatal error in Python code occured', {})
Exception exceptions.AttributeError: "'YumAction' object has no attribute 'preconf'" in <bound method YumAction.__del__ of <actions.packages.YumAction object at 0x1d041610>> ignored

Actual results:
'YumAction' object has no attribute 'preconf'

Expected results:
no warning, no error

Additional info:
[root@nec-em12 ~]# cat /proc/sys/crypto/fips_enabled
1
[root@nec-em12 ~]# uname -a
Linux nec-em12.rhts.eng.bos.redhat.com 2.6.18-262.el5 #1 SMP Mon May 16 17:49:03 EDT 2011 x86_64 x86_64 x86_64 GNU/Linux
This request was evaluated by Red Hat Product Management for inclusion in a Red Hat Enterprise Linux release. Product Management has requested further review of this request by Red Hat Engineering, for potential inclusion in a Red Hat Enterprise Linux release for currently deployed products. This request is not yet committed for inclusion in a release.
With RHEL 5.8, I did not see the problem:

# rhnreg_ks --username=admin --password=admin --force -vv
An error has occurred:
Error Message: Invalid username/password combination
Error Class Code: 2
Error Class Info: Invalid username and password combination. If you are using email address as a login, try using your associated login name instead.
Explanation: An error has occurred while processing your request. If this problem persists please enter a bug report at bugzilla.redhat.com. If you choose to submit the bug report, please be sure to include details of what you were trying to do when this error occurred and details on how to reproduce this problem.
See /var/log/up2date for more information
# rhnreg_ks --username=my-existing-rhn-hosted-login --password=valid-password --force -vv
# rpm -q rhn-client-tools
rhn-client-tools-0.4.20-77.el5
# cat /proc/sys/crypto/fips_enabled
1
# uname -a
Linux vmware200.englab.brq.redhat.com 2.6.18-308.el5 #1 SMP Fri Jan 27 17:21:15 EST 2012 i686 i686 i386 GNU/Linux
#
Could you please check on your installation with RHEL 5.8, whether you still experience the issue?
I forgot to add - rhn_check, even stuff like upgrading packages, seems to work as well:

# rhn_check -vv
D: do_call packages.checkNeedUpdate ('rhnsd=1',) {}
Loaded plugins: product-id, rhnplugin
D: login(forceUpdate=False) invoked
D: readCachedLogin invoked
D: Checking pickled loginInfo, currentTime= 1342172405.8 , createTime= 1342170884.6 , expire-offset= 3600.0
D: readCachedLogin(): using pickled loginInfo set to expire at 1342174484.6
D: local action status: (0, 'rpm database not modified since last update (or package list recently updated)', {})
# rhn_check -vv
D: check_action {'action': "<?xml version='1.0'?>\n<methodCall>\n<methodName>packages.update</methodName>\n<params>\n<param>\n<value><array><data>\n<value><array><data>\n<value><string>autofs</string></value>\n<value><string>5.0.1</string></value>\n<value><string>0.rc2.164.el5_8</string></value>\n<value><string>1</string></value>\n</data></array></value>\n</data></array></value>\n</param>\n</params>\n</methodCall>\n", 'version': 2, 'id': 219315542}
updateLoginInfo() login info
D: login(forceUpdate=True) invoked
logging into up2date server
D: writeCachedLogin() invoked
D: Wrote pickled loginInfo at 1342172483.01 with expiration of 1342176083.01 seconds.
successfully retrieved authentication token from up2date server
D: logininfo: {'X-RHN-Server-Id': 1023125476, 'X-RHN-Auth-Server-Time': '1342165394.97', 'X-RHN-Auth': 'zSRwxXPzZz/kAhGPXTgPZQ==', 'X-RHN-Auth-Channels': [['rhel-i386-server-5', '20120713002936', '1', '1']], 'X-RHN-Auth-User-Id': '', 'X-RHN-Auth-Expire-Offset': '3600.0'}
D: handle_action {'action': "<?xml version='1.0'?>\n<methodCall>\n<methodName>packages.update</methodName>\n<params>\n<param>\n<value><array><data>\n<value><array><data>\n<value><string>autofs</string></value>\n<value><string>5.0.1</string></value>\n<value><string>0.rc2.164.el5_8</string></value>\n<value><string>1</string></value>\n</data></array></value>\n</data></array></value>\n</param>\n</params>\n</methodCall>\n", 'version': 2, 'id': 219315542}
D: handle_action actionid = 219315542, version = 2
D: do_call packages.update ([['autofs', '5.0.1', '0.rc2.164.el5_8', '1']],) {'cache_only': None}
Loaded plugins: product-id, rhnplugin
D: Called update [['autofs', '5.0.1', '0.rc2.164.el5_8', '1']]
D: Dependencies Resolved
D: Downloading Packages:
warning: rpmts_HdrFromFdno: Header V3 DSA signature: NOKEY, key ID 37017186
D: GPG check wasn't successful, will attempt to import key
Importing GPG key 0x37017186 "Red Hat, Inc. (release key) <security>" from /etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release
D: GPG key import was good.
D: Running Transaction Test
D: Finished Transaction Test
D: Transaction Test Succeeded
D: Running Transaction
Installed products updated.
Updating package profile
D: Sending back response (0, 'Update Succeeded', {})
D: do_call packages.checkNeedUpdate ('rhnsd=1',) {}
D: Called refresh_rpmlist
Updating package profile
D: local action status: (0, 'rpmlist refreshed', {})
#
So, the culprit is python-hashlib -- when it's installed, it prevents the OpenSSL operation and leads to

digest.c(151): OpenSSL internal error, assertion failed: Digest update previous FIPS forbidden algorithm error ignored

But it seems to be just a warning -- the rhnreg_ks finishes fine.
I'm not sure I understand why this is a bug in beaker or how it could be addressed. beah uses MD5 in numerous places, so that would be the culprit non-FIPS algorithm. But I don't see how they are related or what exactly triggers the error. Is rhnreg_ks importing/using hashlib and/or using MD5 simply because it's available? What algorithms does it use if python-hashlib isn't installed? Or does anything using non-FIPS algorithms anywhere on the system invalidate FIPS mode?
(In reply to comment #12)
> Or does anything using non-FIPS algorithms anywhere on the system invalidate
> FIPS mode?

Yup. :-(

I'm guessing that it's because FIPS considers md5 to be insecure. So we can just not load it and send it in the clear and be FIPS compliant.

I think the code will already handle not having md5 available.. maybe we just need to remove the dependency.
(In reply to comment #13)
> (In reply to comment #12)
>
> > Or does anything using non-FIPS algorithms anywhere on the system invalidate
> > FIPS mode?
>
> Yup. :-(
>
> I'm guessing that it's because FIPS considers md5 to be insecure. So we can
> just not load it and send it in the clear and be FIPS compliant.

I can't see anywhere it's used apart from for checksums of uploaded files...

> I think the code will already handle not having md5 available.. maybe we
> just need to remove the dependency.

beah already seems to support using different hashing algorithms (although the variable is still called md5sum). Setting DIGEST to SHA-{1,256,512} in beah_beaker.conf might be sufficient?
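
An added example, not code from beah or rhn-client-tools: one way a client could pick the digest for upload checksums so that MD5 is never requested when /proc/sys/crypto/fips_enabled reads 1, in line with the DIGEST suggestion in the comment above. The function names, the fallback order and the handling of names such as SHA-256 are assumptions of this example.

```python
import hashlib
import io

FIPS_FLAG = "/proc/sys/crypto/fips_enabled"  # kernel flag shown in the report
APPROVED = ("sha256", "sha512", "sha1")      # assumed fallback order (SHA family from the thread)


def fips_enabled(path=FIPS_FLAG):
    """True when the kernel reports FIPS mode; False if the flag is absent."""
    try:
        with open(path) as fh:
            return fh.read().strip() == "1"
    except (IOError, OSError):
        return False


def pick_digest(preferred, fips=None):
    """Return the digest name to use, honouring `preferred` when it is allowed."""
    if fips is None:
        fips = fips_enabled()
    name = preferred.lower().replace("-", "")  # accept "SHA-256" or "sha256"
    for cand in [name] + [a for a in APPROVED if a != name]:
        if fips and cand not in APPROVED:
            continue  # policy check first: a forbidden digest is never requested
        try:
            hashlib.new(cand)  # ValueError if this build does not offer it
        except ValueError:
            continue
        return cand
    raise RuntimeError("no usable digest algorithm")


def checksum(stream, preferred="md5", fips=None, chunk=65536):
    """Hash a binary stream; return (algorithm, hexdigest) for the receiver."""
    name = pick_digest(preferred, fips)
    digest = hashlib.new(name)
    for block in iter(lambda: stream.read(chunk), b""):
        digest.update(block)
    return name, digest.hexdigest()


if __name__ == "__main__":
    sample = b"constructed sample upload\n"  # constructed input, not from the report
    print(checksum(io.BytesIO(sample), "md5", fips=True))
    print(checksum(io.BytesIO(sample), "SHA-512", fips=True))
```

Returning the algorithm name with the digest lets the receiving side verify with the same algorithm instead of assuming MD5.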
Patch was originally submitted to fix bug 1094365. It removes the dependency on python-hashlib: http://gerrit.beaker-project.org/#/c/3079/
This bug fix has been applied to the release-0.16 branch, however we have elected not to do another maintenance release of the 0.16.x series. This fix will be included in 0.17.0 instead.
Beah 0.7.5 has been released on beaker-project.org.