Bug 817066
| Summary: | QEMU should disable VNC password auth when in FIPS 140-2 mode | |||
|---|---|---|---|---|
| Product: | Red Hat Enterprise Linux 6 | Reporter: | Paul Moore <pmoore> | |
| Component: | qemu-kvm | Assignee: | Paul Moore <pmoore> | |
| Status: | CLOSED ERRATA | QA Contact: | Virtualization Bugs <virt-bugs> | |
| Severity: | medium | Docs Contact: | ||
| Priority: | high | |||
| Version: | 6.5 | CC: | acathrow, areis, bsarathy, jrieden, juzhang, lnovich, mazhang, mkenneth, qzhang, rhod, sgrubb, virt-maint | |
| Target Milestone: | rc | |||
| Target Release: | --- | |||
| Hardware: | All | |||
| OS: | Linux | |||
| Whiteboard: | ||||
| Fixed In Version: | qemu-kvm-0.12.1.2-2.361.el6 | Doc Type: | Bug Fix | |
| Doc Text: | We should add a note to the release notes indicating that VNC password authentication is disabled when the system is operating in "FIPS mode". | Story Points: | --- | |
| Clone Of: | 805676 | |||
| : | 817067 | Environment: | ||
| Last Closed: | 2013-11-21 05:45:29 UTC | Type: | --- | |
| Regression: | --- | Mount Type: | --- | |
| Documentation: | --- | CRM: | ||
| Verified Versions: | Category: | --- | ||
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | ||
| Cloudforms Team: | --- | Target Upstream Version: | ||
| Embargoed: | ||||
| Bug Depends On: | 805676, 854384 | |||
| Bug Blocks: | 691449, 817067 | |||
Description
Paul Moore
2012-04-27 15:02:25 UTC
We're late in the RHEL6.3 process and this is not critical, so I'm moving this to 6.4. If the patch is simple and necessary for the certification, feel free to add rhel-6.3.0? back, we can add it to 6.3 in a later snapshot (even via z-stream).

Technical note added. If any revisions are required, please edit the "Technical Notes" field accordingly. All revisions will be proofread by the Engineering Content Services team.
New Contents:
We should add a note to the release notes indicating that VNC password authentication is disabled when the system is operating in "FIPS mode".

With no progress yet upstream, I'm moving this to RHEL6.5.

A fix for this has been accepted upstream and a backport for RHEL6 has been posted for internal review.

Verify this bug on
host:
qemu-kvm-0.12.1.2-2.376.el6.x86_64
kernel-2.6.32-358.el6.x86_64
steps:
1. setup fips with the following steps
a. mkinitrd --with-fips -f /boot/initrd-$(uname -r).img $(uname -r)
b. Add “fips=1” to grub kernel boot line
c. reboot guest
d. # cat /proc/sys/crypto/fips_enabled
1
2. boot guest with:
/usr/libexec/qemu-kvm -hda test.qcow2 -monitor stdio -vnc :0,password
Result:
qemu prompt:
VNC password auth disabled due to FIPS mode, consider using the VeNCrypt or SASL authentication methods as an alternative
Failed to start VNC server on ':0,password'
reproduce this bug on
host:
qemu-kvm-0.12.1.2-2.356.el6.x86_64
kernel-2.6.32-358.el6.x86_64
steps:
1. setup fips with the following steps
a. mkinitrd --with-fips -f /boot/initrd-$(uname -r).img $(uname -r)
b. Add “fips=1” to grub kernel boot line
c. reboot guest
d. # cat /proc/sys/crypto/fips_enabled
1
2. boot guest with:
/usr/libexec/qemu-kvm -hda test.qcow2 -monitor stdio -vnc :0,password
Result:
qemu will boot up guest without error.

Verify steps should be:
1. setup fips with the following steps on HOST
a. mkinitrd --with-fips -f /boot/initrd-$(uname -r).img $(uname -r)
b. Add “fips=1” to grub kernel boot line
2. boot guest with:
/usr/libexec/qemu-kvm -hda test.qcow2 -monitor stdio -vnc :0,password
Result:
qemu prompt:
VNC password auth disabled due to FIPS mode, consider using the VeNCrypt or SASL authentication methods as an alternative
Failed to start VNC server on ':0,password

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.
For information on the advisory, and where to find the updated files, follow the link below.
If the solution does not work for you, open a new bug report.
http://rhn.redhat.com/errata/RHSA-2013-1553.html
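
The verification above can be turned into a pre-flight check for hosts that must run in FIPS mode. The script below is an added example, not part of this bug report or of the QEMU source: it reads the kernel FIPS flag and scans a qemu-kvm argument list for the `-vnc ...,password` option that the fixed build rejects. The function names and exit codes are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: predicts how a qemu-kvm build carrying this fix treats a -vnc option.
# Function names and exit codes are illustrative assumptions.

# Print 1 if the given file (default: the kernel's FIPS flag) contains "1", else 0.
fips_state() {
    f=${1:-/proc/sys/crypto/fips_enabled}
    if [ -r "$f" ] && [ "$(tr -d '[:space:]' < "$f")" = "1" ]; then
        echo 1
    else
        echo 0
    fi
}

# Return 0 if any "-vnc <display>[,option...]" argument carries the "password" option.
vnc_uses_password() {
    while [ $# -gt 0 ]; do
        if [ "$1" = "-vnc" ] && [ $# -ge 2 ]; then
            case ",$2," in
                *,password,*) return 0 ;;
            esac
            shift
        fi
        shift
    done
    return 1
}

# audit_vnc FIPS_FILE QEMU_ARGS...
# Exit 0: no VNC password auth. 1: password auth on a non-FIPS host.
# Exit 2: password auth on a FIPS host; the fixed qemu-kvm fails to start VNC.
audit_vnc() {
    fips_file=$1
    shift
    if ! vnc_uses_password "$@"; then
        echo "OK: no VNC password authentication requested"
        return 0
    fi
    if [ "$(fips_state "$fips_file")" = "1" ]; then
        echo "REFUSED: FIPS mode is on; use VeNCrypt or SASL instead of ',password'"
        return 2
    fi
    echo "WARN: VNC password authentication requested; host is not in FIPS mode"
    return 1
}

# Demo on the command line from the report, against this host's real FIPS flag.
audit_vnc /proc/sys/crypto/fips_enabled \
    -hda test.qcow2 -monitor stdio -vnc :0,password || true
```

Passing a different file as the first argument lets the check run against a saved copy of the flag, which is how it can be exercised on a machine that is not itself in FIPS mode.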