action #119635
[security] test fails in sshd
0%
Description
Test died: command 'ssh -o kexalgorithms=diffie-hellman-group-exchange-sha1 sshboy@localhost bash -c 'whoami| grep sshboy'' failed
The issue happens both in SLE15-SP5 runs and SLE15-SP4 QU.
Investigate the issue. If it is a product bug, open an issue in bugzilla or if it is a test issue, fix it and provide verification runs.
Observation
openQA test in scenario sle-15-SP4-Online-QR-x86_64-fips_env_mode_tests_crypt_core@64bit fails in sshd
Test suite description
Testsuite maintained at https://gitlab.suse.de/qe-security/osd-sle15-security.
Reproducible
Fails since (at least) Build 161.39
Expected result
Last good: (unknown) (or more recent)
Further details
Always latest result in this scenario: latest
Related issues
History
#3
Updated by amanzini 3 months ago
- Status changed from New to In Progress
First observation: the problem occurs because there is a mismatch between the Key Exchange offered by server:
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.4 (protocol 2.0)
| ssh2-enum-algos:
|   kex_algorithms: (10)
|       curve25519-sha256
|       curve25519-sha256@libssh.org
|       ecdh-sha2-nistp256
|       ecdh-sha2-nistp384
|       ecdh-sha2-nistp521
|       diffie-hellman-group-exchange-sha256
|       diffie-hellman-group16-sha512
|       diffie-hellman-group18-sha512
|       diffie-hellman-group14-sha256
|       diffie-hellman-group14-sha1
|   server_host_key_algorithms: (5)
and the algorithms tried by the client:
diffie-hellman-group14-sha1
diffie-hellman-group14-sha256
diffie-hellman-group16-sha512
diffie-hellman-group18-sha512
diffie-hellman-group-exchange-sha1
diffie-hellman-group-exchange-sha256
ecdh-sha2-nistp256
ecdh-sha2-nistp384
ecdh-sha2-nistp521
In detail, diffie-hellman-group-exchange-sha1 is supported on the client but neither offered nor supported by the server. See also https://bugzilla.suse.com/show_bug.cgi?id=1194134
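The mismatch described in the comment above, as an added example that is not part of the original ticket or the test suite: it parses the quoted nmap output and applies the RFC 4253 selection rule (first client algorithm the server also supports, simplified here to ignore host-key constraints) to the two lists. The function and variable names are illustrative.

```python
import re

# Server offer: the nmap ssh2-enum-algos output quoted in the comment above,
# laid out one entry per line.
NMAP_OUTPUT = """\
22/tcp open  ssh     OpenSSH 8.4 (protocol 2.0)
| ssh2-enum-algos:
|   kex_algorithms: (10)
|       curve25519-sha256
|       curve25519-sha256@libssh.org
|       ecdh-sha2-nistp256
|       ecdh-sha2-nistp384
|       ecdh-sha2-nistp521
|       diffie-hellman-group-exchange-sha256
|       diffie-hellman-group16-sha512
|       diffie-hellman-group18-sha512
|       diffie-hellman-group14-sha256
|       diffie-hellman-group14-sha1
|   server_host_key_algorithms: (5)
"""
# Client list, as given in the same comment.
CLIENT_KEX = (
    "diffie-hellman-group14-sha1 diffie-hellman-group14-sha256 "
    "diffie-hellman-group16-sha512 diffie-hellman-group18-sha512 "
    "diffie-hellman-group-exchange-sha1 diffie-hellman-group-exchange-sha256 "
    "ecdh-sha2-nistp256 ecdh-sha2-nistp384 ecdh-sha2-nistp521"
).split()

def parse_kex(nmap_text):
    """Return the kex_algorithms entries of ssh2-enum-algos output, in order."""
    algos, in_kex = [], False
    for line in nmap_text.splitlines():
        item = line.lstrip("|_ ").rstrip()
        header = re.fullmatch(r"(\w+): \(\d+\)", item)  # e.g. "kex_algorithms: (10)"
        if header:
            in_kex = header.group(1) == "kex_algorithms"
        elif in_kex and re.fullmatch(r"[\w@.+-]+", item):
            algos.append(item)
    return algos

def negotiate(client_kex, server_kex):
    """First client algorithm the server also supports, or None if there is none."""
    return next((a for a in client_kex if a in server_kex), None)

def client_only(client_kex, server_kex):
    """Algorithms the client would try that the server does not offer."""
    return [a for a in client_kex if a not in server_kex]

SERVER_KEX = parse_kex(NMAP_OUTPUT)
FORCED = ["diffie-hellman-group-exchange-sha1"]  # the test's -o kexalgorithms= value

if __name__ == "__main__":
    print("forced list  ->", negotiate(FORCED, SERVER_KEX))
    print("full list    ->", negotiate(CLIENT_KEX, SERVER_KEX))
    print("client-only  ->", client_only(CLIENT_KEX, SERVER_KEX))
```

With the single forced algorithm there is no common entry, so negotiation has nothing to select; with the full client list the first shared entry is chosen.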
#4
Updated by punkioudi 3 months ago
Hm, then it should also be added to today's report of the SLE15SP5 Alpha version, wdyt tjyrinki_suse?
#5
Updated by amanzini 3 months ago
- Related to action #116263: [security][fips] test fails in openjdk_fips added
#8
Updated by openqa_review 2 months ago
This is an autogenerated message for openQA integration by the openqa_review script:
This bug is still referenced in a failing openQA test: fips_env_mode_tests_crypt_core
https://openqa.suse.de/tests/10019717#step/sshd/1
To prevent further reminder comments one of the following options should be followed:
- The test scenario is fixed by applying the bug fix to the tested product or the test is adjusted
- The openQA job group is moved to "Released" or "EOL" (End-of-Life)
- The bugref in the openQA scenario is removed or replaced, e.g. label:wontfix:boo1234
Expect the next reminder at the earliest in 28 days if nothing changes in this ticket.
#11
Updated by openqa_review about 2 months ago
This is an autogenerated message for openQA integration by the openqa_review script:
This bug is still referenced in a failing openQA test: fips_env_mode_tests_crypt_core
https://openqa.suse.de/tests/10019717#step/sshd/1
#12
Updated by openqa_review about 1 month ago
This is an autogenerated message for openQA integration by the openqa_review script:
This bug is still referenced in a failing openQA test: fips_env_mode_tests_crypt_core
https://openqa.suse.de/tests/10219395#step/sshd/1
#13
Updated by tjyrinki_suse 10 days ago
This likely needs to be brought to the Thursday meeting similar to what was done with the openjdk.