action #119635
closed[security] test fails in sshd
100%
Description
Test died: command 'ssh -o kexalgorithms=diffie-hellman-group-exchange-sha1 sshboy@localhost bash -c 'whoami| grep sshboy'' failed
The issue happens both in SLE15-SP5 runs and SLE15-SP4 QU.
Investigate the issue. If it is a product bug, open an issue in bugzilla or if it is a test issue, fix it and provide verification runs.
Observation¶
openQA test in scenario sle-15-SP4-Online-QR-x86_64-fips_env_mode_tests_crypt_core@64bit fails in
sshd
Test suite description¶
Testsuite maintained at https://gitlab.suse.de/qe-security/osd-sle15-security.
Reproducible¶
Fails since (at least) Build 161.39
Expected result¶
Last good: (unknown) (or more recent)
Further details¶
Always latest result in this scenario: latest
Updated by amanzini about 2 years ago
- Status changed from New to In Progress
First observation: the problem occurs because there is a mismatch between the Key Exchange offered by server:
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.4 (protocol 2.0)
| ssh2-enum-algos:
| kex_algorithms: (10)
| curve25519-sha256
| curve25519-sha256@libssh.org
| ecdh-sha2-nistp256
| ecdh-sha2-nistp384
| ecdh-sha2-nistp521
| diffie-hellman-group-exchange-sha256
| diffie-hellman-group16-sha512
| diffie-hellman-group18-sha512
| diffie-hellman-group14-sha256
| diffie-hellman-group14-sha1
| server_host_key_algorithms: (5)
and the algorithms tried by the client:
diffie-hellman-group14-sha1
diffie-hellman-group14-sha256
diffie-hellman-group16-sha512
diffie-hellman-group18-sha512
diffie-hellman-group-exchange-sha1
diffie-hellman-group-exchange-sha256
ecdh-sha2-nistp256
ecdh-sha2-nistp384
ecdh-sha2-nistp521
in detail, diffie-hellman-group-exchange-sha1 is supported on the client but not offered nor supported by the server. See also https://bugzilla.suse.com/show_bug.cgi?id=1194134
Updated by punkioudi about 2 years ago
Hm then it should be also added in the today's report of SLE15SP5 Alpha version, wdyt @tjyrinki_suse?
Updated by amanzini about 2 years ago
- Related to action #116263: [security][fips] test fails in openjdk_fips added
Updated by amanzini about 2 years ago
- Status changed from In Progress to Blocked
Updated by openqa_review about 2 years ago
This is an autogenerated message for openQA integration by the openqa_review script:
This bug is still referenced in a failing openQA test: fips_env_mode_tests_crypt_core
https://openqa.suse.de/tests/10019717#step/sshd/1
To prevent further reminder comments one of the following options should be followed:
- The test scenario is fixed by applying the bug fix to the tested product or the test is adjusted
- The openQA job group is moved to "Released" or "EOL" (End-of-Life)
- The bugref in the openQA scenario is removed or replaced, e.g.
label:wontfix:boo1234
Expect the next reminder at the earliest in 28 days if nothing changes in this ticket.
Updated by openqa_review about 2 years ago
This is an autogenerated message for openQA integration by the openqa_review script:
This bug is still referenced in a failing openQA test: fips_env_mode_tests_crypt_core
https://openqa.suse.de/tests/10019717#step/sshd/1
To prevent further reminder comments one of the following options should be followed:
- The test scenario is fixed by applying the bug fix to the tested product or the test is adjusted
- The openQA job group is moved to "Released" or "EOL" (End-of-Life)
- The bugref in the openQA scenario is removed or replaced, e.g.
label:wontfix:boo1234
Expect the next reminder at the earliest in 28 days if nothing changes in this ticket.
Updated by openqa_review about 2 years ago
This is an autogenerated message for openQA integration by the openqa_review script:
This bug is still referenced in a failing openQA test: fips_env_mode_tests_crypt_core
https://openqa.suse.de/tests/10219395#step/sshd/1
To prevent further reminder comments one of the following options should be followed:
- The test scenario is fixed by applying the bug fix to the tested product or the test is adjusted
- The openQA job group is moved to "Released" or "EOL" (End-of-Life)
- The bugref in the openQA scenario is removed or replaced, e.g.
label:wontfix:boo1234
Expect the next reminder at the earliest in 28 days if nothing changes in this ticket.
Updated by tjyrinki_suse almost 2 years ago
This likely needs to be brought to the Thursday meeting similar to what was done with the openjdk.
Updated by msmeissn almost 2 years ago
i would guess reason is that ENV mode does not apply to the sshd. (as it does not get the environment variables).
again ENV mode is a secondary way to select FIPS mode, which is not the official way from the FIPS security policy documents.
Updated by openqa_review almost 2 years ago
This is an autogenerated message for openQA integration by the openqa_review script:
This bug is still referenced in a failing openQA test: fips_env_mode_tests_crypt_core
https://openqa.suse.de/tests/10435833#step/sshd/1
To prevent further reminder comments one of the following options should be followed:
- The test scenario is fixed by applying the bug fix to the tested product or the test is adjusted
- The openQA job group is moved to "Released" or "EOL" (End-of-Life)
- The bugref in the openQA scenario is removed or replaced, e.g.
label:wontfix:boo1234
Expect the next reminder at the earliest in 28 days if nothing changes in this ticket.
Updated by tjyrinki_suse almost 2 years ago
- Related to action #125648: [security] Run sshd FIPS tests only in kernel mode added
Updated by tjyrinki_suse almost 2 years ago
- Status changed from Blocked to Resolved
- % Done changed from 0 to 100
This can be set to Resolved as ticket #125648 follows it to unschedule sshd module from fips_env_mode*.
Updated by openqa_review almost 2 years ago
- Status changed from Resolved to Feedback
This is an autogenerated message for openQA integration by the openqa_review script:
This bug is still referenced in a failing openQA test: fips_env_mode_tests_crypt_core
https://openqa.suse.de/tests/10598956#step/sshd/1
To prevent further reminder comments one of the following options should be followed:
- The test scenario is fixed by applying the bug fix to the tested product or the test is adjusted
- The openQA job group is moved to "Released" or "EOL" (End-of-Life)
- The bugref in the openQA scenario is removed or replaced, e.g.
label:wontfix:boo1234
Expect the next reminder at the earliest in 28 days if nothing changes in this ticket.
Updated by amanzini almost 2 years ago
- Status changed from Feedback to Workable
- Assignee deleted (
amanzini)
Seems we need to unschedule sshd also from fips_env_mode_tests_crypt_core
Updated by pstivanin almost 2 years ago
- Status changed from Workable to In Progress
- Assignee set to pstivanin
Updated by pstivanin almost 2 years ago
- Status changed from In Progress to Resolved
this was already done. Don't know why the bot added a comment for a test that failed 23 days ago...
Updated by openqa_review over 1 year ago
- Status changed from Resolved to Feedback
This is an autogenerated message for openQA integration by the openqa_review script:
This bug is still referenced in a failing openQA test: fips_env_mode_tests_crypt_core
https://openqa.suse.de/tests/10598956#step/sshd/1
To prevent further reminder comments one of the following options should be followed:
- The test scenario is fixed by applying the bug fix to the tested product or the test is adjusted
- The openQA job group is moved to "Released" or "EOL" (End-of-Life)
- The bugref in the openQA scenario is removed or replaced, e.g.
label:wontfix:boo1234
Expect the next reminder at the earliest in 28 days if nothing changes in this ticket.