Project

General

Profile

Actions

action #119635

closed

[security] test fails in sshd

Added by punkioudi about 2 years ago. Updated over 1 year ago.

Status:
Resolved
Priority:
High
Assignee:
Category:
Bugs in existing tests
Target version:
-
Start date:
2022-10-31
Due date:
% Done:

100%

Estimated time:
Difficulty:
Tags:

Description

Test died: command 'ssh -o kexalgorithms=diffie-hellman-group-exchange-sha1 sshboy@localhost bash -c 'whoami| grep sshboy'' failed

The issue happens both in SLE15-SP5 runs and SLE15-SP4 QU.

Investigate the issue. If it is a product bug, open an issue in bugzilla or if it is a test issue, fix it and provide verification runs.

Observation

openQA test in scenario sle-15-SP4-Online-QR-x86_64-fips_env_mode_tests_crypt_core@64bit fails in
sshd

Test suite description

Testsuite maintained at https://gitlab.suse.de/qe-security/osd-sle15-security.

Reproducible

Fails since (at least) Build 161.39

Expected result

Last good: (unknown) (or more recent)

Further details

Always latest result in this scenario: latest


Related issues 2 (0 open2 closed)

Related to openQA Tests (public) - action #116263: [security][fips] test fails in openjdk_fipsResolvedamanzini2022-09-06

Actions
Related to openQA Tests (public) - action #125648: [security] Run sshd FIPS tests only in kernel modeResolvedpstivanin

Actions
Actions #1

Updated by punkioudi about 2 years ago

  • Description updated (diff)
Actions #2

Updated by amanzini about 2 years ago

  • Assignee set to amanzini
Actions #3

Updated by amanzini about 2 years ago

  • Status changed from New to In Progress

First observation: the problem occurs because there is a mismatch between the Key Exchange offered by server:

PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.4 (protocol 2.0)
| ssh2-enum-algos: 
|   kex_algorithms: (10)
|       curve25519-sha256
|       curve25519-sha256@libssh.org
|       ecdh-sha2-nistp256
|       ecdh-sha2-nistp384
|       ecdh-sha2-nistp521
|       diffie-hellman-group-exchange-sha256
|       diffie-hellman-group16-sha512
|       diffie-hellman-group18-sha512
|       diffie-hellman-group14-sha256
|       diffie-hellman-group14-sha1
|   server_host_key_algorithms: (5)

and the algorithms tried by the client:

diffie-hellman-group14-sha1
diffie-hellman-group14-sha256
diffie-hellman-group16-sha512
diffie-hellman-group18-sha512
diffie-hellman-group-exchange-sha1
diffie-hellman-group-exchange-sha256
ecdh-sha2-nistp256
ecdh-sha2-nistp384
ecdh-sha2-nistp521

in detail, diffie-hellman-group-exchange-sha1 is supported on the client but not offered nor supported by the server. See also https://bugzilla.suse.com/show_bug.cgi?id=1194134

Actions #4

Updated by punkioudi about 2 years ago

Hm then it should be also added in the today's report of SLE15SP5 Alpha version, wdyt @tjyrinki_suse?

Actions #5

Updated by amanzini about 2 years ago

  • Related to action #116263: [security][fips] test fails in openjdk_fips added
Actions #6

Updated by amanzini about 2 years ago

did some exploratory testing and looks like the same situation of poo116263; it seems that the underlying crypto library does not consider fips ENV mode. Same test done in FIPS KERNEL mode, passes.

Actions #7

Updated by amanzini about 2 years ago

  • Status changed from In Progress to Blocked
Actions #8

Updated by openqa_review about 2 years ago

This is an autogenerated message for openQA integration by the openqa_review script:

This bug is still referenced in a failing openQA test: fips_env_mode_tests_crypt_core
https://openqa.suse.de/tests/10019717#step/sshd/1

To prevent further reminder comments one of the following options should be followed:

  1. The test scenario is fixed by applying the bug fix to the tested product or the test is adjusted
  2. The openQA job group is moved to "Released" or "EOL" (End-of-Life)
  3. The bugref in the openQA scenario is removed or replaced, e.g. label:wontfix:boo1234

Expect the next reminder at the earliest in 28 days if nothing changes in this ticket.

Actions #11

Updated by openqa_review about 2 years ago

This is an autogenerated message for openQA integration by the openqa_review script:

This bug is still referenced in a failing openQA test: fips_env_mode_tests_crypt_core
https://openqa.suse.de/tests/10019717#step/sshd/1

To prevent further reminder comments one of the following options should be followed:

  1. The test scenario is fixed by applying the bug fix to the tested product or the test is adjusted
  2. The openQA job group is moved to "Released" or "EOL" (End-of-Life)
  3. The bugref in the openQA scenario is removed or replaced, e.g. label:wontfix:boo1234

Expect the next reminder at the earliest in 28 days if nothing changes in this ticket.

Actions #12

Updated by openqa_review about 2 years ago

This is an autogenerated message for openQA integration by the openqa_review script:

This bug is still referenced in a failing openQA test: fips_env_mode_tests_crypt_core
https://openqa.suse.de/tests/10219395#step/sshd/1

To prevent further reminder comments one of the following options should be followed:

  1. The test scenario is fixed by applying the bug fix to the tested product or the test is adjusted
  2. The openQA job group is moved to "Released" or "EOL" (End-of-Life)
  3. The bugref in the openQA scenario is removed or replaced, e.g. label:wontfix:boo1234

Expect the next reminder at the earliest in 28 days if nothing changes in this ticket.

Actions #13

Updated by tjyrinki_suse almost 2 years ago

This likely needs to be brought to the Thursday meeting similar to what was done with the openjdk.

Actions #14

Updated by msmeissn almost 2 years ago

i would guess reason is that ENV mode does not apply to the sshd. (as it does not get the environment variables).

again ENV mode is a secondary way to select FIPS mode, which is not the official way from the FIPS security policy documents.

Actions #15

Updated by openqa_review almost 2 years ago

This is an autogenerated message for openQA integration by the openqa_review script:

This bug is still referenced in a failing openQA test: fips_env_mode_tests_crypt_core
https://openqa.suse.de/tests/10435833#step/sshd/1

To prevent further reminder comments one of the following options should be followed:

  1. The test scenario is fixed by applying the bug fix to the tested product or the test is adjusted
  2. The openQA job group is moved to "Released" or "EOL" (End-of-Life)
  3. The bugref in the openQA scenario is removed or replaced, e.g. label:wontfix:boo1234

Expect the next reminder at the earliest in 28 days if nothing changes in this ticket.

Actions #16

Updated by tjyrinki_suse almost 2 years ago

  • Related to action #125648: [security] Run sshd FIPS tests only in kernel mode added
Actions #17

Updated by tjyrinki_suse almost 2 years ago

  • Status changed from Blocked to Resolved
  • % Done changed from 0 to 100

This can be set to Resolved as ticket #125648 follows it to unschedule sshd module from fips_env_mode*.

Actions #18

Updated by openqa_review almost 2 years ago

  • Status changed from Resolved to Feedback

This is an autogenerated message for openQA integration by the openqa_review script:

This bug is still referenced in a failing openQA test: fips_env_mode_tests_crypt_core
https://openqa.suse.de/tests/10598956#step/sshd/1

To prevent further reminder comments one of the following options should be followed:

  1. The test scenario is fixed by applying the bug fix to the tested product or the test is adjusted
  2. The openQA job group is moved to "Released" or "EOL" (End-of-Life)
  3. The bugref in the openQA scenario is removed or replaced, e.g. label:wontfix:boo1234

Expect the next reminder at the earliest in 28 days if nothing changes in this ticket.

Actions #19

Updated by amanzini almost 2 years ago

  • Status changed from Feedback to Workable
  • Assignee deleted (amanzini)

Seems we need to unschedule sshd also from fips_env_mode_tests_crypt_core

Actions #20

Updated by pstivanin almost 2 years ago

  • Status changed from Workable to In Progress
  • Assignee set to pstivanin
Actions #21

Updated by pstivanin almost 2 years ago

  • Status changed from In Progress to Resolved

this was already done. Don't know why the bot added a comment for a test that failed 23 days ago...

Actions #22

Updated by openqa_review over 1 year ago

  • Status changed from Resolved to Feedback

This is an autogenerated message for openQA integration by the openqa_review script:

This bug is still referenced in a failing openQA test: fips_env_mode_tests_crypt_core
https://openqa.suse.de/tests/10598956#step/sshd/1

To prevent further reminder comments one of the following options should be followed:

  1. The test scenario is fixed by applying the bug fix to the tested product or the test is adjusted
  2. The openQA job group is moved to "Released" or "EOL" (End-of-Life)
  3. The bugref in the openQA scenario is removed or replaced, e.g. label:wontfix:boo1234

Expect the next reminder at the earliest in 28 days if nothing changes in this ticket.

Actions #23

Updated by pstivanin over 1 year ago

  • Status changed from Feedback to Resolved
Actions

Also available in: Atom PDF