action #161312
open[security][15-SP6] test fails in git
Added by amanzini about 2 months ago. Updated about 1 month ago.
0%
Description
Updating the ticket and inserting it in the backlog due to a different failure in git+ssh:
Cloning into 'qa2'...
/etc/crypto-policies/back-ends/openssh.config line 1: Bad SSH2 cipher spec 'aes256-gcm@openssh.com,chacha20-poly1305@openssh.com,aes256-ctr,aes128-gcm@openssh.com,aes128-ctr'.
/etc/crypto-policies/back-ends/openssh.config line 2: Bad SSH2 MAC spec 'hmac-sha2-256-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha2-256,hmac-sha1,umac-128@openssh.com,hmac-sha2-512'.
/etc/crypto-policies/back-ends/openssh.config line 4: Bad SSH2 KexAlgorithms 'curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512'.
/etc/crypto-policies/back-ends/openssh.config: terminating, 3 bad configuration options
Files
clipboard-202405311032-6zkpk.png (15.7 KB) | amanzini, 2024-05-31 08:32
Updated by amanzini about 2 months ago
- Copied from action #160080: [security][15-SP6] test fails in git added
Updated by amanzini about 2 months ago · Edited
The problem seems related to openssl being initialized in FIPS mode (through an environment variable, not the kernel setting),
but the ssh client configuration was not updated by the crypto-policy scripts because they are not installed by fips_setup.pm when FIPS_ENV mode is enabled.
Updated by amanzini about 2 months ago · Edited
The main issue here is that in ENV_MODE nothing sets up the correct configuration for services to reflect FIPS mode; it's not sufficient to set the environment vars, because some algorithms need to be excluded in the ssh client configuration.
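A quick way to see which names in the crypto-policies file trip the client, as an added example (not code from the ticket, from fips_setup.pm or from the crypto-policies package): ssh rejects a whole `Ciphers`, `MACs` or `KexAlgorithms` spec as soon as one member is unknown to it, which is exactly the "Bad SSH2 ... spec" abort quoted in the description. The script compares each spec against `ssh -Q cipher|mac|kex` (which prints one supported name per line) and prints both the offending names and the filtered spec that would parse. The `--demo` switch, the temporary file built from the three spec lines quoted above, and the assumption that the local ssh is the one running in FIPS mode are all mine, not the ticket's.

```bash
#!/bin/bash
# Added example, not code from the ticket or from crypto-policies/openssh:
# check the algorithm specs a crypto-policies openssh.config hands to ssh
# against what the local client actually accepts (`ssh -Q cipher|mac|kex`).
# ssh aborts the whole config ("Bad SSH2 cipher spec ...") as soon as one
# name in a spec is unknown to the client, so the unsupported names are the
# ones a FIPS-aware policy has to leave out.

# Print the comma-separated members of SPEC that are NOT listed in SUPPORTED
# (SUPPORTED is one name per line, the format `ssh -Q` prints).
unsupported_in_spec() {
    local spec="$1" supported="$2" out="" alg
    local IFS=','
    for alg in $spec; do
        if ! printf '%s\n' "$supported" | grep -qxF -- "$alg"; then
            out="${out:+$out,}$alg"
        fi
    done
    printf '%s' "$out"
}

# Print the members of SPEC that ARE supported, i.e. the spec that would parse.
filter_spec() {
    local spec="$1" supported="$2" out="" alg
    local IFS=','
    for alg in $spec; do
        if printf '%s\n' "$supported" | grep -qxF -- "$alg"; then
            out="${out:+$out,}$alg"
        fi
    done
    printf '%s' "$out"
}

# Walk an openssh.config-style file and report per keyword, using the real
# `ssh -Q` of the machine this runs on (run it on the FIPS host to be useful).
check_openssh_config() {
    local file="$1" keyword spec query supported bad
    while read -r keyword spec; do
        case "$keyword" in
            Ciphers)       query=cipher ;;
            MACs)          query=mac ;;
            KexAlgorithms) query=kex ;;
            *)             continue ;;
        esac
        supported=$(ssh -Q "$query") || { echo "ssh -Q $query failed" >&2; return 1; }
        bad=$(unsupported_in_spec "$spec" "$supported")
        if [ -n "$bad" ]; then
            printf '%s: unsupported: %s\n' "$keyword" "$bad"
            printf '%s: use instead: %s\n' "$keyword" "$(filter_spec "$spec" "$supported")"
        else
            printf '%s: ok\n' "$keyword"
        fi
    done < "$file"
}

# Stand-alone demo (hypothetical --demo switch) on a constructed file holding
# the three spec lines quoted in the ticket description.
if [ "${1-}" = "--demo" ] && command -v ssh >/dev/null 2>&1; then
    tmp=$(mktemp)
    cat > "$tmp" <<'EOF'
Ciphers aes256-gcm@openssh.com,chacha20-poly1305@openssh.com,aes256-ctr,aes128-gcm@openssh.com,aes128-ctr
MACs hmac-sha2-256-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha2-256,hmac-sha1,umac-128@openssh.com,hmac-sha2-512
KexAlgorithms curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512
EOF
    check_openssh_config "$tmp"
    rm -f "$tmp"
fi
```

Run it as `bash check.sh --demo` on the affected 15-SP6 host, or point `check_openssh_config` at `/etc/crypto-policies/back-ends/openssh.config` directly; on a non-FIPS host every keyword should report `ok`, so a differing result between the two runs is the set of names the ENV_MODE setup would have to strip.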
Updated by amanzini about 1 month ago
Some debug output on a 15SP6:
Plain ssh localhost login:
susetest:~ # ssh -v 0
OpenSSH_9.6p1, OpenSSL 3.1.4 24 Oct 2023
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Reading configuration data /etc/ssh/ssh_config.d/50-suse.conf
debug1: Reading configuration data /etc/crypto-policies/back-ends/openssh.config
debug1: /etc/ssh/ssh_config line 31: include /usr/etc/ssh/ssh_config.d/*.conf matched no files
debug1: /etc/ssh/ssh_config line 33: Applying options for *
debug1: configuration requests final Match pass
debug1: re-parsing configuration
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Reading configuration data /etc/ssh/ssh_config.d/50-suse.conf
debug1: Reading configuration data /etc/crypto-policies/back-ends/openssh.config
debug1: /etc/ssh/ssh_config line 31: include /usr/etc/ssh/ssh_config.d/*.conf matched no files
debug1: /etc/ssh/ssh_config line 33: Applying options for *
debug1: Connecting to 0.0.0.0 [0.0.0.0] port 22.
debug1: Connection established.
debug1: identity file /root/.ssh/id_rsa type -1
debug1: identity file /root/.ssh/id_rsa-cert type -1
debug1: identity file /root/.ssh/id_ecdsa type -1
debug1: identity file /root/.ssh/id_ecdsa-cert type -1
debug1: identity file /root/.ssh/id_ecdsa_sk type -1
debug1: identity file /root/.ssh/id_ecdsa_sk-cert type -1
debug1: identity file /root/.ssh/id_ed25519 type -1
debug1: identity file /root/.ssh/id_ed25519-cert type -1
debug1: identity file /root/.ssh/id_ed25519_sk type -1
debug1: identity file /root/.ssh/id_ed25519_sk-cert type -1
debug1: identity file /root/.ssh/id_xmss type -1
debug1: identity file /root/.ssh/id_xmss-cert type -1
debug1: identity file /root/.ssh/id_dsa type -1
debug1: identity file /root/.ssh/id_dsa-cert type -1
debug1: Local version string SSH-2.0-OpenSSH_9.6
debug1: Remote protocol version 2.0, remote software version OpenSSH_9.6
debug1: compat_banner: match: OpenSSH_9.6 pat OpenSSH* compat 0x04000000
debug1: Authenticating to 0.0.0.0:22 as 'root'
debug1: load_hostkeys: fopen /root/.ssh/known_hosts2: No such file or directory
debug1: load_hostkeys: fopen /etc/ssh/ssh_known_hosts: No such file or directory
debug1: load_hostkeys: fopen /etc/ssh/ssh_known_hosts2: No such file or directory
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: algorithm: curve25519-sha256
debug1: kex: host key algorithm: ssh-ed25519
debug1: kex: server->client cipher: aes256-gcm@openssh.com MAC: <implicit> compression: none
debug1: kex: client->server cipher: aes256-gcm@openssh.com MAC: <implicit> compression: none
debug1: kex: curve25519-sha256 need=32 dh_need=32
debug1: kex: curve25519-sha256 need=32 dh_need=32
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug1: SSH2_MSG_KEX_ECDH_REPLY received
debug1: Server host key: ssh-ed25519 SHA256:i9SxQtZwhZuEHuJp1Tk85wKSgaMuSgQN8LJXkmDp19E
debug1: load_hostkeys: fopen /root/.ssh/known_hosts2: No such file or directory
debug1: load_hostkeys: fopen /etc/ssh/ssh_known_hosts: No such file or directory
debug1: load_hostkeys: fopen /etc/ssh/ssh_known_hosts2: No such file or directory
debug1: Host '0.0.0.0' is known and matches the ED25519 host key.
debug1: Found key in /root/.ssh/known_hosts:1
debug1: ssh_packet_send2_wrapped: resetting send seqnr 3
debug1: rekey out after 4294967296 blocks
debug1: SSH2_MSG_NEWKEYS sent
debug1: Sending SSH2_MSG_EXT_INFO
debug1: expecting SSH2_MSG_NEWKEYS
debug1: ssh_packet_read_poll2: resetting read seqnr 3
debug1: SSH2_MSG_NEWKEYS received
debug1: rekey in after 4294967296 blocks
debug1: SSH2_MSG_EXT_INFO received
debug1: kex_ext_info_client_parse: server-sig-algs=<ecdsa-sha2-nistp256,sk-ecdsa-sha2-nistp256@openssh.com,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-ed25519,sk-ssh-ed25519@openssh.com,rsa-sha2-256,rsa-sha2-512>
debug1: kex_ext_info_check_ver: publickey-hostbound@openssh.com=<0>
debug1: kex_ext_info_check_ver: ping@openssh.com=<0>
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: SSH2_MSG_EXT_INFO received
debug1: kex_ext_info_client_parse: server-sig-algs=<ecdsa-sha2-nistp256,sk-ecdsa-sha2-nistp256@openssh.com,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-ed25519,sk-ssh-ed25519@openssh.com,rsa-sha2-256,rsa-sha2-512>
debug1: Authentications that can continue: publickey,password,keyboard-interactive
debug1: Next authentication method: publickey
debug1: Will attempt key: /root/.ssh/id_rsa
debug1: Will attempt key: /root/.ssh/id_ecdsa
debug1: Will attempt key: /root/.ssh/id_ecdsa_sk
debug1: Will attempt key: /root/.ssh/id_ed25519
debug1: Will attempt key: /root/.ssh/id_ed25519_sk
debug1: Will attempt key: /root/.ssh/id_xmss
debug1: Will attempt key: /root/.ssh/id_dsa
debug1: Trying private key: /root/.ssh/id_rsa
debug1: Trying private key: /root/.ssh/id_ecdsa
debug1: Trying private key: /root/.ssh/id_ecdsa_sk
debug1: Trying private key: /root/.ssh/id_ed25519
debug1: Trying private key: /root/.ssh/id_ed25519_sk
debug1: Trying private key: /root/.ssh/id_xmss
debug1: Trying private key: /root/.ssh/id_dsa
debug1: Next authentication method: keyboard-interactive
(root@0.0.0.0) Password:
Authenticated to 0.0.0.0 ([127.0.0.1]:22) using "keyboard-interactive".
debug1: channel 0: new session [client-session] (inactive timeout: 0)
debug1: Requesting no-more-sessions@openssh.com
debug1: Entering interactive session.
debug1: pledge: filesystem
debug1: client_input_global_request: rtype hostkeys-00@openssh.com want_reply 0
debug1: client_input_hostkeys: searching /root/.ssh/known_hosts for 0.0.0.0 / (none)
debug1: client_input_hostkeys: searching /root/.ssh/known_hosts2 for 0.0.0.0 / (none)
debug1: client_input_hostkeys: hostkeys file /root/.ssh/known_hosts2 does not exist
debug1: client_input_hostkeys: no new or deprecated keys from server
debug1: Sending environment.
debug1: channel 0: setting env LC_MEASUREMENT = "it_IT.UTF-8"
debug1: channel 0: setting env LC_PAPER = "it_IT.UTF-8"
debug1: channel 0: setting env LC_MONETARY = "it_IT.UTF-8"
debug1: channel 0: setting env LANG = "en_US.UTF-8"
debug1: channel 0: setting env LC_ADDRESS = "it_IT.UTF-8"
debug1: channel 0: setting env LC_NUMERIC = "it_IT.UTF-8"
debug1: channel 0: setting env LC_TELEPHONE = "it_IT.UTF-8"
debug1: channel 0: setting env LC_TIME = "it_IT.UTF-8"
debug1: pledge: fork
Last login: Mon Jun 3 08:12:21 2024 from 192.168.122.1
susetest:~ # exit
debug1: client_input_channel_req: channel 0 rtype exit-status reply 0
debug1: client_input_channel_req: channel 0 rtype eow@openssh.com reply 0
logout
debug1: channel 0: free: client-session, nchannels 1
Connection to 0.0.0.0 closed.
Transferred: sent 5524, received 5580 bytes, in 5.0 seconds
Bytes per second: sent 1107.4, received 1118.6
debug1: Exit status 0
# rpm -qi crypto
# rpm -qi crypto-policies
Name : crypto-policies
Version : 20230920.570ea89
Release : 150600.1.9
Architecture: noarch
Install Date: Mon 20 May 2024, 08:11:29
Group : Productivity/Networking/Security
Size : 121769
License : LGPL-2.1-or-later
Signature : RSA/SHA256, Fri 8 Mar 2024, 12:45:41, Key ID f74f09bc3fa1d6ce
Source RPM : crypto-policies-20230920.570ea89-150600.1.9.src.rpm
Build Date : Fri 8 Mar 2024, 12:45:22
Build Host : h04-ch1a
Relocations : (not relocatable)
Packager : https://www.suse.com/
Vendor : SUSE LLC <https://www.suse.com/>
URL : https://gitlab.com/redhat-crypto/fedora-crypto-policies
Summary : System-wide crypto policies
Description :
This package provides pre-built configuration files with
cryptographic policies for various cryptographic back-ends,
such as SSL/TLS libraries.
Distribution: SUSE Linux Enterprise 15
Updated by amanzini about 1 month ago
- Status changed from New to Blocked
Reproduced manually as well.