DSA keys are not allowed in FIPS

Bug #1936473 reported by Christian Ehrhardt 
Affects: uvtool (Ubuntu) | Status: Fix Released | Importance: Undecided | Assigned to: Unassigned | Milestone: (none)

Bug Description

If running on a FIPS system I get:

+ uvt-kvm create --memory 2048 --cpu 4 --disk 16 --password=ubuntu bionic-kvm release=bionic arch=amd64 label=daily
Warning: using --password from the command line is not secure and should be used for debugging only.
DSA keys are not allowed in FIPS mode
Traceback (most recent call last):
  File "/usr/bin/uvt-kvm", line 35, in <module>
    uvtool.libvirt.kvm.main_cli_wrapper(sys.argv[1:])
  File "/usr/lib/python2.7/dist-packages/uvtool/libvirt/kvm.py", line 861, in main_cli_wrapper
    main(*args, **kwargs)
  File "/usr/lib/python2.7/dist-packages/uvtool/libvirt/kvm.py", line 856, in main
    args.func(parser, args)
  File "/usr/lib/python2.7/dist-packages/uvtool/libvirt/kvm.py", line 643, in main_create
    ssh_host_keys, ssh_known_hosts = uvtool.ssh.generate_ssh_host_keys()
  File "/usr/lib/python2.7/dist-packages/uvtool/ssh.py", line 50, in generate_ssh_host_keys
    _keygen(key_type, private_path)
  File "/usr/lib/python2.7/dist-packages/uvtool/ssh.py", line 34, in _keygen
    '-C', 'root@localhost'
  File "/usr/lib/python2.7/subprocess.py", line 190, in check_call
    raise CalledProcessError(retcode, cmd)
subprocess.CalledProcessError: Command '['ssh-keygen', '-q', '-f', '/tmp/uvt-kvm.sshtmpVhmPlF/dsa', '-N', '', '-t', 'dsa', '-C', 'root@localhost']' returned non-zero exit status 255

I also was told that elliptic curves are disallowed.
Could we switch the default to the common RSA to make this work in a FIPS environment?

Christian Ehrhardt (paelzer) wrote:

We iterate over
 KEY_TYPES = ['rsa', 'dsa', 'ecdsa', 'ed25519']
Maybe we can ignore errors as long as one works?
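
One way to implement the tolerant iteration proposed in that comment, as an added example rather than uvtool's own code: each type in KEY_TYPES is tried in turn, types the host refuses (exit status 255, as the traceback shows for dsa) are recorded instead of aborting the run, and the call fails only if no type at all could be generated. The `keygen` parameter and the `simulated_fips_keygen` stand-in are assumptions added so the logic can be exercised without a FIPS host or ssh-keygen.

```python
import os
import subprocess

# Key types uvtool tries, in the order the comment above quotes them.
KEY_TYPES = ['rsa', 'dsa', 'ecdsa', 'ed25519']


def _keygen(key_type, private_path):
    # Same ssh-keygen invocation as in the traceback; raises CalledProcessError
    # (exit status 255 for dsa on a FIPS host) when the type is rejected.
    subprocess.check_call([
        'ssh-keygen', '-q', '-f', private_path, '-N', '',
        '-t', key_type, '-C', 'root@localhost',
    ])


def simulated_fips_keygen(key_type, private_path):
    # Constructed stand-in (assumption, not real ssh-keygen behaviour): refuses
    # dsa and ecdsa as the report describes a FIPS host doing; writes no files.
    if key_type in ('dsa', 'ecdsa'):
        raise subprocess.CalledProcessError(255, ['ssh-keygen', '-t', key_type])


def generate_ssh_host_keys(tmpdir, key_types=KEY_TYPES, keygen=_keygen):
    """Generate one host key per type, skipping types the system refuses.

    Returns (generated, rejected): generated maps key type to private key
    path, rejected maps key type to ssh-keygen's exit status. Raises only
    when every type was refused, so a host that forbids some types still
    gets keys of the remaining ones instead of the crash in the report.
    """
    generated = {}
    rejected = {}
    for key_type in key_types:
        private_path = os.path.join(tmpdir, key_type)
        try:
            keygen(key_type, private_path)
        except subprocess.CalledProcessError as exc:
            rejected[key_type] = exc.returncode
            continue
        generated[key_type] = private_path
    if not generated:
        raise RuntimeError('no SSH host key type could be generated: %r' % rejected)
    return generated, rejected
```

With the real `_keygen` default, `generate_ssh_host_keys(tempfile.mkdtemp())` runs ssh-keygen for each type and returns which ones the host accepted.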

Launchpad Janitor (janitor) wrote:

This bug was fixed in the package uvtool - 0~git178-0ubuntu1

---------------
uvtool (0~git178-0ubuntu1) jammy; urgency=medium

  [ Christian Ehrhardt ]
  * Default to "as close as possible to the host CPU" for the guest CPU model,
    and allow overriding it with --cpu-model (LP: #1869185).
  * Support ssh key types other than dsa for FIPS systems that do not permit it
    (LP: #1936473).
  * Switch IP guessing to libvirt-python.

  [ Andrea Righi ]
  * Drop 'ps2' from the armhf template since this bus is not available there
    (LP: #1956366).

 -- Robie Basak <email address hidden> Thu, 24 Feb 2022 22:02:02 +0000

Changed in uvtool (Ubuntu):
status: New → Fix Released