[FIPS] keystone_ssh | nova_ssh images fail with ssh key limitation

Bug #2032827 reported by Javier Diaz Jr
This bug affects 3 people
Affects: kolla
Status: Confirmed
Importance: Low
Assigned to: Unassigned
Milestone: none

Bug Description

OS Rocky Linux 9.2
Kernel 5.14.0-284.18.1.el9_2.x86_64
Kolla-Ansible: 16.1.0 (2023.1 Antelope)
Docker Version: Docker version 24.0.4, build 3713ee1
Docker image type: source
Docker images:

quay.io/openstack.kolla/keystone-ssh 2023.1-rocky-9 8a5df44c24bb 4 weeks ago 1.15GB
quay.io/openstack.kolla/nova-ssh 2023.1-rocky-9 ff342f52e262 4 weeks ago 1.36GB

The image itself works just fine in a non-FIPS compliant environment, but when FIPS is enabled the keystone-ssh and nova_ssh containers will error out with the following message:

```
++ SSH_HOST_KEY_TYPES=("rsa" "dsa" "ecdsa" "ed25519")
++ for key_type in ${SSH_HOST_KEY_TYPES[@]}
++ KEY_PATH=/etc/ssh/ssh_host_rsa_key
++ [[ ! -f /etc/ssh/ssh_host_rsa_key ]]
++ for key_type in ${SSH_HOST_KEY_TYPES[@]}
++ KEY_PATH=/etc/ssh/ssh_host_dsa_key
++ [[ ! -f /etc/ssh/ssh_host_dsa_key ]]
++ ssh-keygen -q -t dsa -f /etc/ssh/ssh_host_dsa_key -N ''
DSA keys are not allowed in FIPS mode
```

This is hardcoded into the image: https://opendev.org/openstack/kolla/src/branch/stable/2023.1/docker/keystone/keystone-ssh/extend_start.sh

https://opendev.org/openstack/kolla/src/branch/stable/2023.1/docker/nova/nova-ssh/extend_start.sh

Workaround:
Custom image changing the key type.

Reproduce:

Deploy Kolla in an environment with FIPS enabled (`fips-mode-setup --enable`).

I should note that while this works in non-FIPS clouds, this should be taken into serious consideration as there are a number of end users with FIPS requirements ramping up that will eventually run into this as time progresses.

Suggested Fix:

nova:

```bash
#!/bin/bash

# Remove "dsa" from the list as it's not FIPS compliant
SSH_HOST_KEY_TYPES=( "rsa" "ecdsa" "ed25519" )

for key_type in "${SSH_HOST_KEY_TYPES[@]}"; do
    KEY_PATH=/etc/ssh/ssh_host_${key_type}_key

    # Check existing key lengths for RSA to ensure they are FIPS compliant
    # (ssh-keygen -l prints "<bits> <fingerprint> <comment> (<type>)", so
    # the first field is the key size)
    if [[ -f "${KEY_PATH}" ]] && [[ "${key_type}" == "rsa" ]]; then
        key_length=$(ssh-keygen -l -f "${KEY_PATH}" | awk '{print $1}')
        if [[ "${key_length}" -lt 2048 ]]; then
            echo "RSA key length is less than 2048 bits, regenerating..."
            rm -f "${KEY_PATH}" "${KEY_PATH}.pub"
        fi
    fi

    # Generate keys
    if [[ ! -f "${KEY_PATH}" ]]; then
        if [[ "${key_type}" == "rsa" ]]; then
            ssh-keygen -q -t "${key_type}" -b 2048 -f "${KEY_PATH}" -N ""
        elif [[ "${key_type}" == "ecdsa" ]]; then
            ssh-keygen -q -t "${key_type}" -b 256 -f "${KEY_PATH}" -N ""
        else
            ssh-keygen -q -t "${key_type}" -f "${KEY_PATH}" -N ""
        fi
    fi
done

mkdir -p /var/lib/nova/.ssh

if [[ $(stat -c %U:%G /var/lib/nova/.ssh) != "nova:nova" ]]; then
    chown nova: /var/lib/nova/.ssh
fi
```

keystone:

```bash
#!/bin/bash

# Remove "dsa" from the list as it's not FIPS compliant
SSH_HOST_KEY_TYPES=( "rsa" "ecdsa" "ed25519" )

for key_type in "${SSH_HOST_KEY_TYPES[@]}"; do
    KEY_PATH=/etc/ssh/ssh_host_${key_type}_key

    # Check existing key lengths for RSA to ensure they are FIPS compliant
    # (ssh-keygen -l prints "<bits> <fingerprint> <comment> (<type>)", so
    # the first field is the key size)
    if [[ -f "${KEY_PATH}" ]] && [[ "${key_type}" == "rsa" ]]; then
        key_length=$(ssh-keygen -l -f "${KEY_PATH}" | awk '{print $1}')
        if [[ "${key_length}" -lt 2048 ]]; then
            echo "RSA key length is less than 2048 bits, regenerating..."
            rm -f "${KEY_PATH}" "${KEY_PATH}.pub"
        fi
    fi

    # Generate keys
    if [[ ! -f "${KEY_PATH}" ]]; then
        if [[ "${key_type}" == "rsa" ]]; then
            ssh-keygen -q -t "${key_type}" -b 2048 -f "${KEY_PATH}" -N ""
        elif [[ "${key_type}" == "ecdsa" ]]; then
            ssh-keygen -q -t "${key_type}" -b 256 -f "${KEY_PATH}" -N ""
        else
            ssh-keygen -q -t "${key_type}" -f "${KEY_PATH}" -N ""
        fi
    fi
done

mkdir -p /var/lib/keystone/.ssh

if [[ $(stat -c %U:%G /var/lib/keystone/.ssh) != "keystone:keystone" ]]; then
    sudo chown keystone: /var/lib/keystone/.ssh
fi
```
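
The suggested fix above hardcodes the key list and still stops at the first ssh-keygen error. The script below is an added example, not kolla's extend_start.sh and not the reporter's patch: it derives the key set from the kernel's FIPS flag so the non-FIPS list is untouched, audits keys that already exist (a persisted /etc/ssh can still carry a DSA or 1024-bit RSA host key from a pre-FIPS deployment), and reports a refused key type instead of aborting the container start. KEY_DIR, FIPS_FLAG, the function names, the 2048-bit RSA floor and the assumption that ECDSA and ED25519 are acceptable (whether a given FIPS-mode OpenSSH build permits ed25519 is left to ssh-keygen to decide) are this example's own.

```sh
#!/bin/sh
# Added example (not kolla's extend_start.sh, not the reporter's patch): choose
# the host-key set from the kernel's FIPS flag, audit keys already present in
# KEY_DIR, and keep going when ssh-keygen refuses one key type.
# KEY_DIR, FIPS_FLAG, the function names and the 2048-bit RSA floor are assumptions.

KEY_DIR="${KEY_DIR:-/etc/ssh}"
FIPS_FLAG="${FIPS_FLAG:-/proc/sys/crypto/fips_enabled}"

# fips_enabled [flag-file]: true when the flag file holds "1", which is what
# the kernel reports after fips-mode-setup --enable and a reboot.
fips_enabled() {
    flag="${1:-$FIPS_FLAG}"
    [ -r "$flag" ] && [ "$(tr -d '[:space:]' < "$flag")" = "1" ]
}

# host_key_types [flag-file]: key types to generate, one per line. DSA is
# dropped under FIPS because ssh-keygen refuses it (see the log above);
# outside FIPS the image's current list is kept so nothing else changes.
host_key_types() {
    if fips_enabled "$1"; then
        printf '%s\n' rsa ecdsa ed25519
    else
        printf '%s\n' rsa dsa ecdsa ed25519
    fi
}

# key_fips_ok "<line>": judge one line of `ssh-keygen -l -f <key>` output,
# e.g. "2048 SHA256:... root@host (RSA)". Succeeds when the key passes the
# rules used here: no DSA, RSA of at least 2048 bits, ECDSA and ED25519 as is.
key_fips_ok() {
    line="$1"
    bits="${line%% *}"          # first field: key size in bits
    ktype="${line##*(}"         # trailing "(TYPE)"
    ktype="${ktype%)}"
    case "$ktype" in
        DSA) return 1 ;;
        RSA)
            case "$bits" in ''|*[!0-9]*) return 1 ;; esac
            [ "$bits" -ge 2048 ] ;;
        ECDSA|ED25519) return 0 ;;
        *) return 1 ;;          # unknown or unparsable: treat as non-compliant
    esac
}

# audit_host_keys: delete existing host keys that key_fips_ok rejects (and
# keys ssh-keygen cannot read) so generate_host_keys replaces them.
audit_host_keys() {
    for key in "$KEY_DIR"/ssh_host_*_key; do
        [ -f "$key" ] || continue
        if ! line="$(ssh-keygen -l -f "$key" 2>/dev/null)" || ! key_fips_ok "$line"; then
            echo "removing non-FIPS host key $key: ${line:-unreadable}" >&2
            rm -f "$key" "$key.pub"
        fi
    done
}

# generate_host_keys: create each missing key from host_key_types. A refused
# type is reported and skipped; the status is non-zero if any type failed.
generate_host_keys() {
    rc=0
    for key_type in $(host_key_types); do
        key_path="$KEY_DIR/ssh_host_${key_type}_key"
        [ -f "$key_path" ] && continue
        case "$key_type" in
            rsa) ssh-keygen -q -t rsa -b 3072 -f "$key_path" -N "" ;;  # above the 2048 floor
            *)   ssh-keygen -q -t "$key_type" -f "$key_path" -N "" ;;
        esac || { echo "warning: ssh-keygen refused $key_type host key" >&2; rc=1; }
    done
    return "$rc"
}

# Entry point: run with --apply inside the container (needs ssh-keygen and
# write access to KEY_DIR); without it the file only defines the functions.
if [ "${1:-}" = "--apply" ]; then
    if fips_enabled; then audit_host_keys; fi
    generate_host_keys
fi
```

Run as `sh host-keys.sh --apply` in place of the key loop in extend_start.sh. Only the audit is gated on FIPS mode, so a non-FIPS node never has a working key deleted; under FIPS a pre-existing DSA or short RSA key is removed before sshd would trip over it, and a type the local ssh-keygen refuses produces one warning rather than leaving the remaining host keys ungenerated.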

Changed in kolla:
status: New → Confirmed
importance: Undecided → Low
Revision history for this message
Javier Diaz Jr (javierdiazcharles) wrote :

Any progress on this?

Revision history for this message
Dr. Jens Harbott (j-harbott) wrote :

Feel free to submit a patch; otherwise I doubt that this will get fixed. Also note that the images that the project publishes on quay.io are only meant for demonstration and testing purposes; if you have any security requirements at all, you need to look into generating and using your own images.
