Comment 3 for bug 2017761

Anirban Sinha (anisinha) wrote :

> Given that the related PR is trying to avoid both DSA and ED25519 keys, I just wanted to confirm Redhat is seeing failures for ssh-keygen of both ed25519 and DSA keys.

> running the following should give us that confirmation:
>   egrep 'WARN|ssh-keygen|Stderr:' /var/log/cloud-init.log

We have this documented here:
https://access.redhat.com/solutions/3643252

On a FIPS-enforcing system, only the following key types are available:
ecdsa | rsa
The following key types are not available on a FIPS-enforcing system:
dsa | ed25519

But also here goes:

[root@ani-rhel9vm cloud]# grep -R ssh_genkeytypes *
cloud.cfg:ssh_genkeytypes: ['rsa', 'dsa', 'ecdsa', 'ed25519']
[root@ani-rhel9vm cloud]# pwd
/etc/cloud
# egrep 'WARN|ssh-keygen|Stderr:' /var/log/cloud-init.log
2023-04-28 04:43:15,393 - subp.py[DEBUG]: Running command ['ssh-keygen', '-t', 'rsa', '-N', '', '-f', '/etc/ssh/ssh_host_rsa_key'] with allowed return codes [0] (shell=False, capture=True)
2023-04-28 04:43:16,651 - subp.py[DEBUG]: Running command ['ssh-keygen', '-t', 'dsa', '-N', '', '-f', '/etc/ssh/ssh_host_dsa_key'] with allowed return codes [0] (shell=False, capture=True)
2023-04-28 04:43:16,682 - util.py[WARNING]: Failed generating key type dsa to file /etc/ssh/ssh_host_dsa_key
Command: ['ssh-keygen', '-t', 'dsa', '-N', '', '-f', '/etc/ssh/ssh_host_dsa_key']
Stderr: DSA keys are not allowed in FIPS mode
2023-04-28 04:43:16,685 - subp.py[DEBUG]: Running command ['ssh-keygen', '-t', 'ecdsa', '-N', '', '-f', '/etc/ssh/ssh_host_ecdsa_key'] with allowed return codes [0] (shell=False, capture=True)
2023-04-28 04:43:16,718 - subp.py[DEBUG]: Running command ['ssh-keygen', '-t', 'ed25519', '-N', '', '-f', '/etc/ssh/ssh_host_ed25519_key'] with allowed return codes [0] (shell=False, capture=True)
2023-04-28 04:43:16,748 - util.py[WARNING]: Failed generating key type ed25519 to file /etc/ssh/ssh_host_ed25519_key
Command: ['ssh-keygen', '-t', 'ed25519', '-N', '', '-f', '/etc/ssh/ssh_host_ed25519_key']
Stderr: ED25519 keys are not allowed in FIPS mode

> One inconsistency I'm seeing on Ubuntu FIPS systems is that ssh-keygen of ED25519 type seems to be allowed. So, it may not be as simple as avoiding ssh-keygen of both DSA and ED25519 key types.

As I have mentioned in the bug report, the error comes from a patch applied in Fedora. So all recent Red Hat distros are affected. Ubuntu ssh-keygen may not be affected by the warning/error, but I believe the core issue is that those keys are not allowed in FIPS mode in general. Whether Canonical wants to add a similar warning to ssh-keygen is a matter I leave to the Canonical devs.
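A check one can script from the log excerpt above, as an added example that is not part of this bug comment or of cloud-init itself: it pairs each "Failed generating key type" warning in cloud-init.log with the Stderr line that follows it, and filters the ssh_genkeytypes list for a FIPS-enforcing host. The default disallowed set (dsa, ed25519) follows the Red Hat guidance cited in the comment; that other distros disallow the same types is an assumption, as the Ubuntu ed25519 observation shows, so the set is a parameter.

```python
import re

# Constructed sample, adapted from the cloud-init.log excerpt quoted in the comment.
SAMPLE_LOG = """\
2023-04-28 04:43:15,393 - subp.py[DEBUG]: Running command ['ssh-keygen', '-t', 'rsa', '-N', '', '-f', '/etc/ssh/ssh_host_rsa_key'] with allowed return codes [0] (shell=False, capture=True)
2023-04-28 04:43:16,682 - util.py[WARNING]: Failed generating key type dsa to file /etc/ssh/ssh_host_dsa_key
Command: ['ssh-keygen', '-t', 'dsa', '-N', '', '-f', '/etc/ssh/ssh_host_dsa_key']
Stderr: DSA keys are not allowed in FIPS mode
2023-04-28 04:43:16,685 - subp.py[DEBUG]: Running command ['ssh-keygen', '-t', 'ecdsa', '-N', '', '-f', '/etc/ssh/ssh_host_ecdsa_key'] with allowed return codes [0] (shell=False, capture=True)
2023-04-28 04:43:16,748 - util.py[WARNING]: Failed generating key type ed25519 to file /etc/ssh/ssh_host_ed25519_key
Command: ['ssh-keygen', '-t', 'ed25519', '-N', '', '-f', '/etc/ssh/ssh_host_ed25519_key']
Stderr: ED25519 keys are not allowed in FIPS mode
"""

FAILED_RE = re.compile(r"\[WARNING\]: Failed generating key type (\S+) to file (\S+)")
STDERR_RE = re.compile(r"^Stderr: (.*)$")


def failed_hostkeys(log_text):
    """Return {key_type: (path, stderr)} for every host-key generation failure,
    attaching the Stderr line that cloud-init logs right after each WARNING."""
    failures = {}
    pending = None  # key type whose Stderr line has not been seen yet
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            pending = m.group(1)
            failures[pending] = (m.group(2), None)
            continue
        m = STDERR_RE.match(line)
        if m and pending is not None:
            failures[pending] = (failures[pending][0], m.group(1))
            pending = None
    return failures


def fips_only_failures(failures):
    """Key types whose failure reason names FIPS mode, as opposed to some other error."""
    return sorted(k for k, (_, err) in failures.items() if err and "FIPS mode" in err)


def fips_safe_genkeytypes(configured, fips_enabled, disallowed=("dsa", "ed25519")):
    """Filter cloud-init's ssh_genkeytypes list for a FIPS-enforcing host.
    The default disallowed set is an assumption taken from the Red Hat guidance
    cited above; pass a different one for a distro whose ssh-keygen differs."""
    if not fips_enabled:
        return list(configured)
    return [k for k in configured if k not in disallowed]
```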