[SSSD] [sssd PR#5925][synchronized] TEST: Current value of ssh_hash_known_hosts causes error in the default configuration in FIPS mode

2022-01-10 Thread dparmar18
   URL: https://github.com/SSSD/sssd/pull/5925
Author: dparmar18
 Title: #5925: TEST: Current value of ssh_hash_known_hosts causes error in the 
default configuration in FIPS mode
Action: synchronized

To pull the PR as Git branch:
git remote add ghsssd https://github.com/SSSD/sssd
git fetch ghsssd pull/5925/head:pr5925
git checkout pr5925
From a6d06efaa51188f9ac7b2c4e8a5d1db1ad1621fd Mon Sep 17 00:00:00 2001
From: Dhairya Parmar 
Date: Thu, 16 Dec 2021 20:42:47 +0530
Subject: [PATCH 1/2] TEST: Current value of ssh_hash_known_hosts causes error
 in the default configuration in FIPS mode.

Explanation
- In SSSD the default value for ssh_hash_known_hosts is set to true.
  It should be changed to false for consistency with the OpenSSH
  setting, which does not hash host names by default.

Verifies
  Issue: https://github.com/SSSD/sssd/issues/5848
  Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=2014249
---
 src/tests/multihost/ipa/test_misc.py | 83 
 1 file changed, 83 insertions(+)

diff --git a/src/tests/multihost/ipa/test_misc.py b/src/tests/multihost/ipa/test_misc.py
index 2c25cd0b1e..3a30d3fcfd 100644
--- a/src/tests/multihost/ipa/test_misc.py
+++ b/src/tests/multihost/ipa/test_misc.py
@@ -303,3 +303,86 @@ def test_authentication_indicators(self, multihost):
  ' |tail -10')
 ssh.close()
 assert 'indicators: 2' in search.stdout_text
+
+def test_ssh_hash_knownhosts(self, multihost, reset_password,
+ setup_ipa_client, backupsssdconf):
+"""
+:title: Current value of ssh_hash_known_hosts causes error in
+ the default configuration in FIPS mode.
+:description: In SSSD the default value for ssh_hash_known_hosts
+ is set to true, It should be changed to false for consistency with
+ the OpenSSH setting that does not hashes host names by default
+:bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=2014249
+:id: 1cee74c8-a0ad-44d4-8287-a32e3266de22
+:customerscenario: false
+:steps:
+1. Stop SSSD
+2. Configure SSSD with ssh having default value of
+   ssh_hash_known_hosts / ssh_hash_known_hosts = True /
+   ssh_hash_known_hosts = False
+3. Remove /var/lib/sss/pubconf/known_hosts file
+4. Start SSSD
+5. Perform SSH using IPA user
+6. Check if hostnames are hashed/unhashed in
+   /var/lib/sss/pubconf/known_hosts
+:expectedresults:
+1. Should succeed
+2. Should succeed
+3. Should succeed
+4. Should succeed
+5. Should succeed
+6. Hostnames should be hashed/unhashed as per the value of
+   ssh_hash_known_hosts
+"""
+tools = sssdTools(multihost.client[0])
+server_host = multihost.master[0].sys_hostname
+rm_host_keys = "rm -rf /tmp/ssh_host0003_rsa*"
+rm_known_hosts = "rm -rf /var/lib/sss/pubconf/known_hosts"
+view_known_hosts = "cat /var/lib/sss/pubconf/known_hosts"
+# adding host to IPA server
+multihost.master[0].run_command(r"ssh-keygen -q -t rsa -N '' -C '' "
+r"-f /tmp/ssh_host0003_rsa")
+multihost.master[0].run_command("ipa host-mod %s --sshpubkey="
+"\"$(cat /tmp/ssh_host0003_rsa.pub)\" "
+"--updatedns"
+% multihost.client[0].sys_hostname)
+
+def check_hostname_hash(hash_value=None):
+#  no hash_value or hash_value = True or hash_value = False
+multihost.client[0].service_sssd("stop")
+if hash_value is None:
+sssd_conf_cmd = multihost.client[0].\
+run_command("cat /etc/sssd/sssd.conf")
+sssd_conf = str(sssd_conf_cmd.stdout_text).strip()
+if "ssh_hash_known_hosts" in sssd_conf:
+ssh_section = "ssh"
+ssh_param = {"ssh_hash_known_hosts": ""}
+tools.sssd_conf(ssh_section, ssh_param, action="delete")
+if hash_value is not None:
+ssh_section = "ssh"
+ssh_param = {"ssh_hash_known_hosts": hash_value}
+tools.sssd_conf(ssh_section, ssh_param, action="update")
+multihost.client[0].run_command(rm_known_hosts)
+multihost.client[0].service_sssd("start")
+cmd = "ssh -l -q foobar0@%s echo 'login successful'" % server_host
+# key added when performing SSH
+multihost.client[0].run_command(cmd, stdin_text="Secret123",
+raiseonerr=False)
+known_hosts = multihost.client[0].run_command(view_known_hosts)
+if server_host in 

[SSSD] [sssd PR#5925][synchronized] TEST: Current value of ssh_hash_known_hosts causes error in the default configuration in FIPS mode

2022-01-10 Thread dparmar18
   URL: https://github.com/SSSD/sssd/pull/5925
Author: dparmar18
 Title: #5925: TEST: Current value of ssh_hash_known_hosts causes error in the 
default configuration in FIPS mode
Action: synchronized

To pull the PR as Git branch:
git remote add ghsssd https://github.com/SSSD/sssd
git fetch ghsssd pull/5925/head:pr5925
git checkout pr5925
From a6d06efaa51188f9ac7b2c4e8a5d1db1ad1621fd Mon Sep 17 00:00:00 2001
From: Dhairya Parmar 
Date: Thu, 16 Dec 2021 20:42:47 +0530
Subject: [PATCH] TEST: Current value of ssh_hash_known_hosts causes error in
 the default configuration in FIPS mode.

Explanation
- In SSSD the default value for ssh_hash_known_hosts is set to true.
  It should be changed to false for consistency with the OpenSSH
  setting, which does not hash host names by default.

Verifies
  Issue: https://github.com/SSSD/sssd/issues/5848
  Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=2014249
---
 src/tests/multihost/ipa/test_misc.py | 83 
 1 file changed, 83 insertions(+)

diff --git a/src/tests/multihost/ipa/test_misc.py b/src/tests/multihost/ipa/test_misc.py
index 2c25cd0b1e..3a30d3fcfd 100644
--- a/src/tests/multihost/ipa/test_misc.py
+++ b/src/tests/multihost/ipa/test_misc.py
@@ -303,3 +303,86 @@ def test_authentication_indicators(self, multihost):
  ' |tail -10')
 ssh.close()
 assert 'indicators: 2' in search.stdout_text
+
+def test_ssh_hash_knownhosts(self, multihost, reset_password,
+ setup_ipa_client, backupsssdconf):
+"""
+:title: Current value of ssh_hash_known_hosts causes error in
+ the default configuration in FIPS mode.
+:description: In SSSD the default value for ssh_hash_known_hosts
+ is set to true, It should be changed to false for consistency with
+ the OpenSSH setting that does not hashes host names by default
+:bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=2014249
+:id: 1cee74c8-a0ad-44d4-8287-a32e3266de22
+:customerscenario: false
+:steps:
+1. Stop SSSD
+2. Configure SSSD with ssh having default value of
+   ssh_hash_known_hosts / ssh_hash_known_hosts = True /
+   ssh_hash_known_hosts = False
+3. Remove /var/lib/sss/pubconf/known_hosts file
+4. Start SSSD
+5. Perform SSH using IPA user
+6. Check if hostnames are hashed/unhashed in
+   /var/lib/sss/pubconf/known_hosts
+:expectedresults:
+1. Should succeed
+2. Should succeed
+3. Should succeed
+4. Should succeed
+5. Should succeed
+6. Hostnames should be hashed/unhashed as per the value of
+   ssh_hash_known_hosts
+"""
+tools = sssdTools(multihost.client[0])
+server_host = multihost.master[0].sys_hostname
+rm_host_keys = "rm -rf /tmp/ssh_host0003_rsa*"
+rm_known_hosts = "rm -rf /var/lib/sss/pubconf/known_hosts"
+view_known_hosts = "cat /var/lib/sss/pubconf/known_hosts"
+# adding host to IPA server
+multihost.master[0].run_command(r"ssh-keygen -q -t rsa -N '' -C '' "
+r"-f /tmp/ssh_host0003_rsa")
+multihost.master[0].run_command("ipa host-mod %s --sshpubkey="
+"\"$(cat /tmp/ssh_host0003_rsa.pub)\" "
+"--updatedns"
+% multihost.client[0].sys_hostname)
+
+def check_hostname_hash(hash_value=None):
+#  no hash_value or hash_value = True or hash_value = False
+multihost.client[0].service_sssd("stop")
+if hash_value is None:
+sssd_conf_cmd = multihost.client[0].\
+run_command("cat /etc/sssd/sssd.conf")
+sssd_conf = str(sssd_conf_cmd.stdout_text).strip()
+if "ssh_hash_known_hosts" in sssd_conf:
+ssh_section = "ssh"
+ssh_param = {"ssh_hash_known_hosts": ""}
+tools.sssd_conf(ssh_section, ssh_param, action="delete")
+if hash_value is not None:
+ssh_section = "ssh"
+ssh_param = {"ssh_hash_known_hosts": hash_value}
+tools.sssd_conf(ssh_section, ssh_param, action="update")
+multihost.client[0].run_command(rm_known_hosts)
+multihost.client[0].service_sssd("start")
+cmd = "ssh -l -q foobar0@%s echo 'login successful'" % server_host
+# key added when performing SSH
+multihost.client[0].run_command(cmd, stdin_text="Secret123",
+raiseonerr=False)
+known_hosts = multihost.client[0].run_command(view_known_hosts)
+if server_host in known_hosts.stdout_text:
+  

[SSSD] [sssd PR#5925][synchronized] TEST: Current value of ssh_hash_known_hosts causes error in the default configuration in FIPS mode

2022-01-10 Thread dparmar18
   URL: https://github.com/SSSD/sssd/pull/5925
Author: dparmar18
 Title: #5925: TEST: Current value of ssh_hash_known_hosts causes error in the 
default configuration in FIPS mode
Action: synchronized

To pull the PR as Git branch:
git remote add ghsssd https://github.com/SSSD/sssd
git fetch ghsssd pull/5925/head:pr5925
git checkout pr5925
From b0a2085a7d8af6038e99e0832999ecf8f4eae556 Mon Sep 17 00:00:00 2001
From: Dhairya Parmar 
Date: Thu, 16 Dec 2021 20:42:47 +0530
Subject: [PATCH 1/2] TEST: Current value of ssh_hash_known_hosts causes error
 in the default configuration in FIPS mode.

Explanation
- In SSSD the default value for ssh_hash_known_hosts is set to true.
  It should be changed to false for consistency with the OpenSSH
  setting, which does not hash host names by default.

Verifies
  Issue: https://github.com/SSSD/sssd/issues/5848
  Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=2014249
---
 src/tests/multihost/ipa/test_misc.py | 83 
 1 file changed, 83 insertions(+)

diff --git a/src/tests/multihost/ipa/test_misc.py b/src/tests/multihost/ipa/test_misc.py
index 2c25cd0b1e..d2561b845a 100644
--- a/src/tests/multihost/ipa/test_misc.py
+++ b/src/tests/multihost/ipa/test_misc.py
@@ -303,3 +303,86 @@ def test_authentication_indicators(self, multihost):
  ' |tail -10')
 ssh.close()
 assert 'indicators: 2' in search.stdout_text
+
+def test_ssh_hash_knownhosts(self, multihost, reset_password,
+ setup_ipa_client, backupsssdconf):
+"""
+:title: Current value of ssh_hash_known_hosts causes error in
+ the default configuration in FIPS mode.
+:description: In SSSD the default value for ssh_hash_known_hosts
+ is set to true, It should be changed to false for consistency with
+ the OpenSSH setting that does not hashes host names by default
+:bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=2014249
+:id: 1cee74c8-a0ad-44d4-8287-a32e3266de22
+:customerscenario: false
+:steps:
+1. Stop SSSD
+2. Configure SSSD with ssh having default value of
+   ssh_hash_known_hosts / ssh_hash_known_hosts = True /
+   ssh_hash_known_hosts = False
+3. Remove /var/lib/sss/pubconf/known_hosts file
+4. Start SSSD
+5. Perform SSH using IPA user
+6. Check if hostnames are hashed/unhashed in
+   /var/lib/sss/pubconf/known_hosts
+:expectedresults:
+1. Should succeed
+2. Should succeed
+3. Should succeed
+4. Should succeed
+5. Should succeed
+6. Hostnames should be hashed/unhashed as per the value of
+   ssh_hash_known_hosts
+"""
+tools = sssdTools(multihost.client[0])
+server_host = multihost.master[0].sys_hostname
+rm_host_keys = "rm -rf /tmp/ssh_host0003_rsa*"
+rm_known_hosts = "rm -rf /var/lib/sss/pubconf/known_hosts"
+view_known_hosts = "cat /var/lib/sss/pubconf/known_hosts"
+# adding host to IPA server
+multihost.master[0].run_command(r"ssh-keygen -q -t rsa -N '' -C '' -f /tmp/ssh_host0003_rsa")
+multihost.master[0].run_command("ipa host-mod %s --sshpubkey="
+"\"$(cat /tmp/ssh_host0003_rsa.pub)\" "
+"--updatedns"
+% multihost.client[0].sys_hostname)
+
+def check_hostname_hash(hash_value=None):
+#  no hash_value or hash_value = True or hash_value = False
+multihost.client[0].service_sssd("stop")
+if hash_value is None:
+sssd_conf_cmd = multihost.client[0].\
+run_command("cat /etc/sssd/sssd.conf")
+sssd_conf = str(sssd_conf_cmd.stdout_text).strip()
+if "ssh_hash_known_hosts" in sssd_conf:
+ssh_section = "ssh"
+ssh_param = {"ssh_hash_known_hosts": ""}
+tools.sssd_conf(ssh_section, ssh_param, action="delete")
+if hash_value is not None:
+ssh_section = "ssh"
+ssh_param = {"ssh_hash_known_hosts": hash_value}
+tools.sssd_conf(ssh_section, ssh_param, action="update")
+multihost.client[0].run_command(rm_known_hosts)
+multihost.client[0].service_sssd("start")
+cmd = "ssh -l -q foobar0@%s echo 'login successful'" % server_host
+# key added when performing SSH
+multihost.client[0].run_command(cmd, stdin_text="Secret123",
+raiseonerr=False)
+known_hosts = multihost.client[0].run_command(view_known_hosts)
+if server_host in known_hosts.stdout_text:
+flag = 0  # hostname not 

[SSSD] [sssd PR#5925][synchronized] TEST: Current value of ssh_hash_known_hosts causes error in the default configuration in FIPS mode

2022-01-07 Thread dparmar18
   URL: https://github.com/SSSD/sssd/pull/5925
Author: dparmar18
 Title: #5925: TEST: Current value of ssh_hash_known_hosts causes error in the 
default configuration in FIPS mode
Action: synchronized

To pull the PR as Git branch:
git remote add ghsssd https://github.com/SSSD/sssd
git fetch ghsssd pull/5925/head:pr5925
git checkout pr5925
From b0a2085a7d8af6038e99e0832999ecf8f4eae556 Mon Sep 17 00:00:00 2001
From: Dhairya Parmar 
Date: Thu, 16 Dec 2021 20:42:47 +0530
Subject: [PATCH] TEST: Current value of ssh_hash_known_hosts causes error in
 the default configuration in FIPS mode.

Explanation
- In SSSD the default value for ssh_hash_known_hosts is set to true.
  It should be changed to false for consistency with the OpenSSH
  setting, which does not hash host names by default.

Verifies
  Issue: https://github.com/SSSD/sssd/issues/5848
  Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=2014249
---
 src/tests/multihost/ipa/test_misc.py | 83 
 1 file changed, 83 insertions(+)

diff --git a/src/tests/multihost/ipa/test_misc.py b/src/tests/multihost/ipa/test_misc.py
index 2c25cd0b1e..d2561b845a 100644
--- a/src/tests/multihost/ipa/test_misc.py
+++ b/src/tests/multihost/ipa/test_misc.py
@@ -303,3 +303,86 @@ def test_authentication_indicators(self, multihost):
  ' |tail -10')
 ssh.close()
 assert 'indicators: 2' in search.stdout_text
+
+def test_ssh_hash_knownhosts(self, multihost, reset_password,
+ setup_ipa_client, backupsssdconf):
+"""
+:title: Current value of ssh_hash_known_hosts causes error in
+ the default configuration in FIPS mode.
+:description: In SSSD the default value for ssh_hash_known_hosts
+ is set to true, It should be changed to false for consistency with
+ the OpenSSH setting that does not hashes host names by default
+:bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=2014249
+:id: 1cee74c8-a0ad-44d4-8287-a32e3266de22
+:customerscenario: false
+:steps:
+1. Stop SSSD
+2. Configure SSSD with ssh having default value of
+   ssh_hash_known_hosts / ssh_hash_known_hosts = True /
+   ssh_hash_known_hosts = False
+3. Remove /var/lib/sss/pubconf/known_hosts file
+4. Start SSSD
+5. Perform SSH using IPA user
+6. Check if hostnames are hashed/unhashed in
+   /var/lib/sss/pubconf/known_hosts
+:expectedresults:
+1. Should succeed
+2. Should succeed
+3. Should succeed
+4. Should succeed
+5. Should succeed
+6. Hostnames should be hashed/unhashed as per the value of
+   ssh_hash_known_hosts
+"""
+tools = sssdTools(multihost.client[0])
+server_host = multihost.master[0].sys_hostname
+rm_host_keys = "rm -rf /tmp/ssh_host0003_rsa*"
+rm_known_hosts = "rm -rf /var/lib/sss/pubconf/known_hosts"
+view_known_hosts = "cat /var/lib/sss/pubconf/known_hosts"
+# adding host to IPA server
+multihost.master[0].run_command(r"ssh-keygen -q -t rsa -N '' -C '' -f /tmp/ssh_host0003_rsa")
+multihost.master[0].run_command("ipa host-mod %s --sshpubkey="
+"\"$(cat /tmp/ssh_host0003_rsa.pub)\" "
+"--updatedns"
+% multihost.client[0].sys_hostname)
+
+def check_hostname_hash(hash_value=None):
+#  no hash_value or hash_value = True or hash_value = False
+multihost.client[0].service_sssd("stop")
+if hash_value is None:
+sssd_conf_cmd = multihost.client[0].\
+run_command("cat /etc/sssd/sssd.conf")
+sssd_conf = str(sssd_conf_cmd.stdout_text).strip()
+if "ssh_hash_known_hosts" in sssd_conf:
+ssh_section = "ssh"
+ssh_param = {"ssh_hash_known_hosts": ""}
+tools.sssd_conf(ssh_section, ssh_param, action="delete")
+if hash_value is not None:
+ssh_section = "ssh"
+ssh_param = {"ssh_hash_known_hosts": hash_value}
+tools.sssd_conf(ssh_section, ssh_param, action="update")
+multihost.client[0].run_command(rm_known_hosts)
+multihost.client[0].service_sssd("start")
+cmd = "ssh -l -q foobar0@%s echo 'login successful'" % server_host
+# key added when performing SSH
+multihost.client[0].run_command(cmd, stdin_text="Secret123",
+raiseonerr=False)
+known_hosts = multihost.client[0].run_command(view_known_hosts)
+if server_host in known_hosts.stdout_text:
+flag = 0  # hostname not 

[SSSD] [sssd PR#5925][synchronized] TEST: Current value of ssh_hash_known_hosts causes error in the default configuration in FIPS mode

2022-01-07 Thread dparmar18
   URL: https://github.com/SSSD/sssd/pull/5925
Author: dparmar18
 Title: #5925: TEST: Current value of ssh_hash_known_hosts causes error in the 
default configuration in FIPS mode
Action: synchronized

To pull the PR as Git branch:
git remote add ghsssd https://github.com/SSSD/sssd
git fetch ghsssd pull/5925/head:pr5925
git checkout pr5925
From 38da67e96d5805e1d33f68413a72881fd85c8d4d Mon Sep 17 00:00:00 2001
From: Dhairya Parmar 
Date: Thu, 16 Dec 2021 20:42:47 +0530
Subject: [PATCH 1/2] TEST: Current value of ssh_hash_known_hosts causes error
 in the default configuration in FIPS mode.

Explanation
- In SSSD the default value for ssh_hash_known_hosts is set to true.
  It should be changed to false for consistency with the OpenSSH
  setting, which does not hash host names by default.

Verifies
  Issue: https://github.com/SSSD/sssd/issues/5848
  Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=2014249
---
 src/tests/multihost/ipa/test_misc.py | 65 
 1 file changed, 65 insertions(+)

diff --git a/src/tests/multihost/ipa/test_misc.py b/src/tests/multihost/ipa/test_misc.py
index 2c25cd0b1e..ce797d581e 100644
--- a/src/tests/multihost/ipa/test_misc.py
+++ b/src/tests/multihost/ipa/test_misc.py
@@ -303,3 +303,68 @@ def test_authentication_indicators(self, multihost):
  ' |tail -10')
 ssh.close()
 assert 'indicators: 2' in search.stdout_text
+
+def test_ssh_hash_knownhosts(self, multihost, reset_password,
+ setup_ipa_client, backupsssdconf):
+"""
+:title: Current value of ssh_hash_known_hosts causes error in
+ the default configuration in FIPS mode.
+:description: In SSSD the default value for ssh_hash_known_hosts
+ is set to true, It should be changed to false for consistency with
+ the OpenSSH setting that does not hashes host names by default
+:bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=2014249
+:id: 1cee74c8-a0ad-44d4-8287-a32e3266de22
+:customerscenario: false
+:steps:
+1. Stop SSSD
+2. Configure SSSD with ssh having default value of
+   ssh_hash_known_hosts / ssh_hash_known_hosts = True /
+   ssh_hash_known_hosts = False
+3. Remove /var/lib/sss/pubconf/known_hosts file
+4. Start SSSD
+5. Perform SSH using IPA user
+6. Check if hostnames are hashed/unhashed in
+   /var/lib/sss/pubconf/known_hosts
+:expectedresults:
+1. Should succeed
+2. Should succeed
+3. Should succeed
+4. Should succeed
+5. Should succeed
+6. Hostnames should be hashed/unhashed as per the value of
+   ssh_hash_known_hosts
+"""
+tools = sssdTools(multihost.client[0])
+server_host = multihost.master[0].sys_hostname
+rm_known_hosts = "rm -rf /var/lib/sss/pubconf/known_hosts"
+view_known_hosts = "cat /var/lib/sss/pubconf/known_hosts"
+
+def check_hostname_hash(hash_value: str):
+#  no hash_value or hash_value = True or hash_value = False
+multihost.client[0].service_sssd("stop")
+if hash_value != "default":
+ssh_section = "ssh"
+ssh_param = {"ssh_hash_known_hosts": hash_value}
+tools.sssd_conf(ssh_section, ssh_param, action="update")
+multihost.client[0].run_command(rm_known_hosts)
+multihost.client[0].service_sssd("start")
+cmd = "ssh -l -q foobar0@%s echo 'login successful'" % server_host
+multihost.client[0].run_command(cmd, stdin_text="Secret123",
+raiseonerr=False)
+known_hosts = multihost.client[0].run_command(view_known_hosts)
+if server_host in known_hosts.stdout_text:
+flag = 0  # hostname not hashed
+else:
+flag = 1  # hostname hashed
+return flag
+
+try:
+# ssh_hash_known_hosts is not used, default value is False
+assert check_hostname_hash("default") == 0, "Hostnames hashed - " \
+"Bugzilla 2014249/2015070"
+# ssh_hash_known_hosts = True
+assert check_hostname_hash("True") == 1, "Hostnames not hashed"
+# ssh_hash_known_hosts = False
+assert check_hostname_hash("False") == 0, "Hostnames hashed"
+finally:
+multihost.client[0].run_command(rm_known_hosts)
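Review bot: In `check_hostname_hash`, the `else` branch reports the host name as hashed whenever the plain name is absent from known_hosts, so the `check_hostname_hash("True") == 1` assertion also passes when the file holds no entry for the server at all. Nothing else would catch that, because the ssh call runs with `raiseonerr=False` and a failed connection goes unnoticed. The command itself looks wrong: in `ssh -l -q foobar0@%s`, `-l` takes the login name as its argument, so `-q` appears to be consumed as that name. I would add `assert known_hosts.stdout_text.strip(), "known_hosts is empty"` before the `if`, and use `"ssh -q foobar0@%s echo 'login successful'"` for the command. The two later complete copies of this patch on the page carry the same code.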

From ce2e1b2f90e66c9977b4397c8121929efe506e9e Mon Sep 17 00:00:00 2001
From: Dhairya Parmar 
Date: Fri, 7 Jan 2022 21:07:59 +0530
Subject: [PATCH 2/2] requested changes applied

---
 src/tests/multihost/ipa/test_misc.py | 24 +---
 1 file changed, 21 insertions(+), 3 deletions(-)

diff --git 

[SSSD] [sssd PR#5925][synchronized] TEST: Current value of ssh_hash_known_hosts causes error in the default configuration in FIPS mode

2022-01-07 Thread dparmar18
   URL: https://github.com/SSSD/sssd/pull/5925
Author: dparmar18
 Title: #5925: TEST: Current value of ssh_hash_known_hosts causes error in the 
default configuration in FIPS mode
Action: synchronized

To pull the PR as Git branch:
git remote add ghsssd https://github.com/SSSD/sssd
git fetch ghsssd pull/5925/head:pr5925
git checkout pr5925
From 38da67e96d5805e1d33f68413a72881fd85c8d4d Mon Sep 17 00:00:00 2001
From: Dhairya Parmar 
Date: Thu, 16 Dec 2021 20:42:47 +0530
Subject: [PATCH] TEST: Current value of ssh_hash_known_hosts causes error in
 the default configuration in FIPS mode.

Explanation
- In SSSD the default value for ssh_hash_known_hosts is set to true.
  It should be changed to false for consistency with the OpenSSH
  setting, which does not hash host names by default.

Verifies
  Issue: https://github.com/SSSD/sssd/issues/5848
  Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=2014249
---
 src/tests/multihost/ipa/test_misc.py | 65 
 1 file changed, 65 insertions(+)

diff --git a/src/tests/multihost/ipa/test_misc.py b/src/tests/multihost/ipa/test_misc.py
index 2c25cd0b1e..ce797d581e 100644
--- a/src/tests/multihost/ipa/test_misc.py
+++ b/src/tests/multihost/ipa/test_misc.py
@@ -303,3 +303,68 @@ def test_authentication_indicators(self, multihost):
  ' |tail -10')
 ssh.close()
 assert 'indicators: 2' in search.stdout_text
+
+def test_ssh_hash_knownhosts(self, multihost, reset_password,
+ setup_ipa_client, backupsssdconf):
+"""
+:title: Current value of ssh_hash_known_hosts causes error in
+ the default configuration in FIPS mode.
+:description: In SSSD the default value for ssh_hash_known_hosts
+ is set to true, It should be changed to false for consistency with
+ the OpenSSH setting that does not hashes host names by default
+:bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=2014249
+:id: 1cee74c8-a0ad-44d4-8287-a32e3266de22
+:customerscenario: false
+:steps:
+1. Stop SSSD
+2. Configure SSSD with ssh having default value of
+   ssh_hash_known_hosts / ssh_hash_known_hosts = True /
+   ssh_hash_known_hosts = False
+3. Remove /var/lib/sss/pubconf/known_hosts file
+4. Start SSSD
+5. Perform SSH using IPA user
+6. Check if hostnames are hashed/unhashed in
+   /var/lib/sss/pubconf/known_hosts
+:expectedresults:
+1. Should succeed
+2. Should succeed
+3. Should succeed
+4. Should succeed
+5. Should succeed
+6. Hostnames should be hashed/unhashed as per the value of
+   ssh_hash_known_hosts
+"""
+tools = sssdTools(multihost.client[0])
+server_host = multihost.master[0].sys_hostname
+rm_known_hosts = "rm -rf /var/lib/sss/pubconf/known_hosts"
+view_known_hosts = "cat /var/lib/sss/pubconf/known_hosts"
+
+def check_hostname_hash(hash_value: str):
+#  no hash_value or hash_value = True or hash_value = False
+multihost.client[0].service_sssd("stop")
+if hash_value != "default":
+ssh_section = "ssh"
+ssh_param = {"ssh_hash_known_hosts": hash_value}
+tools.sssd_conf(ssh_section, ssh_param, action="update")
+multihost.client[0].run_command(rm_known_hosts)
+multihost.client[0].service_sssd("start")
+cmd = "ssh -l -q foobar0@%s echo 'login successful'" % server_host
+multihost.client[0].run_command(cmd, stdin_text="Secret123",
+raiseonerr=False)
+known_hosts = multihost.client[0].run_command(view_known_hosts)
+if server_host in known_hosts.stdout_text:
+flag = 0  # hostname not hashed
+else:
+flag = 1  # hostname hashed
+return flag
+
+try:
+# ssh_hash_known_hosts is not used, default value is False
+assert check_hostname_hash("default") == 0, "Hostnames hashed - " \
+"Bugzilla 2014249/2015070"
+# ssh_hash_known_hosts = True
+assert check_hostname_hash("True") == 1, "Hostnames not hashed"
+# ssh_hash_known_hosts = False
+assert check_hostname_hash("False") == 0, "Hostnames hashed"
+finally:
+multihost.client[0].run_command(rm_known_hosts)
[SSSD] [sssd PR#5925][synchronized] TEST: Current value of ssh_hash_known_hosts causes error in the default configuration in FIPS mode

2022-01-07 Thread dparmar18
   URL: https://github.com/SSSD/sssd/pull/5925
Author: dparmar18
 Title: #5925: TEST: Current value of ssh_hash_known_hosts causes error in the 
default configuration in FIPS mode
Action: synchronized

To pull the PR as Git branch:
git remote add ghsssd https://github.com/SSSD/sssd
git fetch ghsssd pull/5925/head:pr5925
git checkout pr5925
From 38da67e96d5805e1d33f68413a72881fd85c8d4d Mon Sep 17 00:00:00 2001
From: Dhairya Parmar 
Date: Thu, 16 Dec 2021 20:42:47 +0530
Subject: [PATCH 1/2] TEST: Current value of ssh_hash_known_hosts causes error
 in the default configuration in FIPS mode.

Explanation
- In SSSD the default value for ssh_hash_known_hosts is set to true.
  It should be changed to false for consistency with the OpenSSH
  setting, which does not hash host names by default.

Verifies
  Issue: https://github.com/SSSD/sssd/issues/5848
  Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=2014249
---
 src/tests/multihost/ipa/test_misc.py | 65 
 1 file changed, 65 insertions(+)

diff --git a/src/tests/multihost/ipa/test_misc.py b/src/tests/multihost/ipa/test_misc.py
index 2c25cd0b1e..ce797d581e 100644
--- a/src/tests/multihost/ipa/test_misc.py
+++ b/src/tests/multihost/ipa/test_misc.py
@@ -303,3 +303,68 @@ def test_authentication_indicators(self, multihost):
  ' |tail -10')
 ssh.close()
 assert 'indicators: 2' in search.stdout_text
+
+def test_ssh_hash_knownhosts(self, multihost, reset_password,
+ setup_ipa_client, backupsssdconf):
+"""
+:title: Current value of ssh_hash_known_hosts causes error in
+ the default configuration in FIPS mode.
+:description: In SSSD the default value for ssh_hash_known_hosts
+ is set to true, It should be changed to false for consistency with
+ the OpenSSH setting that does not hashes host names by default
+:bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=2014249
+:id: 1cee74c8-a0ad-44d4-8287-a32e3266de22
+:customerscenario: false
+:steps:
+1. Stop SSSD
+2. Configure SSSD with ssh having default value of
+   ssh_hash_known_hosts / ssh_hash_known_hosts = True /
+   ssh_hash_known_hosts = False
+3. Remove /var/lib/sss/pubconf/known_hosts file
+4. Start SSSD
+5. Perform SSH using IPA user
+6. Check if hostnames are hashed/unhashed in
+   /var/lib/sss/pubconf/known_hosts
+:expectedresults:
+1. Should succeed
+2. Should succeed
+3. Should succeed
+4. Should succeed
+5. Should succeed
+6. Hostnames should be hashed/unhashed as per the value of
+   ssh_hash_known_hosts
+"""
+tools = sssdTools(multihost.client[0])
+server_host = multihost.master[0].sys_hostname
+rm_known_hosts = "rm -rf /var/lib/sss/pubconf/known_hosts"
+view_known_hosts = "cat /var/lib/sss/pubconf/known_hosts"
+
+def check_hostname_hash(hash_value: str):
+#  no hash_value or hash_value = True or hash_value = False
+multihost.client[0].service_sssd("stop")
+if hash_value != "default":
+ssh_section = "ssh"
+ssh_param = {"ssh_hash_known_hosts": hash_value}
+tools.sssd_conf(ssh_section, ssh_param, action="update")
+multihost.client[0].run_command(rm_known_hosts)
+multihost.client[0].service_sssd("start")
+cmd = "ssh -l -q foobar0@%s echo 'login successful'" % server_host
+multihost.client[0].run_command(cmd, stdin_text="Secret123",
+raiseonerr=False)
+known_hosts = multihost.client[0].run_command(view_known_hosts)
+if server_host in known_hosts.stdout_text:
+flag = 0  # hostname not hashed
+else:
+flag = 1  # hostname hashed
+return flag
+
+try:
+# ssh_hash_known_hosts is not used, default value is False
+assert check_hostname_hash("default") == 0, "Hostnames hashed - " \
+"Bugzilla 2014249/2015070"
+# ssh_hash_known_hosts = True
+assert check_hostname_hash("True") == 1, "Hostnames not hashed"
+# ssh_hash_known_hosts = False
+assert check_hostname_hash("False") == 0, "Hostnames hashed"
+finally:
+multihost.client[0].run_command(rm_known_hosts)

From cc89fdedf6262fa4b14b559cb9b69005f2685e81 Mon Sep 17 00:00:00 2001
From: Dhairya Parmar 
Date: Fri, 7 Jan 2022 19:37:33 +0530
Subject: [PATCH 2/2] double quotes instead of single

---
 src/tests/multihost/ipa/test_misc.py | 22 +++---
 1 file changed, 19 insertions(+), 3 deletions(-)

diff --git 

[SSSD] [sssd PR#5925][synchronized] TEST: Current value of ssh_hash_known_hosts causes error in the default configuration in FIPS mode

2021-12-20 Thread dparmar18
   URL: https://github.com/SSSD/sssd/pull/5925
Author: dparmar18
 Title: #5925: TEST: Current value of ssh_hash_known_hosts causes error in the 
default configuration in FIPS mode
Action: synchronized

To pull the PR as Git branch:
git remote add ghsssd https://github.com/SSSD/sssd
git fetch ghsssd pull/5925/head:pr5925
git checkout pr5925
From 38da67e96d5805e1d33f68413a72881fd85c8d4d Mon Sep 17 00:00:00 2001
From: Dhairya Parmar 
Date: Thu, 16 Dec 2021 20:42:47 +0530
Subject: [PATCH] TEST: Current value of ssh_hash_known_hosts causes error in
 the default configuration in FIPS mode.

Explanation
- In SSSD the default value for ssh_hash_known_hosts is set to true.
  It should be changed to false for consistency with the OpenSSH
  setting, which does not hash host names by default.

Verifies
  Issue: https://github.com/SSSD/sssd/issues/5848
  Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=2014249
---
 src/tests/multihost/ipa/test_misc.py | 65 
 1 file changed, 65 insertions(+)

diff --git a/src/tests/multihost/ipa/test_misc.py b/src/tests/multihost/ipa/test_misc.py
index 2c25cd0b1e..ce797d581e 100644
--- a/src/tests/multihost/ipa/test_misc.py
+++ b/src/tests/multihost/ipa/test_misc.py
@@ -303,3 +303,68 @@ def test_authentication_indicators(self, multihost):
  ' |tail -10')
 ssh.close()
 assert 'indicators: 2' in search.stdout_text
+
+def test_ssh_hash_knownhosts(self, multihost, reset_password,
+ setup_ipa_client, backupsssdconf):
+"""
+:title: Current value of ssh_hash_known_hosts causes error in
+ the default configuration in FIPS mode.
+:description: In SSSD the default value for ssh_hash_known_hosts
+ is set to true, It should be changed to false for consistency with
+ the OpenSSH setting that does not hashes host names by default
+:bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=2014249
+:id: 1cee74c8-a0ad-44d4-8287-a32e3266de22
+:customerscenario: false
+:steps:
+1. Stop SSSD
+2. Configure SSSD with ssh having default value of
+   ssh_hash_known_hosts / ssh_hash_known_hosts = True /
+   ssh_hash_known_hosts = False
+3. Remove /var/lib/sss/pubconf/known_hosts file
+4. Start SSSD
+5. Perform SSH using IPA user
+6. Check if hostnames are hashed/unhashed in
+   /var/lib/sss/pubconf/known_hosts
+:expectedresults:
+1. Should succeed
+2. Should succeed
+3. Should succeed
+4. Should succeed
+5. Should succeed
+6. Hostnames should be hashed/unhashed as per the value of
+   ssh_hash_known_hosts
+"""
+tools = sssdTools(multihost.client[0])
+server_host = multihost.master[0].sys_hostname
+rm_known_hosts = "rm -rf /var/lib/sss/pubconf/known_hosts"
+view_known_hosts = "cat /var/lib/sss/pubconf/known_hosts"
+
+def check_hostname_hash(hash_value: str):
+#  no hash_value or hash_value = True or hash_value = False
+multihost.client[0].service_sssd("stop")
+if hash_value != "default":
+ssh_section = "ssh"
+ssh_param = {"ssh_hash_known_hosts": hash_value}
+tools.sssd_conf(ssh_section, ssh_param, action="update")
+multihost.client[0].run_command(rm_known_hosts)
+multihost.client[0].service_sssd("start")
+cmd = "ssh -l -q foobar0@%s echo 'login successful'" % server_host
+multihost.client[0].run_command(cmd, stdin_text="Secret123",
+raiseonerr=False)
+known_hosts = multihost.client[0].run_command(view_known_hosts)
+if server_host in known_hosts.stdout_text:
+flag = 0  # hostname not hashed
+else:
+flag = 1  # hostname hashed
+return flag
+
+try:
+# ssh_hash_known_hosts is not used, default value is False
+assert check_hostname_hash("default") == 0, "Hostnames hashed - " \
+"Bugzilla 2014249/2015070"
+# ssh_hash_known_hosts = True
+assert check_hostname_hash("True") == 1, "Hostnames not hashed"
+# ssh_hash_known_hosts = False
+assert check_hostname_hash("False") == 0, "Hostnames hashed"
+finally:
+multihost.client[0].run_command(rm_known_hosts)
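Review bot: In `check_hostname_hash`, "hashed" is inferred only from the server hostname being absent from the file, so an empty known_hosts also returns 1 and the `"True"` assertion passes without any hashed entry having been written. Check for the positive marker instead; OpenSSH-style hashed entries start with `|1|`, and SSSD presumably writes the same prefix: `assert known_hosts.stdout_text.strip(), "known_hosts is empty"` followed by `flag = 1 if "|1|" in known_hosts.stdout_text else 0`. Because the ssh call uses `raiseonerr=False`, this file check is the only evidence that the connection got as far as the host-key stage. The same helper appears unchanged in the other revisions of this patch in the thread.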

[SSSD] [sssd PR#5925][synchronized] TEST: Current value of ssh_hash_known_hosts causes error in the default configuration in FIPS mode

2021-12-20 Thread dparmar18
   URL: https://github.com/SSSD/sssd/pull/5925
Author: dparmar18
 Title: #5925: TEST: Current value of ssh_hash_known_hosts causes error in the 
default configuration in FIPS mode
Action: synchronized

To pull the PR as Git branch:
git remote add ghsssd https://github.com/SSSD/sssd
git fetch ghsssd pull/5925/head:pr5925
git checkout pr5925
From c3f081fe70d8a544d6d7d35770104fb93ce320e9 Mon Sep 17 00:00:00 2001
From: Dhairya Parmar 
Date: Thu, 16 Dec 2021 20:42:47 +0530
Subject: [PATCH 1/2] TEST: Current value of ssh_hash_known_hosts causes error
 in the default configuration in FIPS mode.

Explanation
- In SSSD the default value for ssh_hash_known_hosts is set to true.
  It should be changed to false for consistency with the OpenSSH
  setting, which does not hash host names by default

Verifies
  Issue: https://github.com/SSSD/sssd/issues/5848
  Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=2014249
---
 src/tests/multihost/ipa/test_misc.py | 65 
 1 file changed, 65 insertions(+)

diff --git a/src/tests/multihost/ipa/test_misc.py b/src/tests/multihost/ipa/test_misc.py
index 2c25cd0b1e..1f1f7b0da6 100644
--- a/src/tests/multihost/ipa/test_misc.py
+++ b/src/tests/multihost/ipa/test_misc.py
@@ -303,3 +303,68 @@ def test_authentication_indicators(self, multihost):
  ' |tail -10')
 ssh.close()
 assert 'indicators: 2' in search.stdout_text
+
+def test_ssh_hash_knownhosts(self, multihost, reset_password,
+ setup_ipa_client, backupsssdconf):
+"""
+:title: Current value of ssh_hash_known_hosts causes error in
+ the default configuration in FIPS mode.
+:description: In SSSD the default value for ssh_hash_known_hosts
+ is set to true, It should be changed to false for consistency with
+ the OpenSSH setting that does not hashes host names by default
+:bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=2014249
+:id: 1cee74c8-a0ad-44d4-8287-a32e3266de22
+:customerscenario: false
+:steps:
+1. Stop SSSD
+2. Configure SSSD with ssh having default value of
+   ssh_hash_known_hosts / ssh_hash_known_hosts = True /
+   ssh_hash_known_hosts = False
+3. Remove /var/lib/sss/pubconf/known_hosts file
+4. Start SSSD
+5. Perform SSH using IPA user
+6. Check if hostnames are hashed/unhashed in
+   /var/lib/sss/pubconf/known_hosts
+:expectedresults:
+1. Should succeed
+2. Should succeed
+3. Should succeed
+4. Should succeed
+5. Should succeed
+6. Hostnames should be hashed/unhashed as per the value of
+   ssh_hash_known_hosts
+"""
+tools = sssdTools(multihost.client[0])
+server_host = multihost.master[0].sys_hostname
+rm_known_hosts = "rm -rf /var/lib/sss/pubconf/known_hosts"
+view_known_hosts = "cat /var/lib/sss/pubconf/known_hosts"
+
+def check_hostname_hash(hash_value: str):
+#  no hash_value or hash_value = True or hash_value = False
+multihost.client[0].service_sssd("stop")
+if hash_value != "default":
+ssh_section = "ssh"
+ssh_param = {"ssh_hash_known_hosts": hash_value}
+tools.sssd_conf(ssh_section, ssh_param, action="update")
+multihost.client[0].run_command(rm_known_hosts)
+multihost.client[0].service_sssd("start")
+cmd = "ssh -l -q foobar0@%s" % server_host
+multihost.client[0].run_command(cmd, stdin_text="Secret123",
+raiseonerr=False)
+known_hosts = multihost.client[0].run_command(view_known_hosts)
+if server_host in known_hosts.stdout_text:
+flag = 0  # hostname not hashed
+else:
+flag = 1  # hostname hashed
+return flag
+
+try:
+# ssh_hash_known_hosts is not used, default value is False
+assert check_hostname_hash("default") == 0, "Hostnames hashed - " \
+"Bugzilla 2014249/2015070"
+# ssh_hash_known_hosts = True
+assert check_hostname_hash("True") == 1, "Hostnames not hashed"
+# ssh_hash_known_hosts = False
+assert check_hostname_hash("False") == 0, "Hostnames hashed"
+finally:
+multihost.client[0].run_command(rm_known_hosts)
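Review bot: The command string `ssh -l -q foobar0@%s` gives `-q` to `-l` as its argument, so ssh takes `-q` as the login name instead of enabling quiet mode, and the connection is presumably not attempted as foobar0. Give `-l` its value or drop it: `cmd = "ssh -q -l foobar0 %s" % server_host`. The call passes `raiseonerr=False`, so a failed login goes unnoticed and step 5 of the docstring ("Perform SSH using IPA user") is not actually verified. It is also worth confirming that `stdin_text="Secret123"` reaches the password prompt, since ssh normally reads the password from the terminal rather than stdin. The same command string is used in the other revisions of this patch in the thread, one of them with a trailing `echo 'login successful'`.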

From e90117704edb399ce468db03c70f3d5a79182a6b Mon Sep 17 00:00:00 2001
From: Dhairya Parmar 
Date: Mon, 20 Dec 2021 18:37:53 +0530
Subject: [PATCH 2/2] ssh command modified

---
 src/tests/multihost/ipa/test_misc.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/tests/multihost/ipa/test_misc.py 

[SSSD] [sssd PR#5925][synchronized] TEST: Current value of ssh_hash_known_hosts causes error in the default configuration in FIPS mode

2021-12-20 Thread dparmar18
   URL: https://github.com/SSSD/sssd/pull/5925
Author: dparmar18
 Title: #5925: TEST: Current value of ssh_hash_known_hosts causes error in the 
default configuration in FIPS mode
Action: synchronized

To pull the PR as Git branch:
git remote add ghsssd https://github.com/SSSD/sssd
git fetch ghsssd pull/5925/head:pr5925
git checkout pr5925
From c3f081fe70d8a544d6d7d35770104fb93ce320e9 Mon Sep 17 00:00:00 2001
From: Dhairya Parmar 
Date: Thu, 16 Dec 2021 20:42:47 +0530
Subject: [PATCH] TEST: Current value of ssh_hash_known_hosts causes error in
 the default configuration in FIPS mode.

Explanation
- In SSSD the default value for ssh_hash_known_hosts is set to true.
  It should be changed to false for consistency with the OpenSSH
  setting, which does not hash host names by default

Verifies
  Issue: https://github.com/SSSD/sssd/issues/5848
  Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=2014249
---
 src/tests/multihost/ipa/test_misc.py | 65 
 1 file changed, 65 insertions(+)

diff --git a/src/tests/multihost/ipa/test_misc.py b/src/tests/multihost/ipa/test_misc.py
index 2c25cd0b1e..1f1f7b0da6 100644
--- a/src/tests/multihost/ipa/test_misc.py
+++ b/src/tests/multihost/ipa/test_misc.py
@@ -303,3 +303,68 @@ def test_authentication_indicators(self, multihost):
  ' |tail -10')
 ssh.close()
 assert 'indicators: 2' in search.stdout_text
+
+def test_ssh_hash_knownhosts(self, multihost, reset_password,
+ setup_ipa_client, backupsssdconf):
+"""
+:title: Current value of ssh_hash_known_hosts causes error in
+ the default configuration in FIPS mode.
+:description: In SSSD the default value for ssh_hash_known_hosts
+ is set to true, It should be changed to false for consistency with
+ the OpenSSH setting that does not hashes host names by default
+:bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=2014249
+:id: 1cee74c8-a0ad-44d4-8287-a32e3266de22
+:customerscenario: false
+:steps:
+1. Stop SSSD
+2. Configure SSSD with ssh having default value of
+   ssh_hash_known_hosts / ssh_hash_known_hosts = True /
+   ssh_hash_known_hosts = False
+3. Remove /var/lib/sss/pubconf/known_hosts file
+4. Start SSSD
+5. Perform SSH using IPA user
+6. Check if hostnames are hashed/unhashed in
+   /var/lib/sss/pubconf/known_hosts
+:expectedresults:
+1. Should succeed
+2. Should succeed
+3. Should succeed
+4. Should succeed
+5. Should succeed
+6. Hostnames should be hashed/unhashed as per the value of
+   ssh_hash_known_hosts
+"""
+tools = sssdTools(multihost.client[0])
+server_host = multihost.master[0].sys_hostname
+rm_known_hosts = "rm -rf /var/lib/sss/pubconf/known_hosts"
+view_known_hosts = "cat /var/lib/sss/pubconf/known_hosts"
+
+def check_hostname_hash(hash_value: str):
+#  no hash_value or hash_value = True or hash_value = False
+multihost.client[0].service_sssd("stop")
+if hash_value != "default":
+ssh_section = "ssh"
+ssh_param = {"ssh_hash_known_hosts": hash_value}
+tools.sssd_conf(ssh_section, ssh_param, action="update")
+multihost.client[0].run_command(rm_known_hosts)
+multihost.client[0].service_sssd("start")
+cmd = "ssh -l -q foobar0@%s" % server_host
+multihost.client[0].run_command(cmd, stdin_text="Secret123",
+raiseonerr=False)
+known_hosts = multihost.client[0].run_command(view_known_hosts)
+if server_host in known_hosts.stdout_text:
+flag = 0  # hostname not hashed
+else:
+flag = 1  # hostname hashed
+return flag
+
+try:
+# ssh_hash_known_hosts is not used, default value is False
+assert check_hostname_hash("default") == 0, "Hostnames hashed - " \
+"Bugzilla 2014249/2015070"
+# ssh_hash_known_hosts = True
+assert check_hostname_hash("True") == 1, "Hostnames not hashed"
+# ssh_hash_known_hosts = False
+assert check_hostname_hash("False") == 0, "Hostnames hashed"
+finally:
+multihost.client[0].run_command(rm_known_hosts)

[SSSD] [sssd PR#5925][synchronized] TEST: Current value of ssh_hash_known_hosts causes error in the default configuration in FIPS mode

2021-12-20 Thread dparmar18
   URL: https://github.com/SSSD/sssd/pull/5925
Author: dparmar18
 Title: #5925: TEST: Current value of ssh_hash_known_hosts causes error in the 
default configuration in FIPS mode
Action: synchronized

To pull the PR as Git branch:
git remote add ghsssd https://github.com/SSSD/sssd
git fetch ghsssd pull/5925/head:pr5925
git checkout pr5925
From 117129cc51717ebe80fdc4335b40f5edd2051e04 Mon Sep 17 00:00:00 2001
From: Dhairya Parmar 
Date: Thu, 16 Dec 2021 20:42:47 +0530
Subject: [PATCH 1/2] TEST: Current value of ssh_hash_known_hosts causes error
 in the default configuration in FIPS mode.

Explanation
- In SSSD the default value for ssh_hash_known_hosts is set to true.
  It should be changed to false for consistency with the OpenSSH
  setting, which does not hash host names by default

Verifies
  Issue: https://github.com/SSSD/sssd/issues/5848
  Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=2014249
---
 src/tests/multihost/ipa/test_misc.py | 65 
 1 file changed, 65 insertions(+)

diff --git a/src/tests/multihost/ipa/test_misc.py b/src/tests/multihost/ipa/test_misc.py
index 2c25cd0b1e..800bd16878 100644
--- a/src/tests/multihost/ipa/test_misc.py
+++ b/src/tests/multihost/ipa/test_misc.py
@@ -303,3 +303,68 @@ def test_authentication_indicators(self, multihost):
  ' |tail -10')
 ssh.close()
 assert 'indicators: 2' in search.stdout_text
+
+def test_ssh_hash_knownhosts(self, multihost, reset_password,
+ setup_ipa_client):
+"""
+:title: Current value of ssh_hash_known_hosts causes error in
+ the default configuration in FIPS mode.
+:description: In SSSD the default value for ssh_hash_known_hosts
+ is set to true, It should be changed to false for consistency with
+ the OpenSSH setting that does not hashes host names by default
+:bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=2014249
+:id: 1cee74c8-a0ad-44d4-8287-a32e3266de22
+:customerscenario: false
+:steps:
+1. Stop SSSD
+2. Configure SSSD with ssh having default value of
+   ssh_hash_known_hosts / ssh_hash_known_hosts = True /
+   ssh_hash_known_hosts = False
+3. Remove /var/lib/sss/pubconf/known_hosts file
+4. Start SSSD
+5. Perform SSH using IPA user
+6. Check if hostnames are hashed/unhashed in
+   /var/lib/sss/pubconf/known_hosts
+:expectedresults:
+1. Should succeed
+2. Should succeed
+3. Should succeed
+4. Should succeed
+5. Should succeed
+6. Hostnames should be hashed/unhashed as per the value of
+   ssh_hash_known_hosts
+"""
+tools = sssdTools(multihost.client[0])
+server_host = multihost.master[0].sys_hostname
+rm_known_hosts = "rm -rf /var/lib/sss/pubconf/known_hosts"
+view_known_hosts = "cat /var/lib/sss/pubconf/known_hosts"
+
+def check_hostname_hash(hash_value: str):
+#  no hash_value or hash_value = True or hash_value = False
+multihost.client[0].service_sssd("stop")
+if hash_value != "default":
+ssh_section = "ssh"
+ssh_param = {"ssh_hash_known_hosts": hash_value}
+tools.sssd_conf(ssh_section, ssh_param, action="update")
+multihost.client[0].run_command(rm_known_hosts)
+multihost.client[0].service_sssd("start")
+cmd = "ssh -l -q foobar0@%s" % server_host
+multihost.client[0].run_command(cmd, stdin_text="Secret123",
+raiseonerr=False)
+known_hosts = multihost.client[0].run_command(view_known_hosts)
+if server_host in known_hosts.stdout_text:
+flag = 0  # hostname not hashed
+else:
+flag = 1  # hostname hashed
+return flag
+
+try:
+# ssh_hash_known_hosts is not used, default value is False
+assert check_hostname_hash("default") == 0, "Hostnames hashed - " \
+"Bugzilla 2014249/2015070"
+# ssh_hash_known_hosts = True
+assert check_hostname_hash("True") == 1, "Hostnames not hashed"
+# ssh_hash_known_hosts = False
+assert check_hostname_hash("False") == 0, "Hostnames hashed"
+finally:
+multihost.client[0].run_command(rm_known_hosts)

From da6a9271fadf7935cc428425f65fc8c2cc508056 Mon Sep 17 00:00:00 2001
From: Dhairya Parmar 
Date: Mon, 20 Dec 2021 15:04:33 +0530
Subject: [PATCH 2/2] backsssdconf fixture added

---
 src/tests/multihost/ipa/test_misc.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/tests/multihost/ipa/test_misc.py 

[SSSD] [sssd PR#5925][synchronized] TEST: Current value of ssh_hash_known_hosts causes error in the default configuration in FIPS mode

2021-12-16 Thread dparmar18
   URL: https://github.com/SSSD/sssd/pull/5925
Author: dparmar18
 Title: #5925: TEST: Current value of ssh_hash_known_hosts causes error in the 
default configuration in FIPS mode
Action: synchronized

To pull the PR as Git branch:
git remote add ghsssd https://github.com/SSSD/sssd
git fetch ghsssd pull/5925/head:pr5925
git checkout pr5925
From 117129cc51717ebe80fdc4335b40f5edd2051e04 Mon Sep 17 00:00:00 2001
From: Dhairya Parmar 
Date: Thu, 16 Dec 2021 20:42:47 +0530
Subject: [PATCH] TEST: Current value of ssh_hash_known_hosts causes error in
 the default configuration in FIPS mode.

Explanation
- In SSSD the default value for ssh_hash_known_hosts is set to true.
  It should be changed to false for consistency with the OpenSSH
  setting, which does not hash host names by default

Verifies
  Issue: https://github.com/SSSD/sssd/issues/5848
  Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=2014249
---
 src/tests/multihost/ipa/test_misc.py | 65 
 1 file changed, 65 insertions(+)

diff --git a/src/tests/multihost/ipa/test_misc.py b/src/tests/multihost/ipa/test_misc.py
index 2c25cd0b1e..800bd16878 100644
--- a/src/tests/multihost/ipa/test_misc.py
+++ b/src/tests/multihost/ipa/test_misc.py
@@ -303,3 +303,68 @@ def test_authentication_indicators(self, multihost):
  ' |tail -10')
 ssh.close()
 assert 'indicators: 2' in search.stdout_text
+
+def test_ssh_hash_knownhosts(self, multihost, reset_password,
+ setup_ipa_client):
+"""
+:title: Current value of ssh_hash_known_hosts causes error in
+ the default configuration in FIPS mode.
+:description: In SSSD the default value for ssh_hash_known_hosts
+ is set to true, It should be changed to false for consistency with
+ the OpenSSH setting that does not hashes host names by default
+:bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=2014249
+:id: 1cee74c8-a0ad-44d4-8287-a32e3266de22
+:customerscenario: false
+:steps:
+1. Stop SSSD
+2. Configure SSSD with ssh having default value of
+   ssh_hash_known_hosts / ssh_hash_known_hosts = True /
+   ssh_hash_known_hosts = False
+3. Remove /var/lib/sss/pubconf/known_hosts file
+4. Start SSSD
+5. Perform SSH using IPA user
+6. Check if hostnames are hashed/unhashed in
+   /var/lib/sss/pubconf/known_hosts
+:expectedresults:
+1. Should succeed
+2. Should succeed
+3. Should succeed
+4. Should succeed
+5. Should succeed
+6. Hostnames should be hashed/unhashed as per the value of
+   ssh_hash_known_hosts
+"""
+tools = sssdTools(multihost.client[0])
+server_host = multihost.master[0].sys_hostname
+rm_known_hosts = "rm -rf /var/lib/sss/pubconf/known_hosts"
+view_known_hosts = "cat /var/lib/sss/pubconf/known_hosts"
+
+def check_hostname_hash(hash_value: str):
+#  no hash_value or hash_value = True or hash_value = False
+multihost.client[0].service_sssd("stop")
+if hash_value != "default":
+ssh_section = "ssh"
+ssh_param = {"ssh_hash_known_hosts": hash_value}
+tools.sssd_conf(ssh_section, ssh_param, action="update")
+multihost.client[0].run_command(rm_known_hosts)
+multihost.client[0].service_sssd("start")
+cmd = "ssh -l -q foobar0@%s" % server_host
+multihost.client[0].run_command(cmd, stdin_text="Secret123",
+raiseonerr=False)
+known_hosts = multihost.client[0].run_command(view_known_hosts)
+if server_host in known_hosts.stdout_text:
+flag = 0  # hostname not hashed
+else:
+flag = 1  # hostname hashed
+return flag
+
+try:
+# ssh_hash_known_hosts is not used, default value is False
+assert check_hostname_hash("default") == 0, "Hostnames hashed - " \
+"Bugzilla 2014249/2015070"
+# ssh_hash_known_hosts = True
+assert check_hostname_hash("True") == 1, "Hostnames not hashed"
+# ssh_hash_known_hosts = False
+assert check_hostname_hash("False") == 0, "Hostnames hashed"
+finally:
+multihost.client[0].run_command(rm_known_hosts)