[SSSD] [sssd PR#5925][synchronized] TEST: Current value of ssh_hash_known_hosts causes error in the default configuration in FIPS mode
URL: https://github.com/SSSD/sssd/pull/5925 Author: dparmar18 Title: #5925: TEST: Current value of ssh_hash_known_hosts causes error in the default configuration in FIPS mode Action: synchronized To pull the PR as Git branch: git remote add ghsssd https://github.com/SSSD/sssd git fetch ghsssd pull/5925/head:pr5925 git checkout pr5925
From a6d06efaa51188f9ac7b2c4e8a5d1db1ad1621fd Mon Sep 17 00:00:00 2001
From: Dhairya Parmar
Date: Thu, 16 Dec 2021 20:42:47 +0530
Subject: [PATCH 1/2] TEST: Current value of ssh_hash_known_hosts causes error in the default configuration in FIPS mode. Explanation - In SSSD the default value for ssh_hash_known_hosts is set to true, It should be changed to false for consistency with the OpenSSH setting that does not hashes host names by default Verifies Issue: https://github.com/SSSD/sssd/issues/5848 Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=2014249
---
src/tests/multihost/ipa/test_misc.py | 83
1 file changed, 83 insertions(+)
diff --git a/src/tests/multihost/ipa/test_misc.py b/src/tests/multihost/ipa/test_misc.py
index 2c25cd0b1e..3a30d3fcfd 100644
--- a/src/tests/multihost/ipa/test_misc.py
+++ b/src/tests/multihost/ipa/test_misc.py
@@ -303,3 +303,86 @@ def test_authentication_indicators(self, multihost):
 ' |tail -10')
 ssh.close()
 assert 'indicators: 2' in search.stdout_text
+
+def test_ssh_hash_knownhosts(self, multihost, reset_password,
+ setup_ipa_client, backupsssdconf):
+"""
+:title: Current value of ssh_hash_known_hosts causes error in
+ the default configuration in FIPS mode.
+:description: In SSSD the default value for ssh_hash_known_hosts
+ is set to true, It should be changed to false for consistency with
+ the OpenSSH setting that does not hashes host names by default
+:bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=2014249
+:id: 1cee74c8-a0ad-44d4-8287-a32e3266de22
+:customerscenario: false
+:steps:
+1. Stop SSSD
+2. Configure SSSD with ssh having default value of
+ ssh_hash_known_hosts / ssh_hash_known_hosts = True /
+ ssh_hash_known_hosts = False
+3. Remove /var/lib/sss/pubconf/known_hosts file
+4. Start SSSD
+5. Perform SSH using IPA user
+6. Check if hostnames are hashed/unhashed in
+ /var/lib/sss/pubconf/known_hosts
+:expectedresults:
+1. Should succeed
+2. Should succeed
+3. Should succeed
+4. Should succeed
+5. Should succeed
+6. 
Hostnames should be hashed/unhashed as per the value of
+ ssh_hash_known_hosts
+"""
+tools = sssdTools(multihost.client[0])
+server_host = multihost.master[0].sys_hostname
+rm_host_keys = "rm -rf /tmp/ssh_host0003_rsa*"
+rm_known_hosts = "rm -rf /var/lib/sss/pubconf/known_hosts"
+view_known_hosts = "cat /var/lib/sss/pubconf/known_hosts"
+# adding host to IPA server
+multihost.master[0].run_command(r"ssh-keygen -q -t rsa -N '' -C '' "
+r"-f /tmp/ssh_host0003_rsa")
+multihost.master[0].run_command("ipa host-mod %s --sshpubkey="
+"\"$(cat /tmp/ssh_host0003_rsa.pub)\" "
+"--updatedns"
+% multihost.client[0].sys_hostname)
+
+def check_hostname_hash(hash_value=None):
+# no hash_value or hash_value = True or hash_value = False
+multihost.client[0].service_sssd("stop")
+if hash_value is None:
+sssd_conf_cmd = multihost.client[0].\
+run_command("cat /etc/sssd/sssd.conf")
+sssd_conf = str(sssd_conf_cmd.stdout_text).strip()
+if "ssh_hash_known_hosts" in sssd_conf:
+ssh_section = "ssh"
+ssh_param = {"ssh_hash_known_hosts": ""}
+tools.sssd_conf(ssh_section, ssh_param, action="delete")
+if hash_value is not None:
+ssh_section = "ssh"
+ssh_param = {"ssh_hash_known_hosts": hash_value}
+tools.sssd_conf(ssh_section, ssh_param, action="update")
+multihost.client[0].run_command(rm_known_hosts)
+multihost.client[0].service_sssd("start")
+cmd = "ssh -l -q foobar0@%s echo 'login successful'" % server_host
+# key added when performing SSH
+multihost.client[0].run_command(cmd, stdin_text="Secret123",
+raiseonerr=False)
+known_hosts = multihost.client[0].run_command(view_known_hosts)
+if server_host in
[SSSD] [sssd PR#5925][synchronized] TEST: Current value of ssh_hash_known_hosts causes error in the default configuration in FIPS mode
URL: https://github.com/SSSD/sssd/pull/5925 Author: dparmar18 Title: #5925: TEST: Current value of ssh_hash_known_hosts causes error in the default configuration in FIPS mode Action: synchronized To pull the PR as Git branch: git remote add ghsssd https://github.com/SSSD/sssd git fetch ghsssd pull/5925/head:pr5925 git checkout pr5925
From a6d06efaa51188f9ac7b2c4e8a5d1db1ad1621fd Mon Sep 17 00:00:00 2001
From: Dhairya Parmar
Date: Thu, 16 Dec 2021 20:42:47 +0530
Subject: [PATCH] TEST: Current value of ssh_hash_known_hosts causes error in the default configuration in FIPS mode. Explanation - In SSSD the default value for ssh_hash_known_hosts is set to true, It should be changed to false for consistency with the OpenSSH setting that does not hashes host names by default Verifies Issue: https://github.com/SSSD/sssd/issues/5848 Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=2014249
---
src/tests/multihost/ipa/test_misc.py | 83
1 file changed, 83 insertions(+)
diff --git a/src/tests/multihost/ipa/test_misc.py b/src/tests/multihost/ipa/test_misc.py
index 2c25cd0b1e..3a30d3fcfd 100644
--- a/src/tests/multihost/ipa/test_misc.py
+++ b/src/tests/multihost/ipa/test_misc.py
@@ -303,3 +303,86 @@ def test_authentication_indicators(self, multihost):
 ' |tail -10')
 ssh.close()
 assert 'indicators: 2' in search.stdout_text
+
+def test_ssh_hash_knownhosts(self, multihost, reset_password,
+ setup_ipa_client, backupsssdconf):
+"""
+:title: Current value of ssh_hash_known_hosts causes error in
+ the default configuration in FIPS mode.
+:description: In SSSD the default value for ssh_hash_known_hosts
+ is set to true, It should be changed to false for consistency with
+ the OpenSSH setting that does not hashes host names by default
+:bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=2014249
+:id: 1cee74c8-a0ad-44d4-8287-a32e3266de22
+:customerscenario: false
+:steps:
+1. Stop SSSD
+2. Configure SSSD with ssh having default value of
+ ssh_hash_known_hosts / ssh_hash_known_hosts = True /
+ ssh_hash_known_hosts = False
+3. Remove /var/lib/sss/pubconf/known_hosts file
+4. Start SSSD
+5. Perform SSH using IPA user
+6. Check if hostnames are hashed/unhashed in
+ /var/lib/sss/pubconf/known_hosts
+:expectedresults:
+1. Should succeed
+2. Should succeed
+3. Should succeed
+4. Should succeed
+5. Should succeed
+6. 
Hostnames should be hashed/unhashed as per the value of
+ ssh_hash_known_hosts
+"""
+tools = sssdTools(multihost.client[0])
+server_host = multihost.master[0].sys_hostname
+rm_host_keys = "rm -rf /tmp/ssh_host0003_rsa*"
+rm_known_hosts = "rm -rf /var/lib/sss/pubconf/known_hosts"
+view_known_hosts = "cat /var/lib/sss/pubconf/known_hosts"
+# adding host to IPA server
+multihost.master[0].run_command(r"ssh-keygen -q -t rsa -N '' -C '' "
+r"-f /tmp/ssh_host0003_rsa")
+multihost.master[0].run_command("ipa host-mod %s --sshpubkey="
+"\"$(cat /tmp/ssh_host0003_rsa.pub)\" "
+"--updatedns"
+% multihost.client[0].sys_hostname)
+
+def check_hostname_hash(hash_value=None):
+# no hash_value or hash_value = True or hash_value = False
+multihost.client[0].service_sssd("stop")
+if hash_value is None:
+sssd_conf_cmd = multihost.client[0].\
+run_command("cat /etc/sssd/sssd.conf")
+sssd_conf = str(sssd_conf_cmd.stdout_text).strip()
+if "ssh_hash_known_hosts" in sssd_conf:
+ssh_section = "ssh"
+ssh_param = {"ssh_hash_known_hosts": ""}
+tools.sssd_conf(ssh_section, ssh_param, action="delete")
+if hash_value is not None:
+ssh_section = "ssh"
+ssh_param = {"ssh_hash_known_hosts": hash_value}
+tools.sssd_conf(ssh_section, ssh_param, action="update")
+multihost.client[0].run_command(rm_known_hosts)
+multihost.client[0].service_sssd("start")
+cmd = "ssh -l -q foobar0@%s echo 'login successful'" % server_host
+# key added when performing SSH
+multihost.client[0].run_command(cmd, stdin_text="Secret123",
+raiseonerr=False)
+known_hosts = multihost.client[0].run_command(view_known_hosts)
+if server_host in known_hosts.stdout_text:
+
[SSSD] [sssd PR#5925][synchronized] TEST: Current value of ssh_hash_known_hosts causes error in the default configuration in FIPS mode
URL: https://github.com/SSSD/sssd/pull/5925 Author: dparmar18 Title: #5925: TEST: Current value of ssh_hash_known_hosts causes error in the default configuration in FIPS mode Action: synchronized To pull the PR as Git branch: git remote add ghsssd https://github.com/SSSD/sssd git fetch ghsssd pull/5925/head:pr5925 git checkout pr5925
From b0a2085a7d8af6038e99e0832999ecf8f4eae556 Mon Sep 17 00:00:00 2001
From: Dhairya Parmar
Date: Thu, 16 Dec 2021 20:42:47 +0530
Subject: [PATCH 1/2] TEST: Current value of ssh_hash_known_hosts causes error in the default configuration in FIPS mode. Explanation - In SSSD the default value for ssh_hash_known_hosts is set to true, It should be changed to false for consistency with the OpenSSH setting that does not hashes host names by default Verifies Issue: https://github.com/SSSD/sssd/issues/5848 Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=2014249
---
src/tests/multihost/ipa/test_misc.py | 83
1 file changed, 83 insertions(+)
diff --git a/src/tests/multihost/ipa/test_misc.py b/src/tests/multihost/ipa/test_misc.py
index 2c25cd0b1e..d2561b845a 100644
--- a/src/tests/multihost/ipa/test_misc.py
+++ b/src/tests/multihost/ipa/test_misc.py
@@ -303,3 +303,86 @@ def test_authentication_indicators(self, multihost):
 ' |tail -10')
 ssh.close()
 assert 'indicators: 2' in search.stdout_text
+
+def test_ssh_hash_knownhosts(self, multihost, reset_password,
+ setup_ipa_client, backupsssdconf):
+"""
+:title: Current value of ssh_hash_known_hosts causes error in
+ the default configuration in FIPS mode.
+:description: In SSSD the default value for ssh_hash_known_hosts
+ is set to true, It should be changed to false for consistency with
+ the OpenSSH setting that does not hashes host names by default
+:bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=2014249
+:id: 1cee74c8-a0ad-44d4-8287-a32e3266de22
+:customerscenario: false
+:steps:
+1. Stop SSSD
+2. Configure SSSD with ssh having default value of
+ ssh_hash_known_hosts / ssh_hash_known_hosts = True /
+ ssh_hash_known_hosts = False
+3. Remove /var/lib/sss/pubconf/known_hosts file
+4. Start SSSD
+5. Perform SSH using IPA user
+6. Check if hostnames are hashed/unhashed in
+ /var/lib/sss/pubconf/known_hosts
+:expectedresults:
+1. Should succeed
+2. Should succeed
+3. Should succeed
+4. Should succeed
+5. Should succeed
+6. 
Hostnames should be hashed/unhashed as per the value of
+ ssh_hash_known_hosts
+"""
+tools = sssdTools(multihost.client[0])
+server_host = multihost.master[0].sys_hostname
+rm_host_keys = "rm -rf /tmp/ssh_host0003_rsa*"
+rm_known_hosts = "rm -rf /var/lib/sss/pubconf/known_hosts"
+view_known_hosts = "cat /var/lib/sss/pubconf/known_hosts"
+# adding host to IPA server
+multihost.master[0].run_command(r"ssh-keygen -q -t rsa -N '' -C '' -f /tmp/ssh_host0003_rsa")
+multihost.master[0].run_command("ipa host-mod %s --sshpubkey="
+"\"$(cat /tmp/ssh_host0003_rsa.pub)\" "
+"--updatedns"
+% multihost.client[0].sys_hostname)
+
+def check_hostname_hash(hash_value=None):
+# no hash_value or hash_value = True or hash_value = False
+multihost.client[0].service_sssd("stop")
+if hash_value is None:
+sssd_conf_cmd = multihost.client[0].\
+run_command("cat /etc/sssd/sssd.conf")
+sssd_conf = str(sssd_conf_cmd.stdout_text).strip()
+if "ssh_hash_known_hosts" in sssd_conf:
+ssh_section = "ssh"
+ssh_param = {"ssh_hash_known_hosts": ""}
+tools.sssd_conf(ssh_section, ssh_param, action="delete")
+if hash_value is not None:
+ssh_section = "ssh"
+ssh_param = {"ssh_hash_known_hosts": hash_value}
+tools.sssd_conf(ssh_section, ssh_param, action="update")
+multihost.client[0].run_command(rm_known_hosts)
+multihost.client[0].service_sssd("start")
+cmd = "ssh -l -q foobar0@%s echo 'login successful'" % server_host
+# key added when performing SSH
+multihost.client[0].run_command(cmd, stdin_text="Secret123",
+raiseonerr=False)
+known_hosts = multihost.client[0].run_command(view_known_hosts)
+if server_host in known_hosts.stdout_text:
+flag = 0 # hostname not
[SSSD] [sssd PR#5925][synchronized] TEST: Current value of ssh_hash_known_hosts causes error in the default configuration in FIPS mode
URL: https://github.com/SSSD/sssd/pull/5925 Author: dparmar18 Title: #5925: TEST: Current value of ssh_hash_known_hosts causes error in the default configuration in FIPS mode Action: synchronized To pull the PR as Git branch: git remote add ghsssd https://github.com/SSSD/sssd git fetch ghsssd pull/5925/head:pr5925 git checkout pr5925
From b0a2085a7d8af6038e99e0832999ecf8f4eae556 Mon Sep 17 00:00:00 2001
From: Dhairya Parmar
Date: Thu, 16 Dec 2021 20:42:47 +0530
Subject: [PATCH] TEST: Current value of ssh_hash_known_hosts causes error in the default configuration in FIPS mode. Explanation - In SSSD the default value for ssh_hash_known_hosts is set to true, It should be changed to false for consistency with the OpenSSH setting that does not hashes host names by default Verifies Issue: https://github.com/SSSD/sssd/issues/5848 Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=2014249
---
src/tests/multihost/ipa/test_misc.py | 83
1 file changed, 83 insertions(+)
diff --git a/src/tests/multihost/ipa/test_misc.py b/src/tests/multihost/ipa/test_misc.py
index 2c25cd0b1e..d2561b845a 100644
--- a/src/tests/multihost/ipa/test_misc.py
+++ b/src/tests/multihost/ipa/test_misc.py
@@ -303,3 +303,86 @@ def test_authentication_indicators(self, multihost):
 ' |tail -10')
 ssh.close()
 assert 'indicators: 2' in search.stdout_text
+
+def test_ssh_hash_knownhosts(self, multihost, reset_password,
+ setup_ipa_client, backupsssdconf):
+"""
+:title: Current value of ssh_hash_known_hosts causes error in
+ the default configuration in FIPS mode.
+:description: In SSSD the default value for ssh_hash_known_hosts
+ is set to true, It should be changed to false for consistency with
+ the OpenSSH setting that does not hashes host names by default
+:bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=2014249
+:id: 1cee74c8-a0ad-44d4-8287-a32e3266de22
+:customerscenario: false
+:steps:
+1. Stop SSSD
+2. Configure SSSD with ssh having default value of
+ ssh_hash_known_hosts / ssh_hash_known_hosts = True /
+ ssh_hash_known_hosts = False
+3. Remove /var/lib/sss/pubconf/known_hosts file
+4. Start SSSD
+5. Perform SSH using IPA user
+6. Check if hostnames are hashed/unhashed in
+ /var/lib/sss/pubconf/known_hosts
+:expectedresults:
+1. Should succeed
+2. Should succeed
+3. Should succeed
+4. Should succeed
+5. Should succeed
+6. 
Hostnames should be hashed/unhashed as per the value of
+ ssh_hash_known_hosts
+"""
+tools = sssdTools(multihost.client[0])
+server_host = multihost.master[0].sys_hostname
+rm_host_keys = "rm -rf /tmp/ssh_host0003_rsa*"
+rm_known_hosts = "rm -rf /var/lib/sss/pubconf/known_hosts"
+view_known_hosts = "cat /var/lib/sss/pubconf/known_hosts"
+# adding host to IPA server
+multihost.master[0].run_command(r"ssh-keygen -q -t rsa -N '' -C '' -f /tmp/ssh_host0003_rsa")
+multihost.master[0].run_command("ipa host-mod %s --sshpubkey="
+"\"$(cat /tmp/ssh_host0003_rsa.pub)\" "
+"--updatedns"
+% multihost.client[0].sys_hostname)
+
+def check_hostname_hash(hash_value=None):
+# no hash_value or hash_value = True or hash_value = False
+multihost.client[0].service_sssd("stop")
+if hash_value is None:
+sssd_conf_cmd = multihost.client[0].\
+run_command("cat /etc/sssd/sssd.conf")
+sssd_conf = str(sssd_conf_cmd.stdout_text).strip()
+if "ssh_hash_known_hosts" in sssd_conf:
+ssh_section = "ssh"
+ssh_param = {"ssh_hash_known_hosts": ""}
+tools.sssd_conf(ssh_section, ssh_param, action="delete")
+if hash_value is not None:
+ssh_section = "ssh"
+ssh_param = {"ssh_hash_known_hosts": hash_value}
+tools.sssd_conf(ssh_section, ssh_param, action="update")
+multihost.client[0].run_command(rm_known_hosts)
+multihost.client[0].service_sssd("start")
+cmd = "ssh -l -q foobar0@%s echo 'login successful'" % server_host
+# key added when performing SSH
+multihost.client[0].run_command(cmd, stdin_text="Secret123",
+raiseonerr=False)
+known_hosts = multihost.client[0].run_command(view_known_hosts)
+if server_host in known_hosts.stdout_text:
+flag = 0 # hostname not
[SSSD] [sssd PR#5925][synchronized] TEST: Current value of ssh_hash_known_hosts causes error in the default configuration in FIPS mode
URL: https://github.com/SSSD/sssd/pull/5925 Author: dparmar18 Title: #5925: TEST: Current value of ssh_hash_known_hosts causes error in the default configuration in FIPS mode Action: synchronized To pull the PR as Git branch: git remote add ghsssd https://github.com/SSSD/sssd git fetch ghsssd pull/5925/head:pr5925 git checkout pr5925
From 38da67e96d5805e1d33f68413a72881fd85c8d4d Mon Sep 17 00:00:00 2001
From: Dhairya Parmar
Date: Thu, 16 Dec 2021 20:42:47 +0530
Subject: [PATCH 1/2] TEST: Current value of ssh_hash_known_hosts causes error in the default configuration in FIPS mode. Explanation - In SSSD the default value for ssh_hash_known_hosts is set to true, It should be changed to false for consistency with the OpenSSH setting that does not hashes host names by default Verifies Issue: https://github.com/SSSD/sssd/issues/5848 Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=2014249
---
src/tests/multihost/ipa/test_misc.py | 65
1 file changed, 65 insertions(+)
diff --git a/src/tests/multihost/ipa/test_misc.py b/src/tests/multihost/ipa/test_misc.py
index 2c25cd0b1e..ce797d581e 100644
--- a/src/tests/multihost/ipa/test_misc.py
+++ b/src/tests/multihost/ipa/test_misc.py
@@ -303,3 +303,68 @@ def test_authentication_indicators(self, multihost):
 ' |tail -10')
 ssh.close()
 assert 'indicators: 2' in search.stdout_text
+
+def test_ssh_hash_knownhosts(self, multihost, reset_password,
+ setup_ipa_client, backupsssdconf):
+"""
+:title: Current value of ssh_hash_known_hosts causes error in
+ the default configuration in FIPS mode.
+:description: In SSSD the default value for ssh_hash_known_hosts
+ is set to true, It should be changed to false for consistency with
+ the OpenSSH setting that does not hashes host names by default
+:bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=2014249
+:id: 1cee74c8-a0ad-44d4-8287-a32e3266de22
+:customerscenario: false
+:steps:
+1. Stop SSSD
+2. Configure SSSD with ssh having default value of
+ ssh_hash_known_hosts / ssh_hash_known_hosts = True /
+ ssh_hash_known_hosts = False
+3. Remove /var/lib/sss/pubconf/known_hosts file
+4. Start SSSD
+5. Perform SSH using IPA user
+6. Check if hostnames are hashed/unhashed in
+ /var/lib/sss/pubconf/known_hosts
+:expectedresults:
+1. Should succeed
+2. Should succeed
+3. Should succeed
+4. Should succeed
+5. Should succeed
+6. 
Hostnames should be hashed/unhashed as per the value of
+ ssh_hash_known_hosts
+"""
+tools = sssdTools(multihost.client[0])
+server_host = multihost.master[0].sys_hostname
+rm_known_hosts = "rm -rf /var/lib/sss/pubconf/known_hosts"
+view_known_hosts = "cat /var/lib/sss/pubconf/known_hosts"
+
+def check_hostname_hash(hash_value: str):
+# no hash_value or hash_value = True or hash_value = False
+multihost.client[0].service_sssd("stop")
+if hash_value != "default":
+ssh_section = "ssh"
+ssh_param = {"ssh_hash_known_hosts": hash_value}
+tools.sssd_conf(ssh_section, ssh_param, action="update")
+multihost.client[0].run_command(rm_known_hosts)
+multihost.client[0].service_sssd("start")
+cmd = "ssh -l -q foobar0@%s echo 'login successful'" % server_host
+multihost.client[0].run_command(cmd, stdin_text="Secret123",
+raiseonerr=False)
+known_hosts = multihost.client[0].run_command(view_known_hosts)
+if server_host in known_hosts.stdout_text:
+flag = 0 # hostname not hashed
+else:
+flag = 1 # hostname hashed
+return flag
+
+try:
+# ssh_hash_known_hosts is not used, default value is False
+assert check_hostname_hash("default") == 0, "Hostnames hashed - " \
+"Bugzilla 2014249/2015070"
+# ssh_hash_known_hosts = True
+assert check_hostname_hash("True") == 1, "Hostnames not hashed"
+# ssh_hash_known_hosts = False
+assert check_hostname_hash("False") == 0, "Hostnames hashed"
+finally:
+multihost.client[0].run_command(rm_known_hosts)
From ce2e1b2f90e66c9977b4397c8121929efe506e9e Mon Sep 17 00:00:00 2001
From: Dhairya Parmar
Date: Fri, 7 Jan 2022 21:07:59 +0530
Subject: [PATCH 2/2] requested changes applied
---
src/tests/multihost/ipa/test_misc.py | 24 +---
1 file changed, 21 insertions(+), 3 deletions(-)
diff --git
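Review bot: The `else` branch of `check_hostname_hash` returns 1 ("hostname hashed") for any known_hosts content that lacks the plain hostname, so an empty file or a file with no entry for the server also satisfies `assert check_hostname_hash("True") == 1`. The ssh step cannot rule that out: it runs with `raiseonerr=False`, and in `ssh -l -q foobar0@%s` the `-q` is consumed as the argument of `-l`, so the command is not the quiet login it appears to be. Make the positive case explicit, for example `assert "|1|" in known_hosts.stdout_text, "no hashed entry written"` before `flag = 1` (OpenSSH-style hashed entries start with `|1|`; confirm SSSD writes the same form), and drop the stray `-l`. The same hunk is repeated unchanged in the three later messages on this page.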
[SSSD] [sssd PR#5925][synchronized] TEST: Current value of ssh_hash_known_hosts causes error in the default configuration in FIPS mode
URL: https://github.com/SSSD/sssd/pull/5925 Author: dparmar18 Title: #5925: TEST: Current value of ssh_hash_known_hosts causes error in the default configuration in FIPS mode Action: synchronized To pull the PR as Git branch: git remote add ghsssd https://github.com/SSSD/sssd git fetch ghsssd pull/5925/head:pr5925 git checkout pr5925
From 38da67e96d5805e1d33f68413a72881fd85c8d4d Mon Sep 17 00:00:00 2001
From: Dhairya Parmar
Date: Thu, 16 Dec 2021 20:42:47 +0530
Subject: [PATCH] TEST: Current value of ssh_hash_known_hosts causes error in the default configuration in FIPS mode. Explanation - In SSSD the default value for ssh_hash_known_hosts is set to true, It should be changed to false for consistency with the OpenSSH setting that does not hashes host names by default Verifies Issue: https://github.com/SSSD/sssd/issues/5848 Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=2014249
---
src/tests/multihost/ipa/test_misc.py | 65
1 file changed, 65 insertions(+)
diff --git a/src/tests/multihost/ipa/test_misc.py b/src/tests/multihost/ipa/test_misc.py
index 2c25cd0b1e..ce797d581e 100644
--- a/src/tests/multihost/ipa/test_misc.py
+++ b/src/tests/multihost/ipa/test_misc.py
@@ -303,3 +303,68 @@ def test_authentication_indicators(self, multihost):
 ' |tail -10')
 ssh.close()
 assert 'indicators: 2' in search.stdout_text
+
+def test_ssh_hash_knownhosts(self, multihost, reset_password,
+ setup_ipa_client, backupsssdconf):
+"""
+:title: Current value of ssh_hash_known_hosts causes error in
+ the default configuration in FIPS mode.
+:description: In SSSD the default value for ssh_hash_known_hosts
+ is set to true, It should be changed to false for consistency with
+ the OpenSSH setting that does not hashes host names by default
+:bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=2014249
+:id: 1cee74c8-a0ad-44d4-8287-a32e3266de22
+:customerscenario: false
+:steps:
+1. Stop SSSD
+2. Configure SSSD with ssh having default value of
+ ssh_hash_known_hosts / ssh_hash_known_hosts = True /
+ ssh_hash_known_hosts = False
+3. Remove /var/lib/sss/pubconf/known_hosts file
+4. Start SSSD
+5. Perform SSH using IPA user
+6. Check if hostnames are hashed/unhashed in
+ /var/lib/sss/pubconf/known_hosts
+:expectedresults:
+1. Should succeed
+2. Should succeed
+3. Should succeed
+4. Should succeed
+5. Should succeed
+6. 
Hostnames should be hashed/unhashed as per the value of
+ ssh_hash_known_hosts
+"""
+tools = sssdTools(multihost.client[0])
+server_host = multihost.master[0].sys_hostname
+rm_known_hosts = "rm -rf /var/lib/sss/pubconf/known_hosts"
+view_known_hosts = "cat /var/lib/sss/pubconf/known_hosts"
+
+def check_hostname_hash(hash_value: str):
+# no hash_value or hash_value = True or hash_value = False
+multihost.client[0].service_sssd("stop")
+if hash_value != "default":
+ssh_section = "ssh"
+ssh_param = {"ssh_hash_known_hosts": hash_value}
+tools.sssd_conf(ssh_section, ssh_param, action="update")
+multihost.client[0].run_command(rm_known_hosts)
+multihost.client[0].service_sssd("start")
+cmd = "ssh -l -q foobar0@%s echo 'login successful'" % server_host
+multihost.client[0].run_command(cmd, stdin_text="Secret123",
+raiseonerr=False)
+known_hosts = multihost.client[0].run_command(view_known_hosts)
+if server_host in known_hosts.stdout_text:
+flag = 0 # hostname not hashed
+else:
+flag = 1 # hostname hashed
+return flag
+
+try:
+# ssh_hash_known_hosts is not used, default value is False
+assert check_hostname_hash("default") == 0, "Hostnames hashed - " \
+"Bugzilla 2014249/2015070"
+# ssh_hash_known_hosts = True
+assert check_hostname_hash("True") == 1, "Hostnames not hashed"
+# ssh_hash_known_hosts = False
+assert check_hostname_hash("False") == 0, "Hostnames hashed"
+finally:
+multihost.client[0].run_command(rm_known_hosts)
___ sssd-devel mailing list -- sssd-devel@lists.fedorahosted.org To unsubscribe send an email to sssd-devel-le...@lists.fedorahosted.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines:
[SSSD] [sssd PR#5925][synchronized] TEST: Current value of ssh_hash_known_hosts causes error in the default configuration in FIPS mode
URL: https://github.com/SSSD/sssd/pull/5925 Author: dparmar18 Title: #5925: TEST: Current value of ssh_hash_known_hosts causes error in the default configuration in FIPS mode Action: synchronized To pull the PR as Git branch: git remote add ghsssd https://github.com/SSSD/sssd git fetch ghsssd pull/5925/head:pr5925 git checkout pr5925
From 38da67e96d5805e1d33f68413a72881fd85c8d4d Mon Sep 17 00:00:00 2001
From: Dhairya Parmar
Date: Thu, 16 Dec 2021 20:42:47 +0530
Subject: [PATCH 1/2] TEST: Current value of ssh_hash_known_hosts causes error in the default configuration in FIPS mode. Explanation - In SSSD the default value for ssh_hash_known_hosts is set to true, It should be changed to false for consistency with the OpenSSH setting that does not hashes host names by default Verifies Issue: https://github.com/SSSD/sssd/issues/5848 Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=2014249
---
src/tests/multihost/ipa/test_misc.py | 65
1 file changed, 65 insertions(+)
diff --git a/src/tests/multihost/ipa/test_misc.py b/src/tests/multihost/ipa/test_misc.py
index 2c25cd0b1e..ce797d581e 100644
--- a/src/tests/multihost/ipa/test_misc.py
+++ b/src/tests/multihost/ipa/test_misc.py
@@ -303,3 +303,68 @@ def test_authentication_indicators(self, multihost):
 ' |tail -10')
 ssh.close()
 assert 'indicators: 2' in search.stdout_text
+
+def test_ssh_hash_knownhosts(self, multihost, reset_password,
+ setup_ipa_client, backupsssdconf):
+"""
+:title: Current value of ssh_hash_known_hosts causes error in
+ the default configuration in FIPS mode.
+:description: In SSSD the default value for ssh_hash_known_hosts
+ is set to true, It should be changed to false for consistency with
+ the OpenSSH setting that does not hashes host names by default
+:bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=2014249
+:id: 1cee74c8-a0ad-44d4-8287-a32e3266de22
+:customerscenario: false
+:steps:
+1. Stop SSSD
+2. Configure SSSD with ssh having default value of
+ ssh_hash_known_hosts / ssh_hash_known_hosts = True /
+ ssh_hash_known_hosts = False
+3. Remove /var/lib/sss/pubconf/known_hosts file
+4. Start SSSD
+5. Perform SSH using IPA user
+6. Check if hostnames are hashed/unhashed in
+ /var/lib/sss/pubconf/known_hosts
+:expectedresults:
+1. Should succeed
+2. Should succeed
+3. Should succeed
+4. Should succeed
+5. Should succeed
+6. 
Hostnames should be hashed/unhashed as per the value of
+ ssh_hash_known_hosts
+"""
+tools = sssdTools(multihost.client[0])
+server_host = multihost.master[0].sys_hostname
+rm_known_hosts = "rm -rf /var/lib/sss/pubconf/known_hosts"
+view_known_hosts = "cat /var/lib/sss/pubconf/known_hosts"
+
+def check_hostname_hash(hash_value: str):
+# no hash_value or hash_value = True or hash_value = False
+multihost.client[0].service_sssd("stop")
+if hash_value != "default":
+ssh_section = "ssh"
+ssh_param = {"ssh_hash_known_hosts": hash_value}
+tools.sssd_conf(ssh_section, ssh_param, action="update")
+multihost.client[0].run_command(rm_known_hosts)
+multihost.client[0].service_sssd("start")
+cmd = "ssh -l -q foobar0@%s echo 'login successful'" % server_host
+multihost.client[0].run_command(cmd, stdin_text="Secret123",
+raiseonerr=False)
+known_hosts = multihost.client[0].run_command(view_known_hosts)
+if server_host in known_hosts.stdout_text:
+flag = 0 # hostname not hashed
+else:
+flag = 1 # hostname hashed
+return flag
+
+try:
+# ssh_hash_known_hosts is not used, default value is False
+assert check_hostname_hash("default") == 0, "Hostnames hashed - " \
+"Bugzilla 2014249/2015070"
+# ssh_hash_known_hosts = True
+assert check_hostname_hash("True") == 1, "Hostnames not hashed"
+# ssh_hash_known_hosts = False
+assert check_hostname_hash("False") == 0, "Hostnames hashed"
+finally:
+multihost.client[0].run_command(rm_known_hosts)
From cc89fdedf6262fa4b14b559cb9b69005f2685e81 Mon Sep 17 00:00:00 2001
From: Dhairya Parmar
Date: Fri, 7 Jan 2022 19:37:33 +0530
Subject: [PATCH 2/2] double quotes instead of single
---
src/tests/multihost/ipa/test_misc.py | 22 +++---
1 file changed, 19 insertions(+), 3 deletions(-)
diff --git
[SSSD] [sssd PR#5925][synchronized] TEST: Current value of ssh_hash_known_hosts causes error in the default configuration in FIPS mode
URL: https://github.com/SSSD/sssd/pull/5925 Author: dparmar18 Title: #5925: TEST: Current value of ssh_hash_known_hosts causes error in the default configuration in FIPS mode Action: synchronized To pull the PR as Git branch: git remote add ghsssd https://github.com/SSSD/sssd git fetch ghsssd pull/5925/head:pr5925 git checkout pr5925
From 38da67e96d5805e1d33f68413a72881fd85c8d4d Mon Sep 17 00:00:00 2001
From: Dhairya Parmar
Date: Thu, 16 Dec 2021 20:42:47 +0530
Subject: [PATCH] TEST: Current value of ssh_hash_known_hosts causes error in the default configuration in FIPS mode. Explanation - In SSSD the default value for ssh_hash_known_hosts is set to true, It should be changed to false for consistency with the OpenSSH setting that does not hashes host names by default Verifies Issue: https://github.com/SSSD/sssd/issues/5848 Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=2014249
---
src/tests/multihost/ipa/test_misc.py | 65
1 file changed, 65 insertions(+)
diff --git a/src/tests/multihost/ipa/test_misc.py b/src/tests/multihost/ipa/test_misc.py
index 2c25cd0b1e..ce797d581e 100644
--- a/src/tests/multihost/ipa/test_misc.py
+++ b/src/tests/multihost/ipa/test_misc.py
@@ -303,3 +303,68 @@ def test_authentication_indicators(self, multihost): ' |tail -10') ssh.close() assert 'indicators: 2' in search.stdout_text + +def test_ssh_hash_knownhosts(self, multihost, reset_password, + setup_ipa_client, backupsssdconf): +""" +:title: Current value of ssh_hash_known_hosts causes error in + the default configuration in FIPS mode. +:description: In SSSD the default value for ssh_hash_known_hosts + is set to true, It should be changed to false for consistency with + the OpenSSH setting that does not hashes host names by default +:bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=2014249 +:id: 1cee74c8-a0ad-44d4-8287-a32e3266de22 +:customerscenario: false +:steps: +1. Stop SSSD +2. Configure SSSD with ssh having default value of + ssh_hash_known_hosts / ssh_hash_known_hosts = True / + ssh_hash_known_hosts = False +3. Remove /var/lib/sss/pubconf/known_hosts file +4. Start SSSD +5. Perform SSH using IPA user +6. Check if hostnames are hashed/unhashed in + /var/lib/sss/pubconf/known_hosts +:expectedresults: +1. Should succeed +2. Should succeed +3. Should succeed +4. Should succeed +5. Should succeed +6. 
Hostnames should be hashed/unhashed as per the value of
+ ssh_hash_known_hosts
+"""
+tools = sssdTools(multihost.client[0])
+server_host = multihost.master[0].sys_hostname
+rm_known_hosts = "rm -rf /var/lib/sss/pubconf/known_hosts"
+view_known_hosts = "cat /var/lib/sss/pubconf/known_hosts"
+
+def check_hostname_hash(hash_value: str):
+# no hash_value or hash_value = True or hash_value = False
+multihost.client[0].service_sssd("stop")
+if hash_value != "default":
+ssh_section = "ssh"
+ssh_param = {"ssh_hash_known_hosts": hash_value}
+tools.sssd_conf(ssh_section, ssh_param, action="update")
+multihost.client[0].run_command(rm_known_hosts)
+multihost.client[0].service_sssd("start")
+cmd = "ssh -l -q foobar0@%s echo 'login successful'" % server_host
+multihost.client[0].run_command(cmd, stdin_text="Secret123",
+raiseonerr=False)
+known_hosts = multihost.client[0].run_command(view_known_hosts)
+if server_host in known_hosts.stdout_text:
+flag = 0 # hostname not hashed
+else:
+flag = 1 # hostname hashed
+return flag
+
+try:
+# ssh_hash_known_hosts is not used, default value is False
+assert check_hostname_hash("default") == 0, "Hostnames hashed - " \
+"Bugzilla 2014249/2015070"
+# ssh_hash_known_hosts = True
+assert check_hostname_hash("True") == 1, "Hostnames not hashed"
+# ssh_hash_known_hosts = False
+assert check_hostname_hash("False") == 0, "Hostnames hashed"
+finally:
+multihost.client[0].run_command(rm_known_hosts)
___ sssd-devel mailing list -- sssd-devel@lists.fedorahosted.org To unsubscribe send an email to sssd-devel-le...@lists.fedorahosted.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines:
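Review bot: In `check_hostname_hash`, the command `ssh -l -q foobar0@%s echo 'login successful'` puts `-q` where `-l` expects its login-name argument, so ssh reads `-q` as the user name instead of as the quiet flag. Because the call passes `raiseonerr=False` and its result is never inspected, a failed login goes unnoticed and step 5 of the docstring ("Perform SSH using IPA user") is not actually verified. I would write `cmd = "ssh -q -l foobar0 %s echo 'login successful'" % server_host` and assert on the command's return code or on the echoed text. The later revisions of this hunk on the page build the command with the same `-l -q` ordering.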
[SSSD] [sssd PR#5925][synchronized] TEST: Current value of ssh_hash_known_hosts causes error in the default configuration in FIPS mode
URL: https://github.com/SSSD/sssd/pull/5925 Author: dparmar18 Title: #5925: TEST: Current value of ssh_hash_known_hosts causes error in the default configuration in FIPS mode Action: synchronized To pull the PR as Git branch: git remote add ghsssd https://github.com/SSSD/sssd git fetch ghsssd pull/5925/head:pr5925 git checkout pr5925 From c3f081fe70d8a544d6d7d35770104fb93ce320e9 Mon Sep 17 00:00:00 2001 From: Dhairya Parmar Date: Thu, 16 Dec 2021 20:42:47 +0530 Subject: [PATCH 1/2] TEST: Current value of ssh_hash_known_hosts causes error in the default configuration in FIPS mode. Explanation - In SSSD the default value for ssh_hash_known_hosts is set to true, It should be changed to false for consistency with the OpenSSH setting that does not hashes host names by default Verifies Issue: https://github.com/SSSD/sssd/issues/5848 Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=2014249 --- src/tests/multihost/ipa/test_misc.py | 65 1 file changed, 65 insertions(+) diff --git a/src/tests/multihost/ipa/test_misc.py b/src/tests/multihost/ipa/test_misc.py index 2c25cd0b1e..1f1f7b0da6 100644 --- a/src/tests/multihost/ipa/test_misc.py +++ b/src/tests/multihost/ipa/test_misc.py 
@@ -303,3 +303,68 @@ def test_authentication_indicators(self, multihost): ' |tail -10') ssh.close() assert 'indicators: 2' in search.stdout_text + +def test_ssh_hash_knownhosts(self, multihost, reset_password, + setup_ipa_client, backupsssdconf): +""" +:title: Current value of ssh_hash_known_hosts causes error in + the default configuration in FIPS mode. +:description: In SSSD the default value for ssh_hash_known_hosts + is set to true, It should be changed to false for consistency with + the OpenSSH setting that does not hashes host names by default +:bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=2014249 +:id: 1cee74c8-a0ad-44d4-8287-a32e3266de22 +:customerscenario: false +:steps: +1. Stop SSSD +2. Configure SSSD with ssh having default value of + ssh_hash_known_hosts / ssh_hash_known_hosts = True / + ssh_hash_known_hosts = False +3. Remove /var/lib/sss/pubconf/known_hosts file +4. Start SSSD +5. Perform SSH using IPA user +6. Check if hostnames are hashed/unhashed in + /var/lib/sss/pubconf/known_hosts +:expectedresults: +1. Should succeed +2. Should succeed +3. Should succeed +4. Should succeed +5. Should succeed +6. 
Hostnames should be hashed/unhashed as per the value of
+ ssh_hash_known_hosts
+"""
+tools = sssdTools(multihost.client[0])
+server_host = multihost.master[0].sys_hostname
+rm_known_hosts = "rm -rf /var/lib/sss/pubconf/known_hosts"
+view_known_hosts = "cat /var/lib/sss/pubconf/known_hosts"
+
+def check_hostname_hash(hash_value: str):
+# no hash_value or hash_value = True or hash_value = False
+multihost.client[0].service_sssd("stop")
+if hash_value != "default":
+ssh_section = "ssh"
+ssh_param = {"ssh_hash_known_hosts": hash_value}
+tools.sssd_conf(ssh_section, ssh_param, action="update")
+multihost.client[0].run_command(rm_known_hosts)
+multihost.client[0].service_sssd("start")
+cmd = "ssh -l -q foobar0@%s" % server_host
+multihost.client[0].run_command(cmd, stdin_text="Secret123",
+raiseonerr=False)
+known_hosts = multihost.client[0].run_command(view_known_hosts)
+if server_host in known_hosts.stdout_text:
+flag = 0 # hostname not hashed
+else:
+flag = 1 # hostname hashed
+return flag
+
+try:
+# ssh_hash_known_hosts is not used, default value is False
+assert check_hostname_hash("default") == 0, "Hostnames hashed - " \
+"Bugzilla 2014249/2015070"
+# ssh_hash_known_hosts = True
+assert check_hostname_hash("True") == 1, "Hostnames not hashed"
+# ssh_hash_known_hosts = False
+assert check_hostname_hash("False") == 0, "Hostnames hashed"
+finally:
+multihost.client[0].run_command(rm_known_hosts)
From e90117704edb399ce468db03c70f3d5a79182a6b Mon Sep 17 00:00:00 2001 From: Dhairya Parmar Date: Mon, 20 Dec 2021 18:37:53 +0530 Subject: [PATCH 2/2] ssh command modified --- src/tests/multihost/ipa/test_misc.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/tests/multihost/ipa/test_misc.py
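Review bot: `check_hostname_hash` reports "hashed" whenever `server_host` is absent from the `cat` output, so an empty known_hosts file, or one keyed only by a short name or an IP address, also yields `flag = 1` and lets the `"True"` assertion pass without any hashed entry being present. A positive check would be stronger: hashed entries in the OpenSSH known_hosts format start with `|1|`, so, assuming SSSD writes that format, the hashed case can require `"|1|" in known_hosts.stdout_text` and the unhashed cases can require its absence alongside the hostname match. The same detection logic is used in every revision of this hunk on the page.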
[SSSD] [sssd PR#5925][synchronized] TEST: Current value of ssh_hash_known_hosts causes error in the default configuration in FIPS mode
URL: https://github.com/SSSD/sssd/pull/5925 Author: dparmar18 Title: #5925: TEST: Current value of ssh_hash_known_hosts causes error in the default configuration in FIPS mode Action: synchronized To pull the PR as Git branch: git remote add ghsssd https://github.com/SSSD/sssd git fetch ghsssd pull/5925/head:pr5925 git checkout pr5925 From c3f081fe70d8a544d6d7d35770104fb93ce320e9 Mon Sep 17 00:00:00 2001 From: Dhairya Parmar Date: Thu, 16 Dec 2021 20:42:47 +0530 Subject: [PATCH] TEST: Current value of ssh_hash_known_hosts causes error in the default configuration in FIPS mode. Explanation - In SSSD the default value for ssh_hash_known_hosts is set to true, It should be changed to false for consistency with the OpenSSH setting that does not hashes host names by default Verifies Issue: https://github.com/SSSD/sssd/issues/5848 Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=2014249 --- src/tests/multihost/ipa/test_misc.py | 65 1 file changed, 65 insertions(+) diff --git a/src/tests/multihost/ipa/test_misc.py b/src/tests/multihost/ipa/test_misc.py index 2c25cd0b1e..1f1f7b0da6 100644 --- a/src/tests/multihost/ipa/test_misc.py +++ b/src/tests/multihost/ipa/test_misc.py 
@@ -303,3 +303,68 @@ def test_authentication_indicators(self, multihost): ' |tail -10') ssh.close() assert 'indicators: 2' in search.stdout_text + +def test_ssh_hash_knownhosts(self, multihost, reset_password, + setup_ipa_client, backupsssdconf): +""" +:title: Current value of ssh_hash_known_hosts causes error in + the default configuration in FIPS mode. +:description: In SSSD the default value for ssh_hash_known_hosts + is set to true, It should be changed to false for consistency with + the OpenSSH setting that does not hashes host names by default +:bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=2014249 +:id: 1cee74c8-a0ad-44d4-8287-a32e3266de22 +:customerscenario: false +:steps: +1. Stop SSSD +2. Configure SSSD with ssh having default value of + ssh_hash_known_hosts / ssh_hash_known_hosts = True / + ssh_hash_known_hosts = False +3. Remove /var/lib/sss/pubconf/known_hosts file +4. Start SSSD +5. Perform SSH using IPA user +6. Check if hostnames are hashed/unhashed in + /var/lib/sss/pubconf/known_hosts +:expectedresults: +1. Should succeed +2. Should succeed +3. Should succeed +4. Should succeed +5. Should succeed +6. 
Hostnames should be hashed/unhashed as per the value of
+ ssh_hash_known_hosts
+"""
+tools = sssdTools(multihost.client[0])
+server_host = multihost.master[0].sys_hostname
+rm_known_hosts = "rm -rf /var/lib/sss/pubconf/known_hosts"
+view_known_hosts = "cat /var/lib/sss/pubconf/known_hosts"
+
+def check_hostname_hash(hash_value: str):
+# no hash_value or hash_value = True or hash_value = False
+multihost.client[0].service_sssd("stop")
+if hash_value != "default":
+ssh_section = "ssh"
+ssh_param = {"ssh_hash_known_hosts": hash_value}
+tools.sssd_conf(ssh_section, ssh_param, action="update")
+multihost.client[0].run_command(rm_known_hosts)
+multihost.client[0].service_sssd("start")
+cmd = "ssh -l -q foobar0@%s" % server_host
+multihost.client[0].run_command(cmd, stdin_text="Secret123",
+raiseonerr=False)
+known_hosts = multihost.client[0].run_command(view_known_hosts)
+if server_host in known_hosts.stdout_text:
+flag = 0 # hostname not hashed
+else:
+flag = 1 # hostname hashed
+return flag
+
+try:
+# ssh_hash_known_hosts is not used, default value is False
+assert check_hostname_hash("default") == 0, "Hostnames hashed - " \
+"Bugzilla 2014249/2015070"
+# ssh_hash_known_hosts = True
+assert check_hostname_hash("True") == 1, "Hostnames not hashed"
+# ssh_hash_known_hosts = False
+assert check_hostname_hash("False") == 0, "Hostnames hashed"
+finally:
+multihost.client[0].run_command(rm_known_hosts)
___ sssd-devel mailing list -- sssd-devel@lists.fedorahosted.org To unsubscribe send an email to sssd-devel-le...@lists.fedorahosted.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List
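Review bot: The password is handed to ssh through `stdin_text="Secret123"`, but OpenSSH normally reads a password prompt from the controlling terminal rather than from standard input, so the login in `check_hostname_hash` probably never authenticates. The test still passes because `raiseonerr=False` discards the result and only the known_hosts content is checked afterwards. If a real login is intended, the session-object pattern hinted at by the `ssh.close()` context line above the hunk looks like the better fit. Otherwise a comment such as `# authentication is expected to fail; only the host-key lookup matters` would make the intent explicit.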
[SSSD] [sssd PR#5925][synchronized] TEST: Current value of ssh_hash_known_hosts causes error in the default configuration in FIPS mode
URL: https://github.com/SSSD/sssd/pull/5925 Author: dparmar18 Title: #5925: TEST: Current value of ssh_hash_known_hosts causes error in the default configuration in FIPS mode Action: synchronized To pull the PR as Git branch: git remote add ghsssd https://github.com/SSSD/sssd git fetch ghsssd pull/5925/head:pr5925 git checkout pr5925 From 117129cc51717ebe80fdc4335b40f5edd2051e04 Mon Sep 17 00:00:00 2001 From: Dhairya Parmar Date: Thu, 16 Dec 2021 20:42:47 +0530 Subject: [PATCH 1/2] TEST: Current value of ssh_hash_known_hosts causes error in the default configuration in FIPS mode. Explanation - In SSSD the default value for ssh_hash_known_hosts is set to true, It should be changed to false for consistency with the OpenSSH setting that does not hashes host names by default Verifies Issue: https://github.com/SSSD/sssd/issues/5848 Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=2014249 --- src/tests/multihost/ipa/test_misc.py | 65 1 file changed, 65 insertions(+) diff --git a/src/tests/multihost/ipa/test_misc.py b/src/tests/multihost/ipa/test_misc.py index 2c25cd0b1e..800bd16878 100644 --- a/src/tests/multihost/ipa/test_misc.py +++ b/src/tests/multihost/ipa/test_misc.py 
@@ -303,3 +303,68 @@ def test_authentication_indicators(self, multihost): ' |tail -10') ssh.close() assert 'indicators: 2' in search.stdout_text + +def test_ssh_hash_knownhosts(self, multihost, reset_password, + setup_ipa_client): +""" +:title: Current value of ssh_hash_known_hosts causes error in + the default configuration in FIPS mode. +:description: In SSSD the default value for ssh_hash_known_hosts + is set to true, It should be changed to false for consistency with + the OpenSSH setting that does not hashes host names by default +:bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=2014249 +:id: 1cee74c8-a0ad-44d4-8287-a32e3266de22 +:customerscenario: false +:steps: +1. Stop SSSD +2. Configure SSSD with ssh having default value of + ssh_hash_known_hosts / ssh_hash_known_hosts = True / + ssh_hash_known_hosts = False +3. Remove /var/lib/sss/pubconf/known_hosts file +4. Start SSSD +5. Perform SSH using IPA user +6. Check if hostnames are hashed/unhashed in + /var/lib/sss/pubconf/known_hosts +:expectedresults: +1. Should succeed +2. Should succeed +3. Should succeed +4. Should succeed +5. Should succeed +6. 
Hostnames should be hashed/unhashed as per the value of
+ ssh_hash_known_hosts
+"""
+tools = sssdTools(multihost.client[0])
+server_host = multihost.master[0].sys_hostname
+rm_known_hosts = "rm -rf /var/lib/sss/pubconf/known_hosts"
+view_known_hosts = "cat /var/lib/sss/pubconf/known_hosts"
+
+def check_hostname_hash(hash_value: str):
+# no hash_value or hash_value = True or hash_value = False
+multihost.client[0].service_sssd("stop")
+if hash_value != "default":
+ssh_section = "ssh"
+ssh_param = {"ssh_hash_known_hosts": hash_value}
+tools.sssd_conf(ssh_section, ssh_param, action="update")
+multihost.client[0].run_command(rm_known_hosts)
+multihost.client[0].service_sssd("start")
+cmd = "ssh -l -q foobar0@%s" % server_host
+multihost.client[0].run_command(cmd, stdin_text="Secret123",
+raiseonerr=False)
+known_hosts = multihost.client[0].run_command(view_known_hosts)
+if server_host in known_hosts.stdout_text:
+flag = 0 # hostname not hashed
+else:
+flag = 1 # hostname hashed
+return flag
+
+try:
+# ssh_hash_known_hosts is not used, default value is False
+assert check_hostname_hash("default") == 0, "Hostnames hashed - " \
+"Bugzilla 2014249/2015070"
+# ssh_hash_known_hosts = True
+assert check_hostname_hash("True") == 1, "Hostnames not hashed"
+# ssh_hash_known_hosts = False
+assert check_hostname_hash("False") == 0, "Hostnames hashed"
+finally:
+multihost.client[0].run_command(rm_known_hosts)
From da6a9271fadf7935cc428425f65fc8c2cc508056 Mon Sep 17 00:00:00 2001 From: Dhairya Parmar Date: Mon, 20 Dec 2021 15:04:33 +0530 Subject: [PATCH 2/2] backsssdconf fixture added --- src/tests/multihost/ipa/test_misc.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/tests/multihost/ipa/test_misc.py
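Review bot: The docstring and the inline comment disagree about the default: `:description:` says the default value of ssh_hash_known_hosts "is set to true", while the comment above the first assertion says `default value is False` and that assertion expects unhashed names. I would reword the description to state the behaviour under test, for example `:description: ssh_hash_known_hosts defaults to false, matching OpenSSH, which does not hash host names by default`. The helper's comment `# no hash_value or hash_value = True or hash_value = False` could likewise become a short docstring saying that `"default"` leaves the option unset and that the return value is 1 for hashed and 0 for unhashed.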
[SSSD] [sssd PR#5925][synchronized] TEST: Current value of ssh_hash_known_hosts causes error in the default configuration in FIPS mode
URL: https://github.com/SSSD/sssd/pull/5925 Author: dparmar18 Title: #5925: TEST: Current value of ssh_hash_known_hosts causes error in the default configuration in FIPS mode Action: synchronized To pull the PR as Git branch: git remote add ghsssd https://github.com/SSSD/sssd git fetch ghsssd pull/5925/head:pr5925 git checkout pr5925 From 117129cc51717ebe80fdc4335b40f5edd2051e04 Mon Sep 17 00:00:00 2001 From: Dhairya Parmar Date: Thu, 16 Dec 2021 20:42:47 +0530 Subject: [PATCH] TEST: Current value of ssh_hash_known_hosts causes error in the default configuration in FIPS mode. Explanation - In SSSD the default value for ssh_hash_known_hosts is set to true, It should be changed to false for consistency with the OpenSSH setting that does not hashes host names by default Verifies Issue: https://github.com/SSSD/sssd/issues/5848 Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=2014249 --- src/tests/multihost/ipa/test_misc.py | 65 1 file changed, 65 insertions(+) diff --git a/src/tests/multihost/ipa/test_misc.py b/src/tests/multihost/ipa/test_misc.py index 2c25cd0b1e..800bd16878 100644 --- a/src/tests/multihost/ipa/test_misc.py +++ b/src/tests/multihost/ipa/test_misc.py 
@@ -303,3 +303,68 @@ def test_authentication_indicators(self, multihost): ' |tail -10') ssh.close() assert 'indicators: 2' in search.stdout_text + +def test_ssh_hash_knownhosts(self, multihost, reset_password, + setup_ipa_client): +""" +:title: Current value of ssh_hash_known_hosts causes error in + the default configuration in FIPS mode. +:description: In SSSD the default value for ssh_hash_known_hosts + is set to true, It should be changed to false for consistency with + the OpenSSH setting that does not hashes host names by default +:bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=2014249 +:id: 1cee74c8-a0ad-44d4-8287-a32e3266de22 +:customerscenario: false +:steps: +1. Stop SSSD +2. Configure SSSD with ssh having default value of + ssh_hash_known_hosts / ssh_hash_known_hosts = True / + ssh_hash_known_hosts = False +3. Remove /var/lib/sss/pubconf/known_hosts file +4. Start SSSD +5. Perform SSH using IPA user +6. Check if hostnames are hashed/unhashed in + /var/lib/sss/pubconf/known_hosts +:expectedresults: +1. Should succeed +2. Should succeed +3. Should succeed +4. Should succeed +5. Should succeed +6. 
Hostnames should be hashed/unhashed as per the value of
+ ssh_hash_known_hosts
+"""
+tools = sssdTools(multihost.client[0])
+server_host = multihost.master[0].sys_hostname
+rm_known_hosts = "rm -rf /var/lib/sss/pubconf/known_hosts"
+view_known_hosts = "cat /var/lib/sss/pubconf/known_hosts"
+
+def check_hostname_hash(hash_value: str):
+# no hash_value or hash_value = True or hash_value = False
+multihost.client[0].service_sssd("stop")
+if hash_value != "default":
+ssh_section = "ssh"
+ssh_param = {"ssh_hash_known_hosts": hash_value}
+tools.sssd_conf(ssh_section, ssh_param, action="update")
+multihost.client[0].run_command(rm_known_hosts)
+multihost.client[0].service_sssd("start")
+cmd = "ssh -l -q foobar0@%s" % server_host
+multihost.client[0].run_command(cmd, stdin_text="Secret123",
+raiseonerr=False)
+known_hosts = multihost.client[0].run_command(view_known_hosts)
+if server_host in known_hosts.stdout_text:
+flag = 0 # hostname not hashed
+else:
+flag = 1 # hostname hashed
+return flag
+
+try:
+# ssh_hash_known_hosts is not used, default value is False
+assert check_hostname_hash("default") == 0, "Hostnames hashed - " \
+"Bugzilla 2014249/2015070"
+# ssh_hash_known_hosts = True
+assert check_hostname_hash("True") == 1, "Hostnames not hashed"
+# ssh_hash_known_hosts = False
+assert check_hostname_hash("False") == 0, "Hostnames hashed"
+finally:
+multihost.client[0].run_command(rm_known_hosts)
___ sssd-devel mailing list -- sssd-devel@lists.fedorahosted.org To unsubscribe send an email to sssd-devel-le...@lists.fedorahosted.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives:
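Review bot: This revision of `test_ssh_hash_knownhosts` rewrites the `ssh` section through `tools.sssd_conf(ssh_section, ssh_param, action="update")`, but its `finally` block only removes the known_hosts file, so sssd.conf is left with `ssh_hash_known_hosts` set to `False` for whatever test runs next. Unless `reset_password` or `setup_ipa_client` restores the configuration (not visible here), the signature should request the `backupsssdconf` fixture that other revisions on this page use. Alternatively the `finally` block could remove the option and restart SSSD.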