URL: https://github.com/SSSD/sssd/pull/5925
Author: dparmar18
 Title: #5925: TEST: Current value of ssh_hash_known_hosts causes error in the 
default configuration in FIPS mode
Action: synchronized

From 38da67e96d5805e1d33f68413a72881fd85c8d4d Mon Sep 17 00:00:00 2001
From: Dhairya Parmar <dpar...@dparmar.pnq.csb>
Date: Thu, 16 Dec 2021 20:42:47 +0530
Subject: [PATCH 1/2] TEST: Current value of ssh_hash_known_hosts causes error
 in the default configuration in FIPS mode.

Explanation
- In SSSD the default value for ssh_hash_known_hosts is set to true.
  It should be changed to false for consistency with the OpenSSH
  setting, which does not hash host names by default.

Verifies
  Issue: https://github.com/SSSD/sssd/issues/5848
  Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=2014249
---
 src/tests/multihost/ipa/test_misc.py | 65 ++++++++++++++++++++++++++++
 1 file changed, 65 insertions(+)

diff --git a/src/tests/multihost/ipa/test_misc.py b/src/tests/multihost/ipa/test_misc.py
index 2c25cd0b1e..ce797d581e 100644
--- a/src/tests/multihost/ipa/test_misc.py
+++ b/src/tests/multihost/ipa/test_misc.py
@@ -303,3 +303,68 @@ def test_authentication_indicators(self, multihost):
                                                  ' |tail -10')
         ssh.close()
         assert 'indicators: 2' in search.stdout_text
+
+    def test_ssh_hash_knownhosts(self, multihost, reset_password,
+                                 setup_ipa_client, backupsssdconf):
+        """
+        :title: Current value of ssh_hash_known_hosts causes error in
+         the default configuration in FIPS mode.
+        :description: In SSSD the default value for ssh_hash_known_hosts
+         is set to true, It should be changed to false for consistency with
+         the OpenSSH setting that does not hashes host names by default
+        :bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=2014249
+        :id: 1cee74c8-a0ad-44d4-8287-a32e3266de22
+        :customerscenario: false
+        :steps:
+            1. Stop SSSD
+            2. Configure SSSD with ssh having default value of
+               ssh_hash_known_hosts / ssh_hash_known_hosts = True /
+               ssh_hash_known_hosts = False
+            3. Remove /var/lib/sss/pubconf/known_hosts file
+            4. Start SSSD
+            5. Perform SSH using IPA user
+            6. Check if hostnames are hashed/unhashed in
+               /var/lib/sss/pubconf/known_hosts
+        :expectedresults:
+            1. Should succeed
+            2. Should succeed
+            3. Should succeed
+            4. Should succeed
+            5. Should succeed
+            6. Hostnames should be hashed/unhashed as per the value of
+               ssh_hash_known_hosts
+        """
+        tools = sssdTools(multihost.client[0])
+        server_host = multihost.master[0].sys_hostname
+        rm_known_hosts = "rm -rf /var/lib/sss/pubconf/known_hosts"
+        view_known_hosts = "cat /var/lib/sss/pubconf/known_hosts"
+
+        def check_hostname_hash(hash_value: str):
+            #  no hash_value or hash_value = True or hash_value = False
+            multihost.client[0].service_sssd("stop")
+            if hash_value != "default":
+                ssh_section = "ssh"
+                ssh_param = {"ssh_hash_known_hosts": hash_value}
+                tools.sssd_conf(ssh_section, ssh_param, action="update")
+            multihost.client[0].run_command(rm_known_hosts)
+            multihost.client[0].service_sssd("start")
+            cmd = "ssh -l -q foobar0@%s echo 'login successful'" % server_host
+            multihost.client[0].run_command(cmd, stdin_text="Secret123",
+                                            raiseonerr=False)
+            known_hosts = multihost.client[0].run_command(view_known_hosts)
+            if server_host in known_hosts.stdout_text:
+                flag = 0  # hostname not hashed
+            else:
+                flag = 1  # hostname hashed
+            return flag
+
+        try:
+            # ssh_hash_known_hosts is not used, default value is False
+            assert check_hostname_hash("default") == 0, "Hostnames hashed - " \
+                                                    "Bugzilla 2014249/2015070"
+            # ssh_hash_known_hosts = True
+            assert check_hostname_hash("True") == 1, "Hostnames not hashed"
+            # ssh_hash_known_hosts = False
+            assert check_hostname_hash("False") == 0, "Hostnames hashed"
+        finally:
+            multihost.client[0].run_command(rm_known_hosts)
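Review bot: An empty `/var/lib/sss/pubconf/known_hosts` is classified as "hashed" by the check at the end of check_hostname_hash, because `server_host` is simply absent from empty output, so the `ssh_hash_known_hosts = True` assertion can pass even when SSSD never fetched a host key (for example when the ssh invocation fails, which `raiseonerr=False` hides). Require a key line to be present before classifying, e.g. `out = known_hosts.stdout_text`, `assert out.strip(), "known_hosts is empty, no host key was fetched"`, then `return 0 if server_host in out else 1`; checking for the `|1|` hashed-entry prefix in the True case would make that positive assertion explicit as well. Separately, `ssh -l -q foobar0@%s` passes `-q` as the argument of `-l` rather than enabling quiet mode, so `ssh -q foobar0@%s` is presumably what was intended. Using `rm -f` rather than `rm -rf` for a single file would also be the safer habit.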

From ce2e1b2f90e66c9977b4397c8121929efe506e9e Mon Sep 17 00:00:00 2001
From: Dhairya Parmar <dpar...@dparmar.pnq.csb>
Date: Fri, 7 Jan 2022 21:07:59 +0530
Subject: [PATCH 2/2] requested changes applied

---
 src/tests/multihost/ipa/test_misc.py | 24 +++++++++++++++++++++---
 1 file changed, 21 insertions(+), 3 deletions(-)

diff --git a/src/tests/multihost/ipa/test_misc.py b/src/tests/multihost/ipa/test_misc.py
index ce797d581e..d2561b845a 100644
--- a/src/tests/multihost/ipa/test_misc.py
+++ b/src/tests/multihost/ipa/test_misc.py
@@ -336,19 +336,35 @@ def test_ssh_hash_knownhosts(self, multihost, reset_password,
         """
         tools = sssdTools(multihost.client[0])
         server_host = multihost.master[0].sys_hostname
+        rm_host_keys = "rm -rf /tmp/ssh_host0003_rsa*"
         rm_known_hosts = "rm -rf /var/lib/sss/pubconf/known_hosts"
         view_known_hosts = "cat /var/lib/sss/pubconf/known_hosts"
+        # adding host to IPA server
+        multihost.master[0].run_command(r"ssh-keygen -q -t rsa -N '' -C '' -f /tmp/ssh_host0003_rsa")
+        multihost.master[0].run_command("ipa host-mod %s --sshpubkey="
+                                        "\"$(cat /tmp/ssh_host0003_rsa.pub)\" "
+                                        "--updatedns"
+                                        % multihost.client[0].sys_hostname)
 
-        def check_hostname_hash(hash_value: str):
+        def check_hostname_hash(hash_value=None):
             #  no hash_value or hash_value = True or hash_value = False
             multihost.client[0].service_sssd("stop")
-            if hash_value != "default":
+            if hash_value is None:
+                sssd_conf_cmd = multihost.client[0].\
+                    run_command("cat /etc/sssd/sssd.conf")
+                sssd_conf = str(sssd_conf_cmd.stdout_text).strip()
+                if "ssh_hash_known_hosts" in sssd_conf:
+                    ssh_section = "ssh"
+                    ssh_param = {"ssh_hash_known_hosts": ""}
+                    tools.sssd_conf(ssh_section, ssh_param, action="delete")
+            if hash_value is not None:
                 ssh_section = "ssh"
                 ssh_param = {"ssh_hash_known_hosts": hash_value}
                 tools.sssd_conf(ssh_section, ssh_param, action="update")
             multihost.client[0].run_command(rm_known_hosts)
             multihost.client[0].service_sssd("start")
             cmd = "ssh -l -q foobar0@%s echo 'login successful'" % server_host
+            # key added when performing SSH
             multihost.client[0].run_command(cmd, stdin_text="Secret123",
                                             raiseonerr=False)
             known_hosts = multihost.client[0].run_command(view_known_hosts)
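Review bot: The `ipa host-mod ... --sshpubkey=` call replaces whatever SSH public keys the IPA entry for `multihost.client[0].sys_hostname` already held (normally the keys registered at client enrolment) with a throwaway key generated on the master, and nothing in this hunk captures the previous value first. It is also worth confirming that this is the intended entry: the host whose key the known_hosts proxy will fetch during the later `ssh ... foobar0@%s` is `server_host` (the master), while the entry modified here is the client's. The private half of the generated key is written to the predictable path `/tmp/ssh_host0003_rsa` on the master and is never used; if a previous run left that file behind, `ssh-keygen -f` will presumably stop at its overwrite prompt, so consider recording the existing keys with `ipa host-show` before the modification and removing any stale file (or using a unique temporary name) before generating the key. The enclosing function test_ssh_hash_knownhosts starts before this hunk.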
@@ -360,7 +376,7 @@ def check_hostname_hash(hash_value: str):
 
         try:
             # ssh_hash_known_hosts is not used, default value is False
-            assert check_hostname_hash("default") == 0, "Hostnames hashed - " \
+            assert check_hostname_hash() == 0, "Hostnames hashed - " \
                                                     "Bugzilla 2014249/2015070"
             # ssh_hash_known_hosts = True
             assert check_hostname_hash("True") == 1, "Hostnames not hashed"
@@ -368,3 +384,5 @@ def check_hostname_hash(hash_value: str):
             assert check_hostname_hash("False") == 0, "Hostnames hashed"
         finally:
             multihost.client[0].run_command(rm_known_hosts)
+            multihost.master[0].run_command(rm_host_keys)
+
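Review bot: The `finally` block now removes the temporary key files from the master but leaves the client's IPA host entry carrying the throwaway public key set by `ipa host-mod --sshpubkey` earlier in this test, so later tests, or real logins to the client via sss_ssh_knownhostsproxy, will see a key that does not match the client's actual sshd host key. Restore the entry here as well, e.g. re-run `ipa host-mod %s --sshpubkey=...` with the value captured before the modification, or clear it with an empty `--sshpubkey=` if the original entry presumably had none. test_ssh_hash_knownhosts begins outside this hunk.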