Public bug reported:
With FIPS enabled, cloud-init logs a warning about "Failed generating key
type ed25519 to file /etc/ssh/ssh_host_ed25519_key".
According to the doc (https://access.redhat.com/solutions/3643252), the ed25519 key
type is not supported under FIPS mode, so I am suggesting that cloud-init not try to
generate such a key type under FIPS mode.
2023-04-17 03:46:38,665 - util.py[DEBUG]: Restoring selinux mode for /etc/ssh (recursive=True)
2023-04-17 03:46:38,672 - subp.py[DEBUG]: Running command ['ssh-keygen', '-t', 'ed25519', '-N', '', '-f', '/etc/ssh/ssh_host_ed25519_key'] with allowed return codes [0] (shell=False, capture=True)
2023-04-17 03:46:38,721 - util.py[WARNING]: Failed generating key type ed25519 to file /etc/ssh/ssh_host_ed25519_key
2023-04-17 03:46:38,722 - util.py[DEBUG]: Failed generating key type ed25519 to file /etc/ssh/ssh_host_ed25519_key
Traceback (most recent call last):
  File "/usr/lib/python3.9/site-packages/cloudinit/config/cc_ssh.py", line 256, in handle
    out, err = subp.subp(cmd, capture=True, env=lang_c)
  File "/usr/lib/python3.9/site-packages/cloudinit/subp.py", line 332, in subp
    raise ProcessExecutionError(
cloudinit.subp.ProcessExecutionError: Unexpected error while running command.
Command: ['ssh-keygen', '-t', 'ed25519', '-N', '', '-f', '/etc/ssh/ssh_host_ed25519_key']
Exit code: 255
Reason: -
Stdout:
Stderr: ED25519 keys are not allowed in FIPS mode
2023-04-17 03:46:38,723 - util.py[DEBUG]: Restoring selinux mode for /etc/ssh (recursive=True)
2023-04-17 03:46:38,727 - util.py[DEBUG]: Reading from /etc/ssh/ssh_host_rsa_key.pub (quiet=False)
This issue is seen on RHEL 9.1 but can be reproduced on other versions of RHEL.
The warning was introduced in ssh-keygen by the following Fedora 26 patch:
https://src.fedoraproject.org/rpms/openssh/blob/f26/f/openssh-7.2p1-fips.patch
and the following commit:
commit 9dbec70c9c30350a9268be62be4df3c55a93f23e
Author: Jakub Jelen <[email protected]>
Date: Fri Jun 30 12:18:02 2017 +0200
Sync FIPS patch with RHEL
so it has been there for a while, but it is a valid warning.
Steps to Reproduce:
Manual:
1. Boot into an RHEL-9.1 system with FIPS enabled
2. Try to clean and init cloud-init again
$ sudo cloud-init clean
$ sudo cloud-init init
cloud-init needs to check FIPS mode and not generate those key types that are
not valid when FIPS is enabled.
** Affects: cloud-init
Importance: Undecided
Assignee: Anirban Sinha (anisinha)
Status: New
** Changed in: cloud-init
Assignee: (unassigned) => Anirban Sinha (anisinha)
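One way to implement the check the reporter asks for, as an added example that is not cloud-init's own code: read the kernel's FIPS flag, drop the key types that the FIPS-patched ssh-keygen refuses (only ed25519 is named in this report), and only then invoke ssh-keygen. The `run` parameter and the `/tmp`-style key directory are assumptions for testability.

```python
"""Skip SSH host-key types that FIPS mode forbids (hypothetical helper)."""
import logging
import os
import subprocess
from typing import Callable, Iterable, List

LOG = logging.getLogger(__name__)

# Kernel flag; reads "1" when the system is booted in FIPS enforcing mode.
FIPS_SYSCTL = "/proc/sys/crypto/fips_enabled"

# Assumption from the report: RHEL's FIPS-patched ssh-keygen refuses ed25519
# with "ED25519 keys are not allowed in FIPS mode" (exit code 255).
FIPS_DISALLOWED_KEY_TYPES = frozenset({"ed25519"})


def fips_enabled(path: str = FIPS_SYSCTL) -> bool:
    """Return True when the kernel reports FIPS mode; a missing flag means not FIPS."""
    try:
        with open(path, encoding="ascii") as flag:
            return flag.read().strip() == "1"
    except OSError:
        return False


def fips_allowed_key_types(key_types: Iterable[str], fips: bool) -> List[str]:
    """Drop key types ssh-keygen would refuse under FIPS, preserving order."""
    kept: List[str] = []
    for ktype in key_types:
        if fips and ktype in FIPS_DISALLOWED_KEY_TYPES:
            LOG.debug("Skipping host key type %s: not allowed in FIPS mode", ktype)
            continue
        kept.append(ktype)
    return kept


def generate_host_keys(
    key_types: Iterable[str],
    fips: bool,
    keydir: str = "/etc/ssh",
    run: Callable[..., object] = subprocess.run,
) -> List[List[str]]:
    """Run ssh-keygen once per permitted type; return the commands attempted."""
    cmds: List[List[str]] = []
    for ktype in fips_allowed_key_types(key_types, fips):
        keyfile = os.path.join(keydir, f"ssh_host_{ktype}_key")
        cmd = ["ssh-keygen", "-t", ktype, "-N", "", "-f", keyfile]
        cmds.append(cmd)
        run(cmd, check=True, capture_output=True)
    return cmds
```

Calling `generate_host_keys(["rsa", "ecdsa", "ed25519"], fips_enabled())` on a FIPS host generates only the rsa and ecdsa keys, so the WARNING in the report never fires.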
--
https://bugs.launchpad.net/bugs/2017761
Title: util.py[WARNING]: Failed generating key type ed25519 to file /etc/ssh/ssh_host_ed25519_key in FIPS enforcing mode
Status in cloud-init:
New