Message #91781
[Bug 2017761] [NEW] util.py[WARNING]: Failed generating key type ed25519 to file /etc/ssh/ssh_host_ed25519_key in FIPS enforcing mode
Public bug reported:
With FIPS enabled, cloud-init logs a warning about "Failed generating key type ed25519 to file /etc/ssh/ssh_host_ed25519_key".
According to the doc (https://access.redhat.com/solutions/3643252), the ed25519 key type is not supported under FIPS mode, so I am suggesting cloud-init not try to generate that key type under FIPS mode.
2023-04-17 03:46:38,665 - util.py[DEBUG]: Restoring selinux mode for /etc/ssh (recursive=True)
2023-04-17 03:46:38,672 - subp.py[DEBUG]: Running command ['ssh-keygen', '-t', 'ed25519', '-N', '', '-f', '/etc/ssh/ssh_host_ed25519_key'] with allowed return codes [0] (shell=False, capture=True)
2023-04-17 03:46:38,721 - util.py[WARNING]: Failed generating key type ed25519 to file /etc/ssh/ssh_host_ed25519_key
2023-04-17 03:46:38,722 - util.py[DEBUG]: Failed generating key type ed25519 to file /etc/ssh/ssh_host_ed25519_key
Traceback (most recent call last):
File "/usr/lib/python3.9/site-packages/cloudinit/config/cc_ssh.py", line 256, in handle
out, err = subp.subp(cmd, capture=True, env=lang_c)
File "/usr/lib/python3.9/site-packages/cloudinit/subp.py", line 332, in subp
raise ProcessExecutionError(
cloudinit.subp.ProcessExecutionError: Unexpected error while running command.
Command: ['ssh-keygen', '-t', 'ed25519', '-N', '', '-f', '/etc/ssh/ssh_host_ed25519_key']
Exit code: 255
Reason: -
Stdout:
Stderr: ED25519 keys are not allowed in FIPS mode
2023-04-17 03:46:38,723 - util.py[DEBUG]: Restoring selinux mode for /etc/ssh (recursive=True)
2023-04-17 03:46:38,727 - util.py[DEBUG]: Reading from /etc/ssh/ssh_host_rsa_key.pub (quiet=False)
This issue is seen on RHEL 9.1 but can be reproduced on other versions of RHEL. The warning was introduced in ssh-keygen with the following Fedora 26 patch: https://src.fedoraproject.org/rpms/openssh/blob/f26/f/openssh-7.2p1-fips.patch and the following commit:
commit 9dbec70c9c30350a9268be62be4df3c55a93f23e
Author: Jakub Jelen <jjelen@xxxxxxxxxx>
Date: Fri Jun 30 12:18:02 2017 +0200
Sync FIPS patch with RHEL
so it has been there for a while, but it's a valid warning.
Steps to Reproduce:
Manual:
1. Boot into an RHEL-9.1 system with fips enabled
2. Try to clean and init cloud-init again
$ sudo cloud-init clean
$ sudo cloud-init init
cloud-init needs to check FIPS mode and not generate those keys that are not valid when FIPS is enabled.
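As an added example (not cloud-init's own code), a helper that applies the suggested check: read the kernel FIPS flag and drop ed25519 from the host key types before building the ssh-keygen invocations seen in the log. The flag path, the ecdsa default and the function names are assumptions; only ed25519 is taken from the report as a type ssh-keygen rejects.

```python
"""Added example, not cloud-init's own code: skip the host key types
that a FIPS-patched ssh-keygen rejects instead of logging a warning."""
from pathlib import Path
from typing import Iterable, List, Tuple

# Kernel flag exposed when FIPS mode is enforced (assumed path).
FIPS_FLAG = "/proc/sys/crypto/fips_enabled"
# ed25519 is the type the report shows ssh-keygen refusing in FIPS mode.
FIPS_REJECTED_TYPES = frozenset({"ed25519"})
# Assumed default set; the report shows rsa and ed25519 being handled.
DEFAULT_KEY_TYPES = ("rsa", "ecdsa", "ed25519")


def parse_fips_flag(contents: str) -> bool:
    """The flag file holds a single '1' when FIPS enforcing mode is active."""
    return contents.strip() == "1"


def fips_enabled(flag_path=FIPS_FLAG) -> bool:
    """Read the kernel flag; a missing or unreadable file means not enforced."""
    try:
        return parse_fips_flag(Path(flag_path).read_text())
    except OSError:
        return False


def select_key_types(requested: Iterable[str], fips: bool) -> Tuple[List[str], List[str]]:
    """Split requested types into (generate, skipped); skipped is empty outside FIPS mode."""
    generate, skipped = [], []
    for key_type in requested:
        (skipped if fips and key_type in FIPS_REJECTED_TYPES else generate).append(key_type)
    return generate, skipped


def keygen_command(key_type: str, ssh_dir: str = "/etc/ssh") -> List[str]:
    """Same argv shape as the command in the report's debug log."""
    return ["ssh-keygen", "-t", key_type, "-N", "", "-f", f"{ssh_dir}/ssh_host_{key_type}_key"]


def plan_host_keys(requested=DEFAULT_KEY_TYPES, fips=None) -> List[List[str]]:
    """Return only the ssh-keygen invocations that can succeed on this host."""
    fips = fips_enabled() if fips is None else fips
    generate, skipped = select_key_types(requested, fips)
    for key_type in skipped:
        print(f"skipping {key_type}: not allowed in FIPS mode")
    return [keygen_command(key_type) for key_type in generate]


if __name__ == "__main__":
    for cmd in plan_host_keys():
        print(cmd)
```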
** Affects: cloud-init
Importance: Undecided
Assignee: Anirban Sinha (anisinha)
Status: New
** Changed in: cloud-init
Assignee: (unassigned) => Anirban Sinha (anisinha)
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to cloud-init.
https://bugs.launchpad.net/bugs/2017761