
yahoo-eng-team team mailing list archive

[Bug 2017761] [NEW] util.py[WARNING]: Failed generating key type ed25519 to file /etc/ssh/ssh_host_ed25519_key in FIPS enforcing mode


Public bug reported:

With FIPS enabled, cloud-init has a warning log about "Failed generating key type ed25519 to file /etc/ssh/ssh_host_ed25519_key".
According to the doc (https://access.redhat.com/solutions/3643252), the ed25519 key type is not supported under FIPS mode, so I am suggesting cloud-init not try to generate that key type under FIPS mode.

2023-04-17 03:46:38,665 - util.py[DEBUG]: Restoring selinux mode for /etc/ssh (recursive=True)
2023-04-17 03:46:38,672 - subp.py[DEBUG]: Running command ['ssh-keygen', '-t', 'ed25519', '-N', '', '-f', '/etc/ssh/ssh_host_ed25519_key'] with allowed return codes [0] (shell=False, capture=True)
2023-04-17 03:46:38,721 - util.py[WARNING]: Failed generating key type ed25519 to file /etc/ssh/ssh_host_ed25519_key
2023-04-17 03:46:38,722 - util.py[DEBUG]: Failed generating key type ed25519 to file /etc/ssh/ssh_host_ed25519_key
Traceback (most recent call last):
  File "/usr/lib/python3.9/site-packages/cloudinit/config/cc_ssh.py", line 256, in handle
    out, err = subp.subp(cmd, capture=True, env=lang_c)
  File "/usr/lib/python3.9/site-packages/cloudinit/subp.py", line 332, in subp
    raise ProcessExecutionError(
cloudinit.subp.ProcessExecutionError: Unexpected error while running command.
Command: ['ssh-keygen', '-t', 'ed25519', '-N', '', '-f', '/etc/ssh/ssh_host_ed25519_key']
Exit code: 255
Reason: -
Stdout:
Stderr: ED25519 keys are not allowed in FIPS mode
2023-04-17 03:46:38,723 - util.py[DEBUG]: Restoring selinux mode for /etc/ssh (recursive=True)
2023-04-17 03:46:38,727 - util.py[DEBUG]: Reading from /etc/ssh/ssh_host_rsa_key.pub (quiet=False)


This issue is seen on RHEL 9.1 but can be reproduced on other versions of RHEL. The warning is introduced in ssh-keygen with the following Fedora 26 patch: https://src.fedoraproject.org/rpms/openssh/blob/f26/f/openssh-7.2p1-fips.patch and the following commit:

commit 9dbec70c9c30350a9268be62be4df3c55a93f23e
Author: Jakub Jelen <jjelen@xxxxxxxxxx>
Date:   Fri Jun 30 12:18:02 2017 +0200

    Sync FIPS patch with RHEL

so it has been there for a while, but it's a valid warning.


Steps to Reproduce:
Manual:
1. Boot into a RHEL-9.1 system with FIPS enabled
2. Try to clean and init cloud-init again
$ sudo cloud-init clean
$ sudo cloud-init init

cloud-init needs to check fips mode and not generate those keys that are
not valid when fips is enabled.

** Affects: cloud-init
     Importance: Undecided
     Assignee: Anirban Sinha (anisinha)
         Status: New

** Changed in: cloud-init
     Assignee: (unassigned) => Anirban Sinha (anisinha)

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to cloud-init.
https://bugs.launchpad.net/bugs/2017761
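The check the reporter asks for, as an added example that is not cloud-init's own code: it reads the kernel's FIPS flag (assumed here to be /proc/sys/crypto/fips_enabled, the usual Linux interface) and drops ed25519 from the host key list before any ssh-keygen command is built, so the WARNING in the log above never fires. The key-type list, the flag path and the demo() helper are assumptions of this example.

```python
import os
import tempfile

# Kernel interface that reports FIPS enforcement on Linux; an assumption of
# this example, not the detection cloud-init itself may use.
FIPS_FLAG_PATH = "/proc/sys/crypto/fips_enabled"

# Key types ssh-keygen refuses under FIPS, per the stderr in the bug report
# ("ED25519 keys are not allowed in FIPS mode").
FIPS_DISALLOWED_KEY_TYPES = frozenset({"ed25519"})


def fips_enabled(flag_path=FIPS_FLAG_PATH):
    """Return True when the kernel flag file reads "1" (FIPS enforcing)."""
    try:
        with open(flag_path, encoding="ascii") as fh:
            return fh.read().strip() == "1"
    except OSError:
        # Missing flag (no FIPS support or non-Linux): treat as not enforcing.
        return False


def select_host_key_types(requested, fips):
    """Keep the requested order, dropping types ssh-keygen would reject."""
    if not fips:
        return list(requested)
    return [t for t in requested if t not in FIPS_DISALLOWED_KEY_TYPES]


def keygen_commands(requested, fips, key_dir="/etc/ssh"):
    """Build one ssh-keygen argv per allowed type, in the shape the log shows."""
    cmds = []
    for key_type in select_host_key_types(requested, fips):
        key_file = os.path.join(key_dir, f"ssh_host_{key_type}_key")
        cmds.append(["ssh-keygen", "-t", key_type, "-N", "", "-f", key_file])
    return cmds


def demo():
    """Exercise the check against a constructed flag file that reports FIPS on."""
    tmp_dir = tempfile.mkdtemp()
    flag = os.path.join(tmp_dir, "fips_enabled")
    with open(flag, "w", encoding="ascii") as fh:
        fh.write("1\n")  # constructed sample: kernel reports FIPS enforcing
    fips = fips_enabled(flag)
    return fips, keygen_commands(["rsa", "ecdsa", "ed25519"], fips, key_dir=tmp_dir)


if __name__ == "__main__":
    for cmd in demo()[1]:
        print(cmd)  # rsa and ecdsa only; no ed25519 command is emitted
```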

