Ticket was cloned from Red Hat Bugzilla (product Red Hat Enterprise Linux 8): Bug 1756432
Description of problem:

Apparently by default (ssh_trust_dns option true) we set the HostKeyAlgorithms options for ssh in clients to a very restrictive set "ssh-rsa,ssh-dss". This was done in 2012 to deal with an older version of ssh which did not properly support ecdsa keyex in the SSHFP checking case. However this option ends up disabling all modern key exchanges (SHA-2/EC) and re-enables a key exchange that is explicitly disabled in FIPS mode (DSA based).

The main issue though is that because of these options a RHEL-8 client (also RHEL-7) enrolled in IPA is unable to successfully SSH into a RHEL-8 server in FIPS mode, as there is no common set of algorithms left. This is a high profile issue for any customers that want to use IDm client in a FIPS environment.

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
1.
2.
3.

Actual results:

Expected results:

Additional info:
Metadata Update from @cheimes: - Custom field rhbz adjusted to https://bugzilla.redhat.com/show_bug.cgi?id=1756432
sed -i 's/^\(HostKeyAlgorithms ssh-rsa,ssh-dss\)$/# disabled by ipa-client update\n# \1/' /etc/ssh/ssh_config
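The sed one-liner above comments the directive out but does not show why the connection fails in the first place. The Python script below is an added illustration, not part of FreeIPA or of this ticket: it reads a client ssh_config, extracts the effective HostKeyAlgorithms list (first obtained value wins, as ssh_config specifies), intersects it with a constructed list of host-key algorithms a server that refuses SHA-1 RSA and DSA signatures would offer (an assumption for the demonstration, not a dump of the RHEL 8 FIPS policy), and applies the same comment-out fix idempotently so it can be re-run safely. The sample config text is constructed as well.

```python
import re
import sys
from typing import List, Optional, Tuple

# Constructed sample ssh_config carrying the directive the ticket describes
# (surrounding lines are assumed, not copied from a real host).
SAMPLE_SSH_CONFIG = """\
# Written by ipa-client-install
VerifyHostKeyDNS yes
HostKeyAlgorithms ssh-rsa,ssh-dss
Host *
    GSSAPIAuthentication yes
"""

# Constructed stand-in for what a server that rejects SHA-1 RSA and DSA
# host-key signatures offers. This is an assumption for the demonstration,
# not the actual RHEL 8 FIPS crypto-policy.
FIPS_SERVER_HOSTKEY_ALGS = [
    "rsa-sha2-512", "rsa-sha2-256",
    "ecdsa-sha2-nistp256", "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521",
]

DIRECTIVE = re.compile(r"^\s*HostKeyAlgorithms\s+(\S+)\s*$", re.IGNORECASE)
# The literal line the ipa-client setup wrote, as matched by the sed fix above.
RESTRICTIVE = re.compile(r"^(HostKeyAlgorithms ssh-rsa,ssh-dss)$", re.MULTILINE)
MARKER = "# disabled by ipa-client update"


def client_hostkey_algorithms(config_text: str) -> Optional[List[str]]:
    """Return the explicit algorithm list this config pins, or None when the
    config leaves ssh's built-in default in force.

    ssh_config semantics: the first obtained value for a keyword wins, so the
    first directive is taken. Values prefixed with +, - or ^ modify the default
    list instead of replacing it; those are reported as None because the
    effective list then depends on the ssh build's defaults, not on the file.
    """
    for line in config_text.splitlines():
        m = DIRECTIVE.match(line)
        if not m:
            continue
        value = m.group(1)
        if value[0] in "+-^":
            return None
        return value.split(",")
    return None


def negotiable(client: Optional[List[str]], server: List[str]) -> List[str]:
    """Host-key algorithms both sides accept, in the client's preference order.
    An empty result means the handshake fails before authentication starts.
    A client with no explicit list is approximated by the server's list."""
    if client is None:
        return list(server)
    return [alg for alg in client if alg in server]


def disable_restrictive_directive(config_text: str) -> Tuple[str, bool]:
    """Comment out the literal 'HostKeyAlgorithms ssh-rsa,ssh-dss' line exactly
    as the sed one-liner does, and report whether anything changed so the
    operation is safe to repeat."""
    new_text, count = RESTRICTIVE.subn(MARKER + "\n# \\1", config_text)
    return new_text, count > 0


if __name__ == "__main__":
    # Usage: python check_hostkeyalgs.py [/path/to/ssh_config]
    # Without an argument the constructed sample is analysed.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_SSH_CONFIG
    pinned = client_hostkey_algorithms(text)
    print("client pins:", pinned)
    print("negotiable with FIPS-style server:",
          negotiable(pinned, FIPS_SERVER_HOSTKEY_ALGS) or "NONE (connection fails)")
    fixed, changed = disable_restrictive_directive(text)
    print("fix needed:", changed)
```

Run against a real client, the script is read-only: it prints the pinned list and whether anything is negotiable, and only returns the patched text rather than writing it, so the decision to edit /etc/ssh/ssh_config stays with the operator.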
Metadata Update from @cheimes: - Issue assigned to cheimes
Metadata Update from @cheimes: - Custom field on_review adjusted to https://github.com/freeipa/freeipa/pull/3887
master:
ipa-4-8:
ipa-4-6:
ipa-4-7:
Metadata Update from @cheimes: - Issue close_status updated to: fixed - Issue status updated to: Closed (was: Open)
Metadata Update from @fcami: - Custom field affects_doc adjusted to on - Custom field knownissue adjusted to on - Issue set to the milestone: None (was: FreeIPA 4.6.7) - Issue status updated to: Open (was: Closed)
Reopening as CI templates were not edited.