Public bug reported: [impact]
when in FIPS mode, MD5 is not allowed; however in pamsshagentauth_check_authkeys_file(), if a key match is found for a key is found, its MD5 fingerprint is generated in order to log the fingerprint. Unfortunately that calls into pamsshagentauth_key_fingerprint_raw() which uses openssl EVP_* functions for the fingerprint creation, but without any kind of error checking. The call to EVP_DigestInit() fails because openssl is in FIPS mode and disallows MD5, but the result isn't checked, and the following call to EVP_DigestUpdate() results in openssl attempting to call ctx->update(), although ctx->update is null. [test case] set up a system in FIPS mode with FIPS openssl, install pam-ssh-agent-auth and configure per: https://blog.heinzl.dev/use-public-key-to-prevent-sudo-passwor Then ssh to the system, making sure to use -A to pass the local ssh- agent along, and also ssh to an account that does not have NOPASSWD sudo enabled. Then run 'sudo -i', which will segfault. [regression potential] TBD [scope] the use of MD5 fingerprint is still in upstream code, so this may need to be fixed there and in all releases. alternately, a FIPS-compliant package could be created. [other info] the openssl FIPS addition that causes this is: #ifdef OPENSSL_FIPS if (FIPS_mode()) { if (!(type->flags & EVP_MD_FLAG_FIPS) && !(ctx->flags & EVP_MD_CTX_FLAG_NON_FIPS_ALLOW)) { EVPerr(EVP_F_EVP_DIGESTINIT_EX, EVP_R_DISABLED_FOR_FIPS); return 0; } } #endif so pam-ssh-agent-auth could set either flag to force openssl to allow this use of MD5; however the pam-ssh-agent-auth code that calls into openssl doesn't know what the md5 is going to be used for, so it may be more complex, and probably is much simpler just to stop using MD5 for the logged fingerprint. ** Affects: pam-ssh-agent-auth (Ubuntu) Importance: Undecided Status: New ** Affects: pam-ssh-agent-auth (Ubuntu Bionic) Importance: Undecided Status: New ** Affects: pam-ssh-agent-auth (Ubuntu Focal) Importance: Undecided Status: New ** Affects: pam-ssh-agent-auth (Ubuntu Impish) Importance: Undecided Status: New ** Affects: pam-ssh-agent-auth (Ubuntu Jammy) Importance: Undecided Status: New -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1964486 Title: crash when in FIPS mode To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/pam-ssh-agent-auth/+bug/1964486/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs