Public bug reported:
On a FIPS Enabled Ubuntu 22.04 kernel, we are seeing an issue with self-ssh.
We created a key with the following steps:
touch /home/core/.ssh/known_hosts
ssh-keygen -q -t rsa -f /home/core/.ssh/id_rsa -N '' > /dev/null
cp /home/core/.ssh/id_rsa.pub /home/core/.ssh/authorized_keys
chmod 0600 /home/core/.ssh/id_rsa
chmod 0600 /home/core/.ssh/authorized_keys
When we try to do a self ssh with the key, the following happens:
ssh -i .ssh/id_rsa onprem_shell@10.14.169.25
Connection closed by 10.14.169.25 port 22
FIPS status:
cat /proc/sys/crypto/fips_enabled
1
PFB, the ssh dump:
ssh -v user@10.14.169.25
OpenSSH_8.9p1 Ubuntu-3ubuntu0.6+Fips1, OpenSSL 3.0.2 15 Mar 2022
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 19: include /etc/ssh/ssh_config.d/*.conf
matched no files
debug1: /etc/ssh/ssh_config line 21: Applying options for *
debug1: FIPS mode initialized
debug1: Connecting to 10.14.169.25 [10.14.169.25] port 22.
debug1: Connection established.
debug1: identity file /root/.ssh/id_rsa type -1
debug1: identity file /root/.ssh/id_rsa-cert type -1
debug1: identity file /root/.ssh/id_ecdsa type -1
debug1: identity file /root/.ssh/id_ecdsa-cert type -1
debug1: identity file /root/.ssh/id_ecdsa_sk type -1
debug1: identity file /root/.ssh/id_ecdsa_sk-cert type -1
debug1: identity file /root/.ssh/id_ed25519 type -1
debug1: identity file /root/.ssh/id_ed25519-cert type -1
debug1: identity file /root/.ssh/id_ed25519_sk type -1
debug1: identity file /root/.ssh/id_ed25519_sk-cert type -1
debug1: identity file /root/.ssh/id_xmss type -1
debug1: identity file /root/.ssh/id_xmss-cert type -1
debug1: identity file /root/.ssh/id_dsa type -1
debug1: identity file /root/.ssh/id_dsa-cert type -1
debug1: Local version string SSH-2.0-OpenSSH_8.9p1 Ubuntu-3ubuntu0.6+Fips1
debug1: Remote protocol version 2.0, remote software version OpenSSH_8.9p1
Ubuntu-3ubuntu0.6+Fips1
debug1: compat_banner: match: OpenSSH_8.9p1 Ubuntu-3ubuntu0.6+Fips1 pat
OpenSSH* compat 0x04000000
debug1: Authenticating to 10.14.169.25:22 as 'user'
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: algorithm: ecdh-sha2-nistp256
debug1: kex: host key algorithm: ssh-rsa
debug1: kex: server->client cipher: aes128-cbc MAC: hmac-sha1 compression: none
debug1: kex: client->server cipher: aes128-cbc MAC: hmac-sha1 compression: none
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
Connection closed by 10.14.169.25 port 22
hostname -i
10.14.169.25
Please note that SSH onto other hosts (both FIPS and non-FIPS) works.
The only workaround that we have found has been removing the ssh-rsa
entry from “HostKeyAlgorithms” in “etc/ssh/sshd_config” and restarting
the SSH service. This issue has neither been encountered in the Ubuntu
18.04 FIPS nor Ubuntu 20.04 FIPS.
** Affects: openssh (Ubuntu)
Importance: Undecided
Status: New
** Description changed:
On a FIPS Enabled Ubuntu 22.04 kernel, we are seeing an issue with self-ssh.
We created a key with the following steps:
touch /home/core/.ssh/known_hosts
- ssh-keygen -q -t rsa -f /home/core/.ssh/id_rsa -N '' > /dev/null
- cp /home/core/.ssh/id_rsa.pub /home/core/.ssh/authorized_keys
- chmod 0600 /home/core/.ssh/id_rsa
- chmod 0600 /home/core/.ssh/authorized_keys
-
+ ssh-keygen -q -t rsa -f /home/core/.ssh/id_rsa -N '' > /dev/null
+ cp /home/core/.ssh/id_rsa.pub /home/core/.ssh/authorized_keys
+ chmod 0600 /home/core/.ssh/id_rsa
+ chmod 0600 /home/core/.ssh/authorized_keys
+
When we try to do a self ssh with the key, the following happens:
ssh -i .ssh/id_rsa onprem_shell@10.14.169.25
Connection closed by 10.14.169.25 port 22
-
+
FIPS status:
cat /proc/sys/crypto/fips_enabled
1
-
+
PFB, the ssh dump:
-
+
ssh -v user@10.14.169.25
OpenSSH_8.9p1 Ubuntu-3ubuntu0.6+Fips1, OpenSSL 3.0.2 15 Mar 2022
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 19: include /etc/ssh/ssh_config.d/*.conf
matched no files
debug1: /etc/ssh/ssh_config line 21: Applying options for *
debug1: FIPS mode initialized
debug1: Connecting to 10.14.169.25 [10.14.169.25] port 22.
debug1: Connection established.
debug1: identity file /root/.ssh/id_rsa type -1
debug1: identity file /root/.ssh/id_rsa-cert type -1
debug1: identity file /root/.ssh/id_ecdsa type -1
debug1: identity file /root/.ssh/id_ecdsa-cert type -1
debug1: identity file /root/.ssh/id_ecdsa_sk type -1
debug1: identity file /root/.ssh/id_ecdsa_sk-cert type -1
debug1: identity file /root/.ssh/id_ed25519 type -1
debug1: identity file /root/.ssh/id_ed25519-cert type -1
debug1: identity file /root/.ssh/id_ed25519_sk type -1
debug1: identity file /root/.ssh/id_ed25519_sk-cert type -1
debug1: identity file /root/.ssh/id_xmss type -1
debug1: identity file /root/.ssh/id_xmss-cert type -1
debug1: identity file /root/.ssh/id_dsa type -1
debug1: identity file /root/.ssh/id_dsa-cert type -1
debug1: Local version string SSH-2.0-OpenSSH_8.9p1 Ubuntu-3ubuntu0.6+Fips1
debug1: Remote protocol version 2.0, remote software version OpenSSH_8.9p1
Ubuntu-3ubuntu0.6+Fips1
debug1: compat_banner: match: OpenSSH_8.9p1 Ubuntu-3ubuntu0.6+Fips1 pat
OpenSSH* compat 0x04000000
- debug1: Authenticating to 10.14.169.25:22 as 'onprem_shell'
+ debug1: Authenticating to 10.14.169.25:22 as 'user'
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: algorithm: ecdh-sha2-nistp256
debug1: kex: host key algorithm: ssh-rsa
debug1: kex: server->client cipher: aes128-cbc MAC: hmac-sha1 compression:
none
debug1: kex: client->server cipher: aes128-cbc MAC: hmac-sha1 compression:
none
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
Connection closed by 10.14.169.25 port 22
-
+
hostname -i
10.14.169.25
-
- Please note that SSH onto other hosts (both FIPS and non-FIPS) works. The
only workaround that we have found has been removing the ssh-rsa entry from
“HostKeyAlgorithms” in “etc/ssh/sshd_config” and restarting the SSH service.
This issue has neither been encountered in the Ubuntu 18.04 FIPS nor Ubuntu
20.04 FIPS.
+
+ Please note that SSH onto other hosts (both FIPS and non-FIPS) works.
+ The only workaround that we have found has been removing the ssh-rsa
+ entry from “HostKeyAlgorithms” in “etc/ssh/sshd_config” and restarting
+ the SSH service. This issue has neither been encountered in the Ubuntu
+ 18.04 FIPS nor Ubuntu 20.04 FIPS.
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/2059367
Title:
SSH-RSA not supported for Self-SSH in Ubuntu 22.04 FIPS
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/openssh/+bug/2059367/+subscriptions
--
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
