We had a fully patched RHEL 7.4 server, and ran the following commands on it 
(based on the article found here, which requires a Red Hat account to look at: 
https://access.redhat.com/solutions/137833 ):

yum install dracut-fips
grep -qw aes /proc/cpuinfo && echo YES || echo no
# If the above grep returns YES: yum install dracut-fips-aesni
rpm -q prelink
mv -v /boot/initramfs-$(uname -r).img{,.bak}
dracut
grubby --update-kernel=$(grubby --default-kernel) --args=fips=1
uuid=$(findmnt -no uuid /boot)
echo $uuid
[[ -n $uuid ]] && grubby --update-kernel=$(grubby --default-kernel) --args=boot=UUID=${uuid}
reboot
sysctl crypto.fips_enabled
sed -i '/^GRUB_CMDLINE_LINUX=/s/"$/ fips=1"/' /etc/default/grub
uuid=$(findmnt -no uuid /boot)
echo $uuid
[[ -n $uuid ]] && sed -i "/^GRUB_CMDLINE_LINUX=/s/\"$/ boot=UUID=${uuid}\"/" /etc/default/grub
reboot

Thanks,
Harry

From: Nick Couchman [mailto:vn...@apache.org]
Sent: Wednesday, January 24, 2018 11:54 AM
To: user@guacamole.apache.org
Subject: Re: Connection failures

On Wed, Jan 24, 2018 at 10:55 AM, <harry.dev...@faa.gov> wrote:
As a test, I made a new Guacamole connection to a server that we did NOT make 
FIPS 140-2 compliant yet, and was able to get right in.  So the FIPS 140-2 is 
definitely the issue.  So I need to know if there’s something in guacamole 
0.9.13 that I need to tweak, or libssh2.  I’m not sure if I can update libssh2 
to a newer version, as 1.4.3 is the latest available in the RHEL 7.4 patch 
trail.

Can you remind/post the changes made to make the SSH server FIPS 140-2 
compliant?  You may have already posted it, so apologies if that's a repeat, 
but I can try to reproduce and see what happens.

I do not believe there is anything in Guacamole specifically that deals with 
this, it should all be in libssh2, but we can take a look.

-Nick
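
A check for the state the FIPS commands at the top of this message are meant to leave behind, as an added example that is not part of the thread or of the Red Hat article. The function names and the sample UUID are constructed for illustration; it assumes /proc/sys/crypto/fips_enabled is the file behind sysctl crypto.fips_enabled.

```shell
#!/bin/sh
# Added example, not from the thread: verify what the FIPS steps should leave behind.

# has_arg "CMDLINE" "TOKEN": succeed if TOKEN is one whole word of CMDLINE.
has_arg() {
    case " $1 " in
        *" $2 "*) return 0 ;;
        *) return 1 ;;
    esac
}

# grub_cmdline FILE: print the value of the last GRUB_CMDLINE_LINUX="..." line.
grub_cmdline() {
    sed -n 's/^GRUB_CMDLINE_LINUX="\(.*\)"[[:space:]]*$/\1/p' "$1" | tail -n 1
}

# check_fips FLAG RUNNING_CMDLINE GRUB_FILE BOOT_UUID
# Prints one line per problem and returns 0 only when there are none.
# An empty BOOT_UUID means /boot is not its own filesystem, so boot= is not expected.
check_fips() {
    rc=0
    saved=$(grub_cmdline "$3")
    [ "$1" = "1" ] || { echo "crypto.fips_enabled is '$1', expected 1"; rc=1; }
    has_arg "$2" "fips=1" || { echo "running kernel lacks fips=1"; rc=1; }
    has_arg "$saved" "fips=1" || { echo "$3 lacks fips=1"; rc=1; }
    if [ -n "$4" ]; then
        has_arg "$2" "boot=UUID=$4" || { echo "running kernel lacks boot=UUID=$4"; rc=1; }
        has_arg "$saved" "boot=UUID=$4" || { echo "$3 lacks boot=UUID=$4"; rc=1; }
    fi
    return $rc
}

# check_live: collect the same four inputs from the running system.
check_live() {
    check_fips "$(cat /proc/sys/crypto/fips_enabled 2>/dev/null)" "$(cat /proc/cmdline)" \
        /etc/default/grub "$(findmnt -no uuid /boot 2>/dev/null)"
}

# demo: constructed sample where grubby was run but /etc/default/grub was never edited.
demo() {
    f=$(mktemp)
    echo 'GRUB_CMDLINE_LINUX="crashkernel=auto rhgb quiet"' > "$f"
    check_fips 1 "ro crashkernel=auto fips=1 boot=UUID=0000-CONSTRUCTED" "$f" "0000-CONSTRUCTED"
    status=$?
    rm -f "$f"
    return $status
}

if [ "${1:-}" = "--live" ]; then check_live; else demo || true; fi
```

Run with --live on the server after the final reboot; with no argument it only evaluates the constructed sample.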
