Did some more debugging. When we try to connect to a server that is FIPS 140-2 compliant, here’s what the algorithms that are expected are:
When I try to connect via a Guacamole SSH session, here are the algorithms being sent: debug2: KEX algorithms: ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256,ext-info-c debug2: host key algorithms: ecdsa-sha2-nistp256-cert-...@openssh.com,ecdsa-sha2-nistp384-cert-...@openssh.com,ecdsa-sha2-nistp521-cert-...@openssh.com,ssh-ed25519-cert-...@openssh.com,ssh-rsa-cert-...@openssh.com,ssh-dss-cert-...@openssh.com,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-ed25519,rsa-sha2-512,rsa-sha2-256,ssh-rsa,ssh-dss debug2: ciphers ctos: aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,3des-cbc,aes192-cbc,aes256-cbc,rijndael-...@lysator.liu.se debug2: ciphers stoc: aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,3des-cbc,aes192-cbc,aes256-cbc,rijndael-...@lysator.liu.se debug2: MACs ctos: hmac-sha1,hmac-sha2-256,hmac-sha2-512,hmac-sha1-...@openssh.com,hmac-sha2-256-...@openssh.com,hmac-sha2-512-...@openssh.com debug2: MACs stoc: hmac-sha1,hmac-sha2-256,hmac-sha2-512,hmac-sha1-...@openssh.com,hmac-sha2-256-...@openssh.com,hmac-sha2-512-...@openssh.com Jan 24 14:42:38 carts sshd[6890]: FIPS mode initialized Jan 24 14:42:38 carts sshd[6890]: Unable to negotiate with 172.26.170.72 port 57948: no matching key exchange method found. Their offer: diffie-hellman-group14-sha1,diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1 [preauth] Looks like, to me, that Guacamole isn’t sending the proper algorithms or ciphers in its SSH request. Not sure if the issue is in Guacamole itself or in libssh2, which is 1.4.3 at the moment. Thanks, Harry From: Devine, Harry (FAA) Sent: Wednesday, January 24, 2018 1:04 PM To: user@guacamole.apache.org Subject: RE: Connection failures We had a fully patched RHEL 7.4 server, and ran the following commands on it (based on the article found here, which requires a Red Hat account to look at: https://access.redhat.com/solutions/137833 ): yum install dracut-fips grep -qw aes /proc/cpuinfo && echo YES || echo no # If the above grep returns YES: yum install dracut-fips-aesni rpm -q prelink mv -v /boot/initramfs-$(uname -r).img{,.bak} dracut grubby --update-kernel=$(grubby --default-kernel) --args=fips=1 uuid=$(findmnt -no uuid /boot) echo $uuid [[ -n $uuid ]] && grubby --update-kernel=$(grubby --default-kernel) --args=boot=UUID=${uuid} reboot sysctl crypto.fips_enabled sed -i '/^GRUB_CMDLINE_LINUX=/s/"$/ fips=1"/' /etc/default/grub uuid=$(findmnt -no uuid /boot) echo $uuid [[ -n $uuid ]] && sed -i "/^GRUB_CMDLINE_LINUX=/s/\"$/ boot=UUID=${uuid}\"/" /etc/default/grub reboot Thanks, Harry From: Nick Couchman [mailto:vn...@apache.org] Sent: Wednesday, January 24, 2018 11:54 AM To: user@guacamole.apache.org<mailto:user@guacamole.apache.org> Subject: Re: Connection failures On Wed, Jan 24, 2018 at 10:55 AM, <harry.dev...@faa.gov<mailto:harry.dev...@faa.gov>> wrote: As a test, I made a new Guacamole connection to a server that we did NOT make FIPS 140-2 compliant yet, and was able to get right in. So the FIPS 140-2 is definitely the issue. So I need to know if there’s something in guacamole 0.9.13 that I need to tweak, or libssh2. I’m not sure if I can update libssh2 to a newer version, as 1.4.3 is the latest available in the RHEL 7.4 patch trail. Can you remind/post the changes made to make the SSH server FIPS 140-2 compliant? You may have already posted it, so apologies if that's a repeat, but I can try to reproduce and see what happens. I do not believe there is anything in Guacamole specifically that deals with this, it should all be in libssh2, but we can take a look. -Nick
