
Bug 1938224

Summary: GSS KEX broken beginning with GSI-OpenSSH 8.0p1
Product: [Fedora] Fedora EPEL
Component: gsi-openssh
Version: epel8
Hardware: x86_64
OS: Linux
Status: CLOSED ERRATA
Severity: high
Priority: unspecified
Type: Bug
Reporter: Frank Scheiner <scheiner>
Assignee: Mattias Ellert <mattias.ellert>
QA Contact: Fedora Extras Quality Assurance <extras-qa>
CC: mattias.ellert
Fixed In Version: gsi-openssh-8.5p1-1.fc34 gsi-openssh-8.3p1-5.fc32 gsi-openssh-8.4p1-6.fc33 gsi-openssh-8.0p1-7.el8
Last Closed: 2021-03-21 00:21:28 UTC

Description Frank Scheiner 2021-03-12 14:16:04 UTC
Description of problem:

As per [1], GSI authentication is non-functional since GSI-OpenSSH 8.0p1 because the GSS key exchange functionality is broken for GSI since this version; the SHA1-based GSS group exchange functionality is still working, though. This was confirmed on x86_64 but should affect all other architectures, too.

[1]: https://github.com/openssh-gsskex/openssh-gsskex/issues/18

Version-Release number of selected component (if applicable):

8.0p1-6.el8

How reproducible:

always

Steps to Reproduce:

Install [gsi-openssh-8.0p1-6.el8] server and clients. Configure `gsisshd` to listen on TCP port `2222`. Configure GSI (host cert and key, grid-mapfile) and create a GSI proxy certificate. Also install the test script from https://gist.github.com/fscheiner/92ea125c72cd70283a712585206c1015 which starts a `gsisshd` and tries to connect and authenticate via GSI to this GSI-OpenSSH server instance with `gsissh`.

[gsi-openssh-8.0p1-6.el8]: https://kojipkgs.fedoraproject.org//packages/gsi-openssh/8.0p1/6.el8/x86_64/

```
[johndoe@host ~]$ sudo bin/test-gss-kex-for-gsi-openssh.bash host.domain.tld johndoe2
```

Actual results:

Only the GSS GEX method `gss-gex-sha1-` is working:

```
gsisshd: OpenSSH_8.0p1c-GSI GSI-hpn14v19, OpenSSL 1.1.1c FIPS  28 May 2019
gsissh: OpenSSH_8.0p1c-GSI GSI-hpn14v19, OpenSSL 1.1.1c FIPS  28 May 2019

Wait 3 seconds for startup of gsisshd ...

gss-gex-sha1- OK
gss-group1-sha1- Error
gss-group14-sha256- Error
gss-nistp256-sha256- Error
gss-curve25519-sha256- Error
gss-group16-sha512- Error

[johndoe@host ~]$ yum info gsi-openssh
[...]
Installed Packages
Name         : gsi-openssh
Version      : 8.0p1
Release      : 6.el8
Architecture : x86_64
Size         : 1.9 M
Source       : gsi-openssh-8.0p1-6.el8.src.rpm
[...]

```

Expected results:

All GSS KEX/GEX methods (`gss-group1-sha1-`, `gss-group14-sha1-`, `gss-group14-sha256-`, `gss-group16-sha512-`, `gss-nistp256-sha256-`, `gss-curve25519-sha256-`, `gss-gex-sha1-`) are working:

```
gsisshd: OpenSSH_8.0p1c-GSI GSI-hpn14v19, OpenSSL 1.1.1c FIPS  28 May 2019
gsissh: OpenSSH_8.0p1c-GSI GSI-hpn14v19, OpenSSL 1.1.1c FIPS  28 May 2019

Wait 3 seconds for startup of gsisshd ...

gss-gex-sha1- OK
gss-group1-sha1- OK
gss-group14-sha256- OK
gss-nistp256-sha256- OK
gss-curve25519-sha256- OK
gss-group16-sha512- OK
```

Additional info:

A fix based on [openssh-gsskex/openssh-gsskex#19] is available from here:

https://gist.github.com/fscheiner/ec430514b28e4dad24516c66939a8945

[openssh-gsskex/openssh-gsskex#19]: https://github.com/openssh-gsskex/openssh-gsskex/pull/19
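
The per-method probe that the reporter's test script performs, written out here as an added example (this is not the gist, nor code from gsi-openssh or openssh-gsskex). It assumes a `gsissh` client that accepts the openssh-gsskex options `GSSAPIKeyExchange` and `GSSAPIKexAlgorithms`, a `gsisshd` on TCP port 2222 and a valid GSI proxy for the calling user; the `GSISSH_CMD`/`PORT` variables, the `GSS_KEX_PROBE_OK` marker and the `host.example.test` name are my own. The one check worth adding over a plain "did the login work" test: because the client still offers the ordinary KEX methods after the GSS ones, a server that simply declines a GSS method would let the session fall back to, say, `curve25519-sha256` plus `gssapi-with-mic` user authentication and look healthy. The script therefore only reports OK when the client's `-v` transcript shows the requested method was the one negotiated.

```shell
#!/bin/sh
# Probe which GSS key-exchange methods a GSI-OpenSSH server really completes.
# Added example for this bug report, not the reporter's gist or the package's code.
# Assumptions: `gsissh` (or $GSISSH_CMD) accepts the openssh-gsskex options
# GSSAPIKeyExchange and GSSAPIKexAlgorithms, a gsisshd listens on $PORT, and a
# valid GSI proxy certificate is already in place for the calling user.

GSISSH_CMD="${GSISSH_CMD:-gsissh}"
PORT="${PORT:-2222}"

# Method names as written in the bug report. On the wire each one carries a
# suffix after the trailing "-": the base64 MD5 of the DER-encoded mechanism
# OID (RFC 4462), so comparisons below are prefix matches.
GSS_KEX_METHODS="gss-gex-sha1- gss-group1-sha1- gss-group14-sha1-
gss-group14-sha256- gss-group16-sha512- gss-nistp256-sha256- gss-curve25519-sha256-"

# Read an `ssh -v` transcript on stdin and print the KEX method the client
# recorded as negotiated (empty if the handshake never got that far).
negotiated_kex() {
    sed -n 's/^debug1: kex: algorithm: \([^ ]*\).*/\1/p' | head -n 1
}

# Try exactly one GSS method against HOST as USER. A result counts as OK only
# when the session ran the marker command AND the negotiated KEX has the
# requested prefix; a fallback to a non-GSS KEX is reported as an error.
probe_kex() {
    host=$1; user=$2; kex=$3
    rc=0
    log=$("$GSISSH_CMD" -v -p "$PORT" \
        -o BatchMode=yes -o ConnectTimeout=10 \
        -o GSSAPIAuthentication=yes -o GSSAPIKeyExchange=yes \
        -o GSSAPIKexAlgorithms="$kex" \
        -o PreferredAuthentications=gssapi-with-mic \
        "$user@$host" 'echo GSS_KEX_PROBE_OK' 2>&1) || rc=$?
    chosen=$(printf '%s\n' "$log" | negotiated_kex)
    case "$chosen" in
        "$kex"*)
            if printf '%s\n' "$log" | grep -q '^GSS_KEX_PROBE_OK$'; then
                echo "$kex OK"
            else
                echo "$kex Error (gsissh exit $rc after negotiating $chosen)"
            fi ;;
        "")  echo "$kex Error (gsissh exit $rc, no KEX negotiated)" ;;
        *)   echo "$kex Error (server negotiated $chosen, not $kex)" ;;
    esac
}

# Run every method once, one line of output per method.
main() {
    for kex in $GSS_KEX_METHODS; do
        probe_kex "$1" "$2" "$kex"
    done
}

case $# in
    2) main "$1" "$2" ;;
    *) echo "usage: $0 HOST USER   (env: PORT=$PORT GSISSH_CMD=$GSISSH_CMD)" >&2 ;;
esac
```

Run it as `./gss-kex-probe.sh host.domain.tld johndoe2` from a shell that already holds the proxy; set `GSISSH_CMD` to a differently built client (for instance one carrying the fix from the gist above) to compare builds against the same server without reinstalling packages. Against the affected 8.0p1-6.el8 packages the expected picture is the one in "Actual results": `gss-gex-sha1-` OK and every other method reported as an error after the GSS method was negotiated.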

Comment 1 Fedora Update System 2021-03-17 22:22:34 UTC
FEDORA-2021-81c8581192 has been submitted as an update to Fedora 32. https://bodhi.fedoraproject.org/updates/FEDORA-2021-81c8581192

Comment 2 Fedora Update System 2021-03-17 22:22:36 UTC
FEDORA-EPEL-2021-5392fab667 has been submitted as an update to Fedora EPEL 8. https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2021-5392fab667

Comment 3 Fedora Update System 2021-03-17 22:22:37 UTC
FEDORA-2021-b09f187229 has been submitted as an update to Fedora 34. https://bodhi.fedoraproject.org/updates/FEDORA-2021-b09f187229

Comment 4 Fedora Update System 2021-03-18 03:29:20 UTC
FEDORA-2021-fa267d8125 has been pushed to the Fedora 33 testing repository.
Soon you'll be able to install the update with the following command:
`sudo dnf upgrade --enablerepo=updates-testing --advisory=FEDORA-2021-fa267d8125`
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2021-fa267d8125

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.

Comment 5 Fedora Update System 2021-03-18 03:42:52 UTC
FEDORA-2021-81c8581192 has been pushed to the Fedora 32 testing repository.
Soon you'll be able to install the update with the following command:
`sudo dnf upgrade --enablerepo=updates-testing --advisory=FEDORA-2021-81c8581192`
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2021-81c8581192

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.

Comment 6 Fedora Update System 2021-03-18 04:48:15 UTC
FEDORA-EPEL-2021-5392fab667 has been pushed to the Fedora EPEL 8 testing repository.

You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2021-5392fab667

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.

Comment 7 Fedora Update System 2021-03-18 21:47:23 UTC
FEDORA-2021-b09f187229 has been pushed to the Fedora 34 testing repository.
Soon you'll be able to install the update with the following command:
`sudo dnf upgrade --enablerepo=updates-testing --advisory=FEDORA-2021-b09f187229`
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2021-b09f187229

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.

Comment 8 Fedora Update System 2021-03-21 00:21:28 UTC
FEDORA-2021-b09f187229 has been pushed to the Fedora 34 stable repository.
If problem still persists, please make note of it in this bug report.

Comment 9 Fedora Update System 2021-03-26 00:54:49 UTC
FEDORA-2021-81c8581192 has been pushed to the Fedora 32 stable repository.
If problem still persists, please make note of it in this bug report.

Comment 10 Fedora Update System 2021-03-26 17:52:57 UTC
FEDORA-2021-fa267d8125 has been pushed to the Fedora 33 stable repository.
If problem still persists, please make note of it in this bug report.

Comment 11 Fedora Update System 2021-04-02 01:55:55 UTC
FEDORA-EPEL-2021-5392fab667 has been pushed to the Fedora EPEL 8 stable repository.
If problem still persists, please make note of it in this bug report.