-
Notifications
You must be signed in to change notification settings - Fork 3.3k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
ssh handshake failure after changing system-wide crypto policy to FIPS #8609
Comments
I have the same issue with a normal RHEL8.1 machine with FIPS enabled. I've downloaded packer 1.5.4 from the website and we are running packer locally, not AWS. |
The best I can tell, this issue is because Packer appears to be using golang's ssh which is signing with SHA-1 during the ssh handshake (i.e. using signature type ssh-rsa instead of rsa-sha2-256 or rsa-sha2-512). Such signatures are prohibited when system-wide crypto policy is set to FIPS on a RHEL 8 or CentOS 8 system, thus the connect error. Furthermore, it appears that OpenSSH 8.2 (released 13 Feb 2020) is completely removing support for signature type ssh-rsa, so this is going to become another area of incompatibility... that is, packer will not be able to connect to any OpenSSH 8.2 based system. see https://lwn.net/Articles/812537/ for more OpenSSH 8.2 info. Golang ssh appears to recently have recently started looking into this, as seen here: Note that rsa keys are still allowed by both OpenSSH 8.2 and RHEL with systemwide crypto policy of FIPS. It's the hash function that is the problem. This was explained in the OpenSSH 8.2 forums: "authenticating yourself using an RSA key involves signing a message with that key to prove that you own it. RSA signatures normally work by first hashing the plaintext message with some hash function and then applying the RSA algorithm to the result. The hash function can be basically anything reasonable, but it needs to be agreed by both parties. From this you can see that there doesn't need to be any particular link between hash function and key size." For now, since Packer will currently only sign with hash SHA-1, packer will remain unable to connect to systems with either >= OpenSSH 8.2 and/or RHEL8/CentOS8 with system-wide crypto policy FIPS or FUTURE, as they prohibit this hash in their accepted signature types. This issue really needs some attention ASAP... |
This issue isn't isolated to aws builder. I experienced the same with vsphere-iso and virtualbox-iso when I attempted to build CentOS8 and RedHat8 images with FIPS enabled from kickstart.
While build is in progress, attempting an ssh connection from an CentOS7 and RedHat7 with FIPS disabled still works. Any version lower than those such as CentOS6 or RedHat6 fails to connect. As circumstantial as it seems, this scenario further points the culprit being the ssh communicator of packer. And as stated earlier, it is safe to say that packer will be unable to connect to any FIPS-enabled OS until the internal packer ssh communicator is fixed. |
I'm not sure this will help but, I had a similar issue after enabling the FIPS on RHEL 7. It turned out that I hope this helps a little. |
Hi Ghunsl - Great to hear you got this working on RHEL7. However, systemwide crypto policy was shipped in CentOS 8/RHEL 8, so I think we are hitting a different issue. Specifically, we are talking about packer not being able to connect to machines where the SSH setting for PubkeyAcceptedKeyTypes does not include "ssh-rsa". "ssh-rsa" is prohibited by FIPS because it uses SHA-1. |
Thanks for opening this folks, and sorry it took so long to give it attention. Just to make sure I fully understand the cases for reproduction -- are you all using your own private keys made with a non- "ssh-rsa" algorithm, or have those of you who've hit this issue been letting Packer generate the keys for you? |
We are using packer to generate RSA keys for us. Note that PubkeyAcceptedKeyTypes specifies both the key type and hash type to use for the public key verification algorithm. "ssh-rsa" uses rsa keys with the SHA-1 hash algorithm. The OS system we are connecting packer to has deprecated the use of ssh-rsa because it is now (or will soon be) insecure due to the SHA-1 hash. If packer supported a more modern ssh signature hash algorithm such as rsa-sha2-256 or rsa-sha2-512, the connection would work with the exact same RSA keys. But packer doesn't support any of the newer secure hash algorithms for this purpose... that's what we hope to get fixed... |
Update: I'm trying to adapt the suggested AlgorithmSigner wrapping method to something that'll work inside of Packer. In the meantime, I have a workaround that will unblock y'all, at the cost of some extra build/pipeline complexity. What you need to do is divide your build into two stages (two discrete Packer "builds"); in the first stage, you enable FIPS and then shut down the machine. BUT before you do, upload a new non-RSA key to your instance. e.g. Before your build create an ecdsa key:
Then add a file provisioner to upload that key: {
"type": "file",
"destination":"/home/{{user `ssh_username`}}/.ssh/authorized_keys",
"source": "/home/username/.ssh/example-key-ecdsa.pub"
}, Then call your provisioner that updates the crypto policy that disables sha1 as When that build completes, you'll get an output AMI, but it won't be your "final" ami. Now you can launch a new build using that output-AMI as your source_ami, and provide example:
I know it's a mess of a workaround, but hopefully either I'll be able to figure out a solution on the Packer end or the x/crypto library will merge their fix. |
I've got some good news and bad news. The bad news is that I can't fix this inside of Packer without re-implementing a huge portion of the golang crypto/ssh library, which I don't want to do. The good news is that I've opened a patch to try to fix this upstream: https://go-review.googlesource.com/c/crypto/+/240717 I'm not sure how long it will take to get merged. In the meantime, I'll talk with our security team about the implications of maintaining our own fork of the crypto library in order to un-block the Packer users who are affected by this. |
Hi everyone, a brief update on this: the HashiCorp security team is wary of Packer having to maintain a fork of a core crypto library, so for now we're going to watch and wait and see what happens with the PR. That said, I know some of you are blocked on this; if y'all want, I can create a developmental Packer build with the crypto patch applied so you don't have to go through the tedious workaround above. Just let me know if there's interest in that, and I'll work on it now-ish instead of when the golang crypto team gets around to reviewing my changelist. |
I still haven't seen movement on my linked patch, but I'll be sure to update this issue when I hear anything. |
@SwampDragons there may be a more elegant solution than maintaining your own crypto right now: https://hub.docker.com/r/goboring/golang |
Any updates on this? Just curious if there are any new workarounds. @SwampDragons |
Unfortunately I'm still waiting on a review over at golang/go#39885; I haven't spent much time trying to build another workaround into Packer because I haven't seen a whole lot of action on this ticket, but we may need to try to figure something else out if it's starting to affect more people. |
Thanks for the response! Woof. That is annoying :-) |
Gave my +1 over on related issue #10074, but I'll throw another vote here too. We're required to enable FIPS mode on our systems and since AWS still doesn't support ECDSA/Ed25519 keypairs with EC2, RSA with SHA2-256 or SHA2-512 is our only option. I've had to do some nasty kludges to keep our Packer builds working through our provisioning steps. |
I believe the golang crypto library has updated the client-side to support a compatible algorithm now. If packer updates to the current version of the library, perhaps this old ticket could be closed? |
According to this reply, someone already tested it: golang/go#39885 (comment) |
Thanks for all the help in communicating various workarounds. The latest Packer SDK has been patched with the Golang crypto/ssh fix . We will be rolling out the fixes to each individual plugin as the changes get merged. Once all plugins have been updated we I’ll work to get a release of Packer core out with the update crypto fix. For those using HCL pinning each plugin to the latest available release should be enough to get the fix in place. |
Hi folks a potential fix for this issue has been merged into Packer main. It is scheduled to be released next week but will be available in the next nightly release. The SSH communication is handled by the Packer Plugin SDK within each of the builders. So even though Packer has the latest SDK the plugin responsible for executing the builder will need to be updated as well in order for the fix to work. We are tracking individual plugin updates in #11761. To download the latest plugin you can run note: The latest nightly has the fix #11712 which should help folks using JSON or HCL without a required plugins block. |
Oh one more thing 😄 If you are still running into issues with the proposed fix please feel free to drop a comment on the thread and we will gladly reopen. Thanks again to everyone for providing workarounds and for your patience. |
(OpenSSH>=8.2 deprecates `ssh-rsa` pub key algorithm, see hashicorp/packer#10074 hashicorp/packer#8609)
(OpenSSH>=8.2 deprecates `ssh-rsa` pub key algorithm, see hashicorp/packer#10074 hashicorp/packer#8609)
(OpenSSH>=8.2 deprecates `ssh-rsa` pub key algorithm, see hashicorp/packer#10074 hashicorp/packer#8609), change docs accordingly
* set 'ssh_username' (required by SSH communicator) in acceptance test * * use packer-plugin-sdk to manage temporary ssh keys * support ecdsa, ed25519 temporary key algos via `temporary_key_pair_type` config * clean up unused properties * use Ubuntu 22.04 LTS base image in acceptance test (OpenSSH>=8.2 deprecates `ssh-rsa` pub key algorithm, see hashicorp/packer#10074 hashicorp/packer#8609), change docs accordingly
Overview of the Issue
After running an Ansible playbook that performs
update-crypto-policies --set FIPS
and reboots an RHEL8 AWS instance, packer cannot reconnect to the instance.Reproduction Steps
git clone https://gist.github.com/19d6e0abbea44001c5d1c4e409e29dd8.git
cd 19d6e0abbea44001c5d1c4e409e29dd8
ssh_keypair_name
andssh_private_key_file
inaws-ebs-ansible.json
for an existing AWS key pair. The issue will manifest if packer creates a temporary ssh keypair but if you use an existing pair, you can ssh to the directly instance even when packer cannot.packer build -var-file vars-rhel8.json aws-ebs-ansible.json
ec2-user@54.209.97.87
) using my existing private key.Packer version
Packer v1.5.1
Simplified Packer Buildfile
file-aws-ebs-ansible.json
Operating system and Environment details
Driving system is CentOS 7 (
3.10.0-957.27.2.el7.x86_64
)Log Fragments and crash.log files
debug.log
The text was updated successfully, but these errors were encountered: