Arshad Khan
2018-Nov-09 06:53 UTC
Getting "key_demote: error in libcrypto" error when using OpenSSH 7.6p1 with OpenSSL in FIPS mode
Hello All,

I posted this query on comp.security.ssh but haven't got any response to it so far. I'd appreciate it if I can get any help to resolve this issue.

I have a CentOS 6 system that is running OpenSSH version 7.6p1 built with OpenSSL 1.0.2o. The OpenSSL is built with FIPS module 2.0.16. I have a Python-based pluggable authentication module configured using pam_python 1.0.6 and Python 2.7.10.

When I use an ssh client to log in to this system, the connection is immediately closed by the system. This happens whether I log in using a password or a key. Checking /var/log/secure, I see the following error:

sshd[11255]: fatal: key_demote: error in libcrypto

Checking the OpenSSH code, I think this is happening when the server is demoting private keys to public keys.

The problem I have tracked down is because of an import in the PAM Python module which eventually imports Python's _ssl module. A dummy PAM Python module with just this import reproduces the issue.

Here is the dummy PAM Python module that I am using to repro the issue:

-----
#!/opt/bin/python

# This import alone is enough to reproduce the sshd failure.
import _ssl

def pam_sm_authenticate(pamh, flags, argv):
    return pamh.PAM_SUCCESS

def pam_sm_setcred(pamh, flags, argv):
    return pamh.PAM_SUCCESS

def pam_sm_open_session(pamh, flags, argv):
    return pamh.PAM_SUCCESS

def pam_sm_close_session(pamh, flags, argv):
    return pamh.PAM_SUCCESS

def pam_sm_acct_mgmt(pamh, flags, argv):
    return pamh.PAM_SUCCESS
-----

Any help is very much appreciated in resolving or understanding this issue. If there is any other information that may be helpful in understanding this issue, please let me know.

Thanks
Arshad