bugzilla-daemon at mindrot.org
2023-Aug-05 11:08 UTC
[Bug 3599] New: How to scan for keys when sshd server has fips enabled?
https://bugzilla.mindrot.org/show_bug.cgi?id=3599
Bug ID: 3599
Summary: How to scan for keys when sshd server has fips enabled?
Product: Portable OpenSSH
Version: 9.3p2
Hardware: All
OS: Linux
Status: NEW
Severity: critical
Priority: P5
Component: ssh-keyscan
Assignee: unassigned-bugs at mindrot.org
Reporter: sshedi at vmware.com
Created attachment 3712
--> https://bugzilla.mindrot.org/attachment.cgi?id=3712&action=edit
Server's sshd config
Hi,
I have an sshd server which is fips enabled and the client is non-fips.
How do I get the server public keys using ssh-keyscan in this case?
I tried running keyscan on the server itself and even that is failing.
```
root at ph5dev:~ # ssh-keyscan localhost
# localhost:22 SSH-2.0-OpenSSH_9.3
# localhost:22 SSH-2.0-OpenSSH_9.3
# localhost:22 SSH-2.0-OpenSSH_9.3
# localhost:22 SSH-2.0-OpenSSH_9.3
# localhost:22 SSH-2.0-OpenSSH_9.3
```
This also returns nothing.
The workaround for this issue is adding the line below (or some other
fips-compliant cipher) to /etc/ssh/sshd_config
```
Ciphers aes128-ctr
```
AFAIK, nothing can be done from the client side to make it work. Please let
me know if there is any way to get it working.
Proposed solutions:
- ssh-keyscan should use configs from /etc/ssh/ssh_config or $HOME/.ssh/config like ssh does
- ssh-keyscan should accept a "-c <cipher>" arg to do negotiation with the server.
- A conf file of its own for ssh-keyscan.
Ultimately, ssh-keyscan should work without any modifications on the server and little or no change on the client side.
PFA my server config.
--
You are receiving this mail because:
You are watching the assignee of the bug.
bugzilla-daemon at mindrot.org
2023-Aug-05 11:10 UTC
[Bug 3599] How to scan for keys when sshd server has fips enabled?
https://bugzilla.mindrot.org/show_bug.cgi?id=3599
Shreenidhi Shedi <sshedi at vmware.com> changed:
| What | Removed | Added |
| --- | --- | --- |
| CC | | djm at mindrot.org, dtucker at dtucker.net |
bugzilla-daemon at mindrot.org
2023-Aug-05 16:17 UTC
[Bug 3599] How to scan for keys when sshd server has fips enabled?
https://bugzilla.mindrot.org/show_bug.cgi?id=3599
--- Comment #1 from Shreenidhi Shedi <sshedi at vmware.com> ---
Created attachment 3713
--> https://bugzilla.mindrot.org/attachment.cgi?id=3713&action=edit
attempt to fix.
Tried fixing the issue. PTAL.
I'm unaware of the development process in this project, so I raised a GitHub PR as well.
https://github.com/openssh/openssh-portable/pull/424
bugzilla-daemon at mindrot.org
2023-Aug-08 05:07 UTC
[Bug 3599] How to scan for keys when sshd server has fips enabled?
https://bugzilla.mindrot.org/show_bug.cgi?id=3599
Damien Miller <djm at mindrot.org> changed:
| What | Removed | Added |
| --- | --- | --- |
| Attachment #3713 mime type | application/octet-stream | text/plain |
| Attachment #3713 is patch | 0 | 1 |
bugzilla-daemon at mindrot.org
2023-Aug-08 05:30 UTC
[Bug 3599] How to scan for keys when sshd server has fips enabled?
https://bugzilla.mindrot.org/show_bug.cgi?id=3599
Damien Miller <djm at mindrot.org> changed:
| What | Removed | Added |
| --- | --- | --- |
| Attachment #3713 is obsolete | 0 | 1 |
| Attachment #3716 Flags | | ok?(dtucker at dtucker.net) |
--- Comment #2 from Damien Miller <djm at mindrot.org> ---
Created attachment 3716
--> https://bugzilla.mindrot.org/attachment.cgi?id=3716&action=edit
Options for MACs and KexAlgorithms too, document
Thanks, I think your patch makes sense.
This tweaks it a little, but also adds support for overriding some
other things that might cause problems in restricted configurations
(MACs and key-exchange algorithms), and documents them all in the
ssh-keygen.8 manpage.
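Whatever makes the scan succeed (the server-side Ciphers workaround from the report, or the ciphers=/macs=/kexalgorithms= overrides in the patch attached to this bug), the scanned key is still unauthenticated until its fingerprint is compared with one obtained out of band. As an added example that is not part of this bug or of OpenSSH, this Python script parses ssh-keyscan output lines, skips the `#` banner lines like those shown in the report, checks that the declared key type matches the type embedded in the key blob, and computes the OpenSSH SHA256 fingerprint for that comparison; the hostname and key bytes are constructed placeholders.

```python
import base64
import hashlib
import struct

# Constructed sample: the 32-byte Ed25519 public key below is a placeholder,
# not a real host key; "ph5dev" is the hostname used in this bug report.
FAKE_ED25519_PUBKEY = bytes(range(32))

def build_blob(key_type: str, *fields: bytes) -> bytes:
    """Encode an SSH public-key blob as RFC 4251 length-prefixed strings."""
    out = b""
    for f in (key_type.encode(),) + fields:
        out += struct.pack(">I", len(f)) + f
    return out

SAMPLE_LINE = "ph5dev ssh-ed25519 " + base64.b64encode(
    build_blob("ssh-ed25519", FAKE_ED25519_PUBKEY)).decode()

def parse_keyscan_line(line: str):
    """Parse 'host keytype base64' into (host, keytype, blob).
    Banner comments ('# host:22 SSH-2.0-...') and blank lines return None;
    the type named in the line must match the type embedded in the blob."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    parts = line.split()
    if len(parts) < 3:
        raise ValueError("malformed ssh-keyscan line")
    host, declared_type, b64 = parts[0], parts[1], parts[2]
    blob = base64.b64decode(b64, validate=True)
    if len(blob) < 4:
        raise ValueError("blob too short")
    (n,) = struct.unpack(">I", blob[:4])
    if 4 + n > len(blob):
        raise ValueError("truncated key type string")
    embedded_type = blob[4:4 + n].decode()
    if embedded_type != declared_type:
        raise ValueError(f"key type mismatch: {declared_type} vs {embedded_type}")
    return host, declared_type, blob

def fingerprint_sha256(blob: bytes) -> str:
    """OpenSSH-style fingerprint: SHA256 of the blob, base64 without '=' padding."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def verify_scanned_key(line: str, expected_fp: str) -> bool:
    """True only if the line parses and its fingerprint equals the out-of-band value."""
    parsed = parse_keyscan_line(line)
    return parsed is not None and fingerprint_sha256(parsed[2]) == expected_fp
```

The expected fingerprint is the value `ssh-keygen -lf` prints on the server itself, or one recorded in inventory; a mismatch means the scanned key must not be added to known_hosts.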
bugzilla-daemon at mindrot.org
2023-Aug-08 06:00 UTC
[Bug 3599] How to scan for keys when sshd server has fips enabled?
https://bugzilla.mindrot.org/show_bug.cgi?id=3599
--- Comment #3 from Shreenidhi Shedi <sshedi at vmware.com> ---
Awesome, yes. These additional changes make this fix complete for now. Thanks a lot.
bugzilla-daemon at mindrot.org
2023-Aug-08 06:03 UTC
[Bug 3599] How to scan for keys when sshd server has fips enabled?
https://bugzilla.mindrot.org/show_bug.cgi?id=3599
--- Comment #4 from Shreenidhi Shedi <sshedi at vmware.com> ---
One query, take this for example.
```
macs = xstrdup(optarg + 5);
```
When will macs get freed?
bugzilla-daemon at mindrot.org
2023-Aug-08 21:47 UTC
[Bug 3599] How to scan for keys when sshd server has fips enabled?
https://bugzilla.mindrot.org/show_bug.cgi?id=3599
--- Comment #5 from Damien Miller <djm at mindrot.org> ---
It won't until the program exits. It will be around for the life of the process because it's needed for the life of the process.
bugzilla-daemon at mindrot.org
2023-Aug-09 02:07 UTC
[Bug 3599] How to scan for keys when sshd server has fips enabled?
https://bugzilla.mindrot.org/show_bug.cgi?id=3599
--- Comment #6 from Shreenidhi Shedi <sshedi at vmware.com> ---
Okay, that looks fine. I was expecting these new pointers to get freed programmatically; if we are delegating that job to the system, that's fine too. Thanks for the response.
bugzilla-daemon at mindrot.org
2023-Aug-13 10:40 UTC
[Bug 3599] How to scan for keys when sshd server has fips enabled?
https://bugzilla.mindrot.org/show_bug.cgi?id=3599
--- Comment #7 from Shreenidhi Shedi <sshedi at vmware.com> ---
Hi Damien Miller,
Any inputs on when this will get merged? I mean, when will this be a part of the GitHub repo? Thanks.
bugzilla-daemon at mindrot.org
2023-Aug-25 15:37 UTC
[Bug 3599] How to scan for keys when sshd server has fips enabled?
https://bugzilla.mindrot.org/show_bug.cgi?id=3599
--- Comment #8 from Shreenidhi Shedi <sshedi at vmware.com> ---
Hi Damien Miller,
Is there anything pending from my end? Please let me know.
bugzilla-daemon at mindrot.org
2023-Aug-30 14:33 UTC
[Bug 3599] How to scan for keys when sshd server has fips enabled?
https://bugzilla.mindrot.org/show_bug.cgi?id=3599
--- Comment #9 from Shreenidhi Shedi <sshedi at vmware.com> ---
There is a problem in the patch.
PTAL.
```
diff --git a/ssh-keyscan.c b/ssh-keyscan.c
index 1fd5867..bb59b55 100644
--- a/ssh-keyscan.c
+++ b/ssh-keyscan.c
@@ -789,11 +789,11 @@ main(int argc, char **argv)
fatal("Unsupported hash
algorithm");
} else if (strncasecmp(optarg, "ciphers=", 8)
== 0) {
ciphers = xstrdup(optarg + 8);
- if (!mac_valid(ciphers))
+ if (!ciphers_valid(ciphers))
fatal("Unsupported ciphers");
} else if (strncasecmp(optarg, "macs=", 5) =0)
{
macs = xstrdup(optarg + 5);
- if (!ciphers_valid(macs))
+ if (!mac_valid(macs))
fatal("Unsupported MACs");
} else if (strncasecmp(optarg,
"kexalgorithms=", 14) == 0) {
```
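Review bot: the swap of the two validators is right: in the `ciphers=` branch `if (!mac_valid(ciphers))` becomes `if (!ciphers_valid(ciphers))`, and in the `macs=` branch `if (!ciphers_valid(macs))` becomes `if (!mac_valid(macs))`, so each list is now checked by its own validator rather than the other one's, which is what made `-O ciphers=`/`-O macs=` values fail or pass for the wrong reason. One thing to confirm against the real attachment rather than this mail: the `macs=` context line reads `strncasecmp(optarg, "macs=", 5) =0)` instead of `== 0`, which would not compile, so it is presumably a line-wrapping artifact of the mail; the hunk as pasted here is hard-wrapped and will not apply with patch(1) either, so the attachment is the copy to review.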