RHEL in FIPS mode ignores crypto subpolicy

Çağlar Arlı

I have a number of RHEL 8 and RHEL 9 systems with FIPS mode enabled. I'm trying to use a crypto subpolicy to disable CBC ciphers, but the subpolicy seems to be ignored in FIPS mode even though it is applied correctly.

The same subpolicy works on non-FIPS systems. Red Hat also supports subpolicies in FIPS mode, and applying mine does not produce any error messages.

My /etc/crypto-policies/policies/modules/NO-CBC.pmod :

cipher@ssh = -*-CBC

Installation reports no problem with the subpolicy even after restart.

# fips-mode-setup --check
FIPS mode is enabled.
# update-crypto-policies --show
FIPS
# update-crypto-policies --set FIPS:NO-CBC
Setting system policy to FIPS:NO-CBC
Note: System-wide crypto policies are applied on application start-up.
It is recommended to restart the system for the change of policies
to fully take place.
# update-crypto-policies --show
FIPS:NO-CBC

Yet sshd still uses the CBC ciphers:

# sshd -T -C lport=22 | grep -i ciphers
ciphers aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,3des-cbc,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se,aes128-gcm@openssh.com,aes256-gcm@openssh.com

With FIPS mode disabled (and of course using the DEFAULT crypto policy):

# update-crypto-policies --show
DEFAULT
# update-crypto-policies --set DEFAULT:NO-CBC
Setting system policy to DEFAULT:NO-CBC
Note: System-wide crypto policies are applied on application start-up.
It is recommended to restart the system for the change of policies
to fully take place.
# update-crypto-policies --show
DEFAULT:NO-CBC

And SSHD shows that the CBC ciphers are removed:

# sshd -T -C lport=22 | grep -i ciphers
ciphers chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com

I also checked /etc/crypto-policies/state/CURRENT.pol. It did not contain the CBC ciphers for openssh:

# Policy FIPS:NO-CBC dump
#
# Do not parse the contents of this file with automated tools,
# it is provided for review convenience only.
#
# Baseline values for all scopes:
cipher = AES-256-GCM AES-256-CCM AES-256-CTR AES-128-GCM AES-128-CCM AES-128-CTR
group = SECP256R1 SECP521R1 SECP384R1 FFDHE-2048 FFDHE-3072 FFDHE-4096 FFDHE-6144 FFDHE-8192
hash = SHA2-256 SHA2-384 SHA2-512 SHA2-224 SHA3-256 SHA3-384 SHA3-512 SHAKE-256
key_exchange = ECDHE DHE DHE-RSA PSK DHE-PSK ECDHE-PSK
mac = AEAD HMAC-SHA2-256 HMAC-SHA2-384 HMAC-SHA2-512
protocol =
sign = ECDSA-SHA3-256 ECDSA-SHA2-256 ECDSA-SHA3-384 ECDSA-SHA2-384 ECDSA-SHA3-512 ECDSA-SHA2-512 RSA-PSS-SHA3-256 RSA-PSS-SHA2-256 RSA-PSS-SHA3-384 RSA-PSS-SHA2-384 RSA-PSS-SHA3-512 RSA-PSS-SHA2-512 RSA-PSS-RSAE-SHA3-256 RSA-PSS-RSAE-SHA2-256 RSA-PSS-RSAE-SHA3-384 RSA-PSS-RSAE-SHA2-384 RSA-PSS-RSAE-SHA3-512 RSA-PSS-RSAE-SHA2-512 RSA-SHA3-256 RSA-SHA2-256 RSA-SHA3-384 RSA-SHA2-384 RSA-SHA3-512 RSA-SHA2-512 ECDSA-SHA2-224 RSA-PSS-SHA2-224 RSA-SHA2-224
arbitrary_dh_groups = 1
min_dh_size = 2048
min_dsa_size = 2048
min_rsa_size = 2048
sha1_in_certs = 0
ssh_certs = 1
etm = ANY
__ems = ENFORCE
# Scope-specific properties derived for select backends:
cipher@gnutls = AES-256-GCM AES-256-CCM AES-128-GCM AES-128-CCM
protocol@gnutls = TLS1.3 TLS1.2 DTLS1.2
cipher@java-tls = AES-256-GCM AES-256-CCM AES-128-GCM AES-128-CCM
protocol@java-tls = TLS1.3 TLS1.2 DTLS1.2
cipher@krb5 = AES-256-CBC AES-128-CBC
mac@krb5 = HMAC-SHA2-384 HMAC-SHA2-256 AEAD HMAC-SHA2-512
protocol@libreswan = IKEv2
cipher@nss = AES-256-GCM AES-256-CCM AES-128-GCM AES-128-CCM
protocol@nss = TLS1.3 TLS1.2 DTLS1.2
cipher@openssl = AES-256-GCM AES-256-CCM AES-128-GCM AES-128-CCM
protocol@openssl = TLS1.3 TLS1.2 DTLS1.2

In RHEL 9, /etc/crypto-policies/back-ends/openssh.config also seems correct:

Ciphers aes256-gcm@openssh.com,aes256-ctr,aes128-gcm@openssh.com,aes128-ctr
MACs hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha2-256,hmac-sha2-512
GSSAPIKeyExchange no
KexAlgorithms ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512
PubkeyAcceptedAlgorithms ecdsa-sha2-nistp256,ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521,ecdsa-sha2-nistp521-cert-v01@openssh.com,rsa-sha2-256,rsa-sha2-256-cert-v01@openssh.com,rsa-sha2-512,rsa-sha2-512-cert-v01@openssh.com
CASignatureAlgorithms ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,rsa-sha2-256,rsa-sha2-512
RequiredRSASize 2048

All this leads me to believe that the FIPS version of sshd may ignore the backends file.
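
The comparison described in the post (what `sshd -T` reports against what the generated back-end file allows) can be scripted so the drift is listed cipher by cipher. This is an added example, not part of the original post; the function names are hypothetical and the sample data is copied from the output quoted above.

```shell
#!/usr/bin/env bash
# Added example: list ciphers that sshd reports as effective but that the
# crypto-policies back-end file does not allow. Function names are hypothetical.

# Print the comma-separated value of the first "Ciphers"/"ciphers" line on stdin.
extract_ciphers() {
    awk 'tolower($1) == "ciphers" { print $2; exit }'
}

# Print, one per line, every cipher in list $1 that is absent from list $2.
ciphers_outside_policy() {
    local effective=$1 policy=$2 c
    for c in ${effective//,/ }; do
        case ",$policy," in
            *",$c,"*) ;;                 # allowed by the policy file
            *) printf '%s\n' "$c" ;;     # effective in sshd, not in the policy
        esac
    done
}

# Sample input: the `sshd -T` line and the back-end lines quoted in the post
# (policy FIPS:NO-CBC); the MACs line is included to show it is skipped.
SAMPLE_SSHD_T='ciphers aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,3des-cbc,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se,aes128-gcm@openssh.com,aes256-gcm@openssh.com'
SAMPLE_BACKEND='Ciphers aes256-gcm@openssh.com,aes256-ctr,aes128-gcm@openssh.com,aes128-ctr
MACs hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha2-256,hmac-sha2-512'

# Run the comparison on the sample data.
check_sample() {
    ciphers_outside_policy \
        "$(printf '%s\n' "$SAMPLE_SSHD_T" | extract_ciphers)" \
        "$(printf '%s\n' "$SAMPLE_BACKEND" | extract_ciphers)"
}

# On a live system (as root), using the command and file from the post:
#   ciphers_outside_policy \
#       "$(sshd -T -C lport=22 | extract_ciphers)" \
#       "$(extract_ciphers < /etc/crypto-policies/back-ends/openssh.config)"
check_sample
```

An empty result means the running configuration matches the policy file; any line printed is a cipher sshd would still negotiate despite the policy.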