Filter out Ed25519 keys from default in FIPS mode

Signed-off-by: Jakub Jelen <jjelen@redhat.com>
2024-09-19 23:11:32 +02:00 · 2021-11-09 15:17:08 +01:00 · 2021-11-09 15:17:08 +01:00 · 7f69d1e69a
commit 7f69d1e69a
parent 71eab116bd
5 changed files with 36 additions and 3 deletions
--- a/defaults/main.yml
+++ b/defaults/main.yml
@ -74,7 +74,8 @@ __sshd_defaults: {}
 __sshd_os_supported: no
 __sshd_sysconfig_supports_crypto_policy: false
 __sshd_sysconfig_supports_use_strong_rng: false
-
+# The hostkeys not supported in FIPS mode, if applicable
+__sshd_hostkeys_nofips: []

 __sshd_runtime_directory: false
 __sshd_runtime_directory_mode: "0755"
--- a/meta/10_top.j2
+++ b/meta/10_top.j2
@ -21,7 +21,11 @@
 {%   elif sshd[key] is defined %}
 {%     set value = sshd[key] %}
 {%   elif __sshd_defaults[key] is defined and not sshd_skip_defaults %}
-{%     set value = __sshd_defaults[key] %}
+{%     if key == 'HostKey' and __sshd_fips_mode %}
+{%       set value = __sshd_defaults[key] | difference(__sshd_hostkeys_nofips) %}
+{%     else %}
+{%       set value = __sshd_defaults[key] %}
+{%     endif %}
 {%   endif %}
 {{ render_option(key,value) -}}
 {% endmacro %}
--- a/tasks/install.yml
+++ b/tasks/install.yml
@ -22,8 +22,28 @@
    - __sshd_sysconfig_supports_use_strong_rng or __sshd_sysconfig_supports_crypto_policy
  notify: reload_sshd

+- name: Check the kernel FIPS mode
+  slurp:
+    src: /proc/sys/crypto/fips_enabled
+  register: __sshd_kernel_fips_mode
+  failed_when: false
+  when:
+    - __sshd_hostkeys_nofips != []
+
+- name: Check the userspace FIPS mode
+  slurp:
+    src: /etc/system-fips
+  register: __sshd_userspace_fips_mode
+  failed_when: false
+  when:
+    - __sshd_hostkeys_nofips != []
+
 - name: Make sure hostkeys are available and have expected permissions
  vars: &share_vars
+    __sshd_fips_mode: >-
+      __sshd_hostkeys_nofips != [] and \
+      (__sshd_kernel_fips_mode.content | b64decode == "1" | bool or \
+       __sshd_kernel_fips_mode.content | b64decode != "0" | bool)
    # This mimics the macro body_option() in sshd_config.j2
    # The explicit to_json filter is needed for Python 2 compatibility
    __sshd_hostkeys_from_config: >-
@ -32,7 +52,11 @@
      {% elif sshd['HostKey'] is defined %}
        {{ sshd['HostKey'] | to_json }}
      {% elif __sshd_defaults['HostKey'] is defined and not sshd_skip_defaults %}
-        {{ __sshd_defaults['HostKey'] | to_json }}
+        {% if __sshd_fips_mode %}
+          {{ __sshd_defaults['HostKey'] | difference(__sshd_hostkeys_nofips) | to_json }}
+        {% else %}
+          {{ __sshd_defaults['HostKey'] | to_json }}
+        {% endif %}
      {% else %}
        []
      {% endif %}
--- a/vars/RedHat_7.yml
+++ b/vars/RedHat_7.yml
@ -29,3 +29,5 @@ __sshd_os_supported: yes
 __sshd_sysconfig_supports_use_strong_rng: true
 __sshd_hostkey_group: ssh_keys
 __sshd_hostkey_mode: "0640"
+__sshd_hostkeys_nofips:
+  - /etc/ssh/ssh_host_ed25519_key
--- a/vars/RedHat_8.yml
+++ b/vars/RedHat_8.yml
@ -31,3 +31,5 @@ __sshd_sysconfig_supports_use_strong_rng: true
 __sshd_sysconfig_supports_crypto_policy: true
 __sshd_hostkey_group: ssh_keys
 __sshd_hostkey_mode: "0640"
+__sshd_hostkeys_nofips:
+  - /etc/ssh/ssh_host_ed25519_key