From 7f69d1e69a0c7e4da012b9dcf3f5c4cba3726b8b Mon Sep 17 00:00:00 2001
From: Jakub Jelen
Date: Tue, 9 Nov 2021 15:17:08 +0100
Subject: [PATCH] Filter out Ed25519 keys from default in FIPS mode

Signed-off-by: Jakub Jelen
---
 defaults/main.yml | 3 ++-
 meta/10_top.j2 | 6 +++++-
 tasks/install.yml | 26 +++++++++++++++++++++++++-
 vars/RedHat_7.yml | 2 ++
 vars/RedHat_8.yml | 2 ++
 5 files changed, 36 insertions(+), 3 deletions(-)

diff --git a/defaults/main.yml b/defaults/main.yml
index fb9ae38..5dbf248 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -74,7 +74,8 @@ __sshd_defaults: {}
 __sshd_os_supported: no
 __sshd_sysconfig_supports_crypto_policy: false
 __sshd_sysconfig_supports_use_strong_rng: false
-
+# The hostkeys not supported in FIPS mode, if applicable
+__sshd_hostkeys_nofips: []
 __sshd_runtime_directory: false
 __sshd_runtime_directory_mode: "0755"
diff --git a/meta/10_top.j2 b/meta/10_top.j2
index 0c656e0..4c59aa3 100644
--- a/meta/10_top.j2
+++ b/meta/10_top.j2
@@ -21,7 +21,11 @@
 {% elif sshd[key] is defined %}
 {% set value = sshd[key] %}
 {% elif __sshd_defaults[key] is defined and not sshd_skip_defaults %}
-{% set value = __sshd_defaults[key] %}
+{% if key == 'HostKey' and __sshd_fips_mode %}
+{% set value = __sshd_defaults[key] | difference(__sshd_hostkeys_nofips) %}
+{% else %}
+{% set value = __sshd_defaults[key] %}
+{% endif %}
 {% endif %}
 {{ render_option(key,value) -}}
 {% endmacro %}
diff --git a/tasks/install.yml b/tasks/install.yml
index b03873b..b7c371d 100644
--- a/tasks/install.yml
+++ b/tasks/install.yml
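Review bot: `__sshd_hostkeys_nofips` gets a default here, but `__sshd_fips_mode`, which the new branch in meta/10_top.j2 tests with `{% if key == 'HostKey' and __sshd_fips_mode %}`, does not; in this commit it is only defined in the task-scoped `vars: &share_vars` of tasks/install.yml. Unless every task that renders the template also aliases `*share_vars` (not visible here), the template fails on an undefined variable, and that only surfaces on hosts where the template path runs. Adding `__sshd_fips_mode: false` next to `__sshd_hostkeys_nofips: []` here (or writing `__sshd_fips_mode | d(false)` in the template) makes the non-FIPS behaviour the fallback, so `difference` is applied only when the install task actually determined FIPS mode.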
@@ -22,8 +22,28 @@
 - __sshd_sysconfig_supports_use_strong_rng or __sshd_sysconfig_supports_crypto_policy
 notify: reload_sshd
+- name: Check the kernel FIPS mode
+ slurp:
+ src: /proc/sys/crypto/fips_enabled
+ register: __sshd_kernel_fips_mode
+ failed_when: false
+ when:
+ - __sshd_hostkeys_nofips != []
+
+- name: Check the userspace FIPS mode
+ slurp:
+ src: /etc/system-fips
+ register: __sshd_userspace_fips_mode
+ failed_when: false
+ when:
+ - __sshd_hostkeys_nofips != []
+
 - name: Make sure hostkeys are available and have expected permissions
 vars: &share_vars
+ __sshd_fips_mode: >-
+ __sshd_hostkeys_nofips != [] and \
+ (__sshd_kernel_fips_mode.content | b64decode == "1" | bool or \
+ __sshd_kernel_fips_mode.content | b64decode != "0" | bool)
 # This mimics the macro body_option() in sshd_config.j2
 # The explicit to_json filter is needed for Python 2 compatibility
 __sshd_hostkeys_from_config: >-
@@ -32,7 +52,11 @@
 {% elif sshd['HostKey'] is defined %}
 {{ sshd['HostKey'] | to_json }}
 {% elif __sshd_defaults['HostKey'] is defined and not sshd_skip_defaults %}
- {{ __sshd_defaults['HostKey'] | to_json }}
+ {% if __sshd_fips_mode %}
+ {{ __sshd_defaults['HostKey'] | difference(__sshd_hostkeys_nofips) | to_json }}
+ {% else %}
+ {{ __sshd_defaults['HostKey'] | to_json }}
+ {% endif %}
 {% else %}
 []
 {% endif %}
diff --git a/vars/RedHat_7.yml b/vars/RedHat_7.yml
index dd21524..4601f7b 100644
--- a/vars/RedHat_7.yml
+++ b/vars/RedHat_7.yml
@@ -29,3 +29,5 @@ __sshd_os_supported: yes
 __sshd_sysconfig_supports_use_strong_rng: true
 __sshd_hostkey_group: ssh_keys
 __sshd_hostkey_mode: "0640"
+__sshd_hostkeys_nofips:
+ - /etc/ssh/ssh_host_ed25519_key
diff --git a/vars/RedHat_8.yml b/vars/RedHat_8.yml
index 51236af..9bb1646 100644
--- a/vars/RedHat_8.yml
+++ b/vars/RedHat_8.yml
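Review bot: `__sshd_fips_mode` under `vars: &share_vars` is a bare `>-` folded scalar with no `{{ }}`, so Ansible stores the expression as literal text (backslashes included) instead of evaluating it, and because a non-empty string is truthy, `{% if __sshd_fips_mode %}` in the next hunk and the matching branch in meta/10_top.j2 would drop the `__sshd_hostkeys_nofips` entries on every host that defines them, FIPS or not. Even once templated the comparisons are mis-grouped: Jinja applies filters before `==`, so `b64decode == "1" | bool` compares the decoded text with `True` and `b64decode != "0" | bool` is true for any content, and the slurped proc file ends in a newline so an equality test needs `trim`. `__sshd_userspace_fips_mode` is registered but never read, and `content` is absent when a slurp is skipped or fails (`failed_when: false`), so a `default('')` is needed before decoding; whether /etc/system-fips should count on its own (presumably by its presence rather than its content) is for the author to decide, and the enclosing task continues past this hunk. A templated form with explicit grouping is below.
```yaml
  vars: &share_vars
    # Templated so the expression is evaluated rather than stored as text;
    # content is absent when the slurp was skipped or failed (hence the
    # default) and the proc file ends in a newline (hence the trim).
    __sshd_fips_mode: >-
      {{ __sshd_hostkeys_nofips != [] and
      (__sshd_kernel_fips_mode.content | default('') | b64decode | trim) == '1' }}
    # … unchanged: __sshd_hostkeys_from_config …
```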
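Review bot: The new `__sshd_hostkeys_nofips` entry carries no explanation of why this path is excluded, and the identical two lines are added in vars/RedHat_8.yml, so a reader of the OS vars files sees only a bare list of paths. A comment above the key, such as `# Host keys that cannot be used in FIPS mode; removed from the default HostKey list when FIPS mode is detected (see tasks/install.yml)`, records the intent where the list is maintained. Since `difference` removes list elements by exact match, the spelling here has to agree verbatim with the corresponding entry in `__sshd_defaults['HostKey']`, which is worth stating in the same comment.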
@@ -31,3 +31,5 @@ __sshd_sysconfig_supports_use_strong_rng: true
 __sshd_sysconfig_supports_crypto_policy: true
 __sshd_hostkey_group: ssh_keys
 __sshd_hostkey_mode: "0640"
+__sshd_hostkeys_nofips:
+ - /etc/ssh/ssh_host_ed25519_key