Filter out Ed25519 keys from default in FIPS mode

Signed-off-by: Jakub Jelen <jjelen@redhat.com>
2024-11-10 05:33:29 +01:00 · 2021-11-09 15:17:08 +01:00 · 2021-11-09 15:17:08 +01:00 · 7f69d1e69a
commit 7f69d1e69a
parent 71eab116bd
5 changed files with 36 additions and 3 deletions
--- a/defaults/main.yml
+++ b/defaults/main.yml
@ -74,7 +74,8 @@ __sshd_defaults: {}
 __sshd_os_supported: no
 __sshd_sysconfig_supports_crypto_policy: false
 __sshd_sysconfig_supports_use_strong_rng: false
-
+# The hostkeys not supported in FIPS mode, if applicable
 __sshd_hostkeys_nofips: []
 __sshd_runtime_directory: false
 __sshd_runtime_directory_mode: "0755"
--- a/meta/10_top.j2
+++ b/meta/10_top.j2
@ -21,7 +21,11 @@
 {%   elif sshd[key] is defined %}
 {%     set value = sshd[key] %}
 {%   elif __sshd_defaults[key] is defined and not sshd_skip_defaults %}
-{%     set value = __sshd_defaults[key] %}
+{%     if key == 'HostKey' and __sshd_fips_mode %}
 {%       set value = __sshd_defaults[key] | difference(__sshd_hostkeys_nofips) %}
 {%     else %}
 {%       set value = __sshd_defaults[key] %}
 {%     endif %}
 {%   endif %}
 {{ render_option(key,value) -}}
 {% endmacro %}
--- a/tasks/install.yml
+++ b/tasks/install.yml
@ -22,8 +22,28 @@
    - __sshd_sysconfig_supports_use_strong_rng or __sshd_sysconfig_supports_crypto_policy
  notify: reload_sshd
 - name: Check the kernel FIPS mode
  slurp:
    src: /proc/sys/crypto/fips_enabled
  register: __sshd_kernel_fips_mode
  failed_when: false
  when:
    - __sshd_hostkeys_nofips != []
 - name: Check the userspace FIPS mode
  slurp:
    src: /etc/system-fips
  register: __sshd_userspace_fips_mode
  failed_when: false
  when:
    - __sshd_hostkeys_nofips != []
 - name: Make sure hostkeys are available and have expected permissions
  vars: &share_vars
    __sshd_fips_mode: >-
      __sshd_hostkeys_nofips != [] and \
      (__sshd_kernel_fips_mode.content | b64decode == "1" | bool or \
       __sshd_kernel_fips_mode.content | b64decode != "0" | bool)
    # This mimics the macro body_option() in sshd_config.j2
    # The explicit to_json filter is needed for Python 2 compatibility
    __sshd_hostkeys_from_config: >-
@ -32,7 +52,11 @@
      {% elif sshd['HostKey'] is defined %}
        {{ sshd['HostKey'] | to_json }}
      {% elif __sshd_defaults['HostKey'] is defined and not sshd_skip_defaults %}
-        {{ __sshd_defaults['HostKey'] | to_json }}
+        {% if __sshd_fips_mode %}
          {{ __sshd_defaults['HostKey'] | difference(__sshd_hostkeys_nofips) | to_json }}
        {% else %}
          {{ __sshd_defaults['HostKey'] | to_json }}
        {% endif %}
      {% else %}
        []
      {% endif %}
--- a/vars/RedHat_7.yml
+++ b/vars/RedHat_7.yml
@ -29,3 +29,5 @@ __sshd_os_supported: yes
 __sshd_sysconfig_supports_use_strong_rng: true
 __sshd_hostkey_group: ssh_keys
 __sshd_hostkey_mode: "0640"
 __sshd_hostkeys_nofips:
  - /etc/ssh/ssh_host_ed25519_key
--- a/vars/RedHat_8.yml
+++ b/vars/RedHat_8.yml
@ -31,3 +31,5 @@ __sshd_sysconfig_supports_use_strong_rng: true
 __sshd_sysconfig_supports_crypto_policy: true
 __sshd_hostkey_group: ssh_keys
 __sshd_hostkey_mode: "0640"
 __sshd_hostkeys_nofips:
  - /etc/ssh/ssh_host_ed25519_key