Filter out Ed25519 keys from default in FIPS mode

Signed-off-by: Jakub Jelen <jjelen@redhat.com>
Jakub Jelen 2021-11-09 15:17:08 +01:00 committed by Jakub Jelen
parent 71eab116bd
commit 7f69d1e69a
5 changed files with 36 additions and 3 deletions


@ -74,7 +74,8 @@ __sshd_defaults: {}
__sshd_os_supported: no
__sshd_sysconfig_supports_crypto_policy: false
__sshd_sysconfig_supports_use_strong_rng: false
# The hostkeys not supported in FIPS mode, if applicable
__sshd_hostkeys_nofips: []
__sshd_runtime_directory: false
__sshd_runtime_directory_mode: "0755"
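Review bot: The comment introduced above `__sshd_hostkeys_nofips` does not say what the list is used for, so a reader of the defaults file cannot tell whether it documents a limitation or drives behaviour. The template and tasks later subtract these paths from the role's default `HostKey` list only when FIPS mode is detected, and only from the defaults, not from a user-supplied `sshd.HostKey`. I would replace the comment with `# Host key files that are unusable in FIPS mode; they are removed from the default HostKey list (not from a user-supplied sshd.HostKey) when FIPS mode is detected on the target`. The surrounding stanza continues outside the hunk.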


@ -21,8 +21,12 @@
{% elif sshd[key] is defined %}
{% set value = sshd[key] %}
{% elif __sshd_defaults[key] is defined and not sshd_skip_defaults %}
{% if key == 'HostKey' and __sshd_fips_mode %}
{% set value = __sshd_defaults[key] | difference(__sshd_hostkeys_nofips) %}
{% else %}
{% set value = __sshd_defaults[key] %}
{% endif %}
{% endif %}
{{ render_option(key,value) -}}
{% endmacro %}
{% macro match_block(match_list) %}
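Review bot: The new `{% if key == 'HostKey' and __sshd_fips_mode %}` branch depends on `__sshd_fips_mode` being defined and boolean at render time, but in this commit that variable is only attached to specific tasks via the `&share_vars` anchor; if the task that renders this template does not carry those vars, the lookup raises an undefined-variable error rather than falling back to the unfiltered defaults, so either guard it with `__sshd_fips_mode | default(false)` or confirm every rendering task shares the anchor. The `difference` filter also assumes `__sshd_defaults[key]` is a list; a scalar default would fail here where the `else` branch would have rendered it fine. The intent that an explicit user `sshd.HostKey` is never pruned is worth stating in the template, e.g. `{# Only the role defaults are pruned in FIPS mode; a user-supplied HostKey list is rendered as given #}` above the new `if`. The `body_option` macro starts before the hunk.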


@ -22,8 +22,28 @@
- __sshd_sysconfig_supports_use_strong_rng or __sshd_sysconfig_supports_crypto_policy
notify: reload_sshd
- name: Check the kernel FIPS mode
slurp:
src: /proc/sys/crypto/fips_enabled
register: __sshd_kernel_fips_mode
failed_when: false
when:
- __sshd_hostkeys_nofips != []
- name: Check the userspace FIPS mode
slurp:
src: /etc/system-fips
register: __sshd_userspace_fips_mode
failed_when: false
when:
- __sshd_hostkeys_nofips != []
- name: Make sure hostkeys are available and have expected permissions
vars: &share_vars
__sshd_fips_mode: >-
__sshd_hostkeys_nofips != [] and \
(__sshd_kernel_fips_mode.content | b64decode == "1" | bool or \
__sshd_kernel_fips_mode.content | b64decode != "0" | bool)
# This mimics the macro body_option() in sshd_config.j2
# The explicit to_json filter is needed for Python 2 compatibility
__sshd_hostkeys_from_config: >-
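Review bot: The `__sshd_fips_mode` expression as rendered does not evaluate to the intended boolean. Jinja's `|` binds tighter than `==`, so `content | b64decode == "1" | bool` compares the decoded text with `True`, and `content | b64decode != "0" | bool` compares it with `False`, which is always true, making the whole value true whenever `__sshd_hostkeys_nofips` is non-empty; the slurped content also carries a trailing newline, so even a correctly grouped `== "1"` needs `| trim`, and when the slurp fails (`failed_when: false` on a missing `/proc/sys/crypto/fips_enabled`) `.content` is undefined and the expression errors. As shown the value also has no `{{ }}` wrapper and uses `\` continuations inside a `>-` scalar, where the backslashes are literal text and a bare expression string is a truthy constant rather than an evaluated condition; if that is an artefact of the rendering, disregard that part. A corrected kernel check would be `{{ __sshd_hostkeys_nofips != [] and (__sshd_kernel_fips_mode.content | default('') | b64decode | trim == "1") }}`; the registered `__sshd_userspace_fips_mode` is not referenced in the visible expression, so state in a comment how it is meant to contribute or drop the task. The task list continues outside the hunk.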
@ -32,7 +52,11 @@
{% elif sshd['HostKey'] is defined %}
{{ sshd['HostKey'] | to_json }}
{% elif __sshd_defaults['HostKey'] is defined and not sshd_skip_defaults %}
{% if __sshd_fips_mode %}
{{ __sshd_defaults['HostKey'] | difference(__sshd_hostkeys_nofips) | to_json }}
{% else %}
{{ __sshd_defaults['HostKey'] | to_json }}
{% endif %}
{% else %}
[]
{% endif %}


@ -29,3 +29,5 @@ __sshd_os_supported: yes
__sshd_sysconfig_supports_use_strong_rng: true
__sshd_hostkey_group: ssh_keys
__sshd_hostkey_mode: "0640"
__sshd_hostkeys_nofips:
- /etc/ssh/ssh_host_ed25519_key


@ -31,3 +31,5 @@ __sshd_sysconfig_supports_use_strong_rng: true
__sshd_sysconfig_supports_crypto_policy: true
__sshd_hostkey_group: ssh_keys
__sshd_hostkey_mode: "0640"
__sshd_hostkeys_nofips:
- /etc/ssh/ssh_host_ed25519_key