From c6ea67c481a2f447951449bd9b2746cfaaf385fd Mon Sep 17 00:00:00 2001
Message-Id: <c6ea67c481a2f447951449bd9b2746cfaaf385fd@dist-git>
From: "Richard W.M. Jones" <rjones@redhat.com>
Date: Mon, 25 Jul 2022 14:09:39 +0100
Subject: [PATCH] rpc: Pass OPENSSL_CONF through to ssh invocations
It's no longer possible for libvirt to connect over the ssh transport
from RHEL 9 to RHEL 5. This is because SHA1 signatures have been
effectively banned in RHEL 9 at the openssl level. They are required
to check the RHEL 5 host key. Note this is a separate issue from
openssh requiring additional configuration in order to connect to
older servers.
Connecting from a RHEL 9 client to RHEL 5 server:
$ cat ~/.ssh/config
Host 192.168.0.91
KexAlgorithms +diffie-hellman-group14-sha1
MACs +hmac-sha1
HostKeyAlgorithms +ssh-rsa
PubkeyAcceptedKeyTypes +ssh-rsa
PubkeyAcceptedAlgorithms +ssh-rsa
$ virsh -c 'qemu+ssh://root@192.168.0.91/system' list
error: failed to connect to the hypervisor
error: Cannot recv data: ssh_dispatch_run_fatal: Connection to 192.168.0.91 port 22: error in libcrypto: Connection reset by peer
"error in libcrypto: Connection reset by peer" is the characteristic
error of openssl having been modified to disable SHA1 by default.
(You will not see this on non-RHEL-derived distros.)
You could enable the legacy crypto policy which downgrades security on
the entire host, but a more fine-grained way to do this is to create
an alternate openssl configuration file that enables the "forbidden"
signatures. However this requires passing the OPENSSL_CONF
environment variable through to ssh to specify the alternate
configuration. Libvirt filters out this environment variable, but
this commit allows it through. With this commit:
$ cat /var/tmp/openssl.cnf
.include /etc/ssl/openssl.cnf
[openssl_init]
alg_section = evp_properties
[evp_properties]
rh-allow-sha1-signatures = yes
$ OPENSSL_CONF=/var/tmp/openssl.cnf ./run virsh -c 'qemu+ssh://root@192.168.0.91/system' list
root@192.168.0.91's password:
Id Name State
--------------------
Essentially my argument here is that OPENSSL_CONF is sufficiently
similar in nature to KRB5CCNAME, SSH* and XAUTHORITY that we should
permit it to be passed through.
virt-v2v bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=2062360
Signed-off-by: Richard W.M. Jones <rjones@redhat.com>
Acked-by: Laszlo Ersek <lersek@redhat.com>
Reviewed-by: Michal Privoznik <mprivozn@redhat.com>
(cherry picked from commit 45912ac399abd9d4eba21fa3f15cb7587351f959)
Libvirt BZ: https://bugzilla.redhat.com/show_bug.cgi?id=2112348
Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
---
src/rpc/virnetsocket.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/src/rpc/virnetsocket.c b/src/rpc/virnetsocket.c
|
|
|
a1c947 |
index 32f506d2d4..8280bda007 100644
|
|
|
a1c947 |
--- a/src/rpc/virnetsocket.c
|
|
|
a1c947 |
+++ b/src/rpc/virnetsocket.c
|
|
|
a1c947 |
@@ -855,6 +855,7 @@ int virNetSocketNewConnectSSH(const char *nodename,
|
|
|
a1c947 |
virCommandAddEnvPass(cmd, "KRB5CCNAME");
|
|
|
a1c947 |
virCommandAddEnvPass(cmd, "SSH_AUTH_SOCK");
|
|
|
a1c947 |
virCommandAddEnvPass(cmd, "SSH_ASKPASS");
|
|
|
a1c947 |
+ virCommandAddEnvPass(cmd, "OPENSSL_CONF");
|
|
|
a1c947 |
virCommandAddEnvPass(cmd, "DISPLAY");
|
|
|
a1c947 |
virCommandAddEnvPass(cmd, "XAUTHORITY");
|
|
|
a1c947 |
virCommandClearCaps(cmd);
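Review bot: The added `virCommandAddEnvPass(cmd, "OPENSSL_CONF");` widens what a caller can hand the ssh child without recording the trust model in the code: an OpenSSL configuration file can do considerably more than relax a signature policy, since its engine/provider sections can direct libcrypto to load shared objects, so whoever controls this variable effectively controls code running inside ssh. That is the same class of capability the existing `SSH_ASKPASS` pass-through already grants (it names a program to execute), and it is acceptable only because ssh here is spawned with the caller's own credentials — the `virCommandClearCaps(cmd)` call below suggests no elevated capabilities are intended, but the list itself says nothing. I would add a comment above the pass-through block: `/* Deliberately forwarded: SSH_ASKPASS and OPENSSL_CONF let the caller make the child run code of their choosing (a program, or engine/provider modules named in the config); this is only safe because ssh runs unprivileged as the caller. */`. If this path can also be reached from a privileged daemon whose environment is not set by the connecting user (e.g. daemon-side migration), that comment is where a later reader would expect the caveat spelled out. The enclosing function virNetSocketNewConnectSSH starts before the hunk.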
--
2.35.1