guacamole-user mailing list archives

From <harry.dev...@faa.gov>
Subject RE: Connection failures
Date Wed, 24 Jan 2018 18:03:37 GMT
We had a fully patched RHEL 7.4 server, and ran the following commands on it (based on the
article found here, which requires a Red Hat account to look at: https://access.redhat.com/solutions/137833):

# 1. Install the FIPS dracut module (plus the AES-NI variant when the CPU supports it)
yum install dracut-fips
grep -qw aes /proc/cpuinfo && echo YES || echo no
# If the above grep returns YES: yum install dracut-fips-aesni
# 2. prelink must not be present: if this reports it installed, undo prelinking and remove
#    the package before rebuilding the initramfs (prelinked libraries fail the FIPS integrity checks)
rpm -q prelink
# 3. Back up the current initramfs and rebuild it so it contains the FIPS module
mv -v /boot/initramfs-$(uname -r).img{,.bak}
dracut
# 4. Add fips=1 to the default kernel entry; when /boot is a separate filesystem the kernel
#    also needs boot=UUID=<uuid> so the integrity check can find /boot before root is mounted
grubby --update-kernel=$(grubby --default-kernel) --args=fips=1
uuid=$(findmnt -no uuid /boot)
echo $uuid
[[ -n $uuid ]] && grubby --update-kernel=$(grubby --default-kernel) --args=boot=UUID=${uuid}
reboot
# 5. After the reboot this should report crypto.fips_enabled = 1
sysctl crypto.fips_enabled
# 6. Mirror the same arguments in /etc/default/grub, otherwise a later grub2-mkconfig drops them
sed -i '/^GRUB_CMDLINE_LINUX=/s/"$/ fips=1"/' /etc/default/grub
uuid=$(findmnt -no uuid /boot)
echo $uuid
[[ -n $uuid ]] && sed -i "/^GRUB_CMDLINE_LINUX=/s/\"$/ boot=UUID=${uuid}\"/" /etc/default/grub
reboot

Thanks,
Harry

From: Nick Couchman <vnick@apache.org>
Sent: Wednesday, January 24, 2018 11:54 AM
To: user@guacamole.apache.org
Subject: Re: Connection failures

On Wed, Jan 24, 2018 at 10:55 AM, <harry.devine@faa.gov> wrote:
As a test, I made a new Guacamole connection to a server that we did NOT make FIPS 140-2 compliant
yet, and was able to get right in.  So the FIPS 140-2 is definitely the issue.  So I need
to know if there’s something in guacamole 0.9.13 that I need to tweak, or libssh2.  I’m
not sure if I can update libssh2 to a newer version, as 1.4.3 is the latest available in the
RHEL 7.4 patch trail.

Can you remind/post the changes made to make the SSH server FIPS 140-2 compliant?  You may
have already posted it, so apologies if that's a repeat, but I can try to reproduce and see
what happens.

I do not believe there is anything in Guacamole specifically that deals with this, it should
all be in libssh2, but we can take a look.

-Nick
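A post-reboot consistency check for the commands Harry listed at the top of this message, added here as an example; it is not from the thread, the Red Hat article, or the Guacamole project. It catches the half-applied states the procedure makes easy to reach (fips=1 on the running kernel but not in /etc/default/grub, a missing boot=UUID for a separate /boot, or the box not yet rebooted), which otherwise surface only as opaque SSH failures. The UUID, kernel command lines and grub file contents in the sample are constructed; on a real host it reads /proc/cmdline, /etc/default/grub, sysctl and findmnt, the same sources the procedure touches.

```shell
#!/bin/sh
# Audit the FIPS 140-2 changes after a reboot. Each check takes its input as
# arguments so it can run on constructed sample data as well as on a live host.

# Does a kernel command line carry fips=1, and boot=UUID=<uuid> when /boot is a
# separate filesystem? ($2 empty means /boot lives on the root filesystem.)
cmdline_has_fips() {
    padded=" $1 "
    case "$padded" in
        *" fips=1 "*) ;;
        *) return 1 ;;
    esac
    if [ -n "$2" ]; then
        case "$padded" in
            *" boot=UUID=$2 "*) ;;
            *) return 1 ;;
        esac
    fi
    return 0
}

# Does the GRUB_CMDLINE_LINUX line of an /etc/default/grub-style file ($1) carry the
# same arguments? grubby only edits the existing boot entry, so without this a later
# grub2-mkconfig regenerates grub.cfg without fips=1.
grub_default_has_fips() {
    line=$(grep '^GRUB_CMDLINE_LINUX=' "$1" 2>/dev/null | tail -n 1)
    [ -n "$line" ] || return 1
    args=${line#GRUB_CMDLINE_LINUX=}
    args=${args#\"}
    args=${args%\"}
    cmdline_has_fips "$args" "$2"
}

# Run all checks; prints one FAIL line per problem and returns the number of failures.
# $1 = running kernel command line, $2 = path to /etc/default/grub,
# $3 = value of crypto.fips_enabled, $4 = UUID of /boot or "".
fips_audit() {
    failures=0
    if ! cmdline_has_fips "$1" "$4"; then
        echo "FAIL: running kernel lacks fips=1 or boot=UUID=$4"
        failures=$((failures + 1))
    fi
    if ! grub_default_has_fips "$2" "$4"; then
        echo "FAIL: $2 not updated; grub2-mkconfig would drop the FIPS arguments"
        failures=$((failures + 1))
    fi
    if [ "$3" != "1" ]; then
        echo "FAIL: crypto.fips_enabled is '$3', expected 1"
        failures=$((failures + 1))
    fi
    if [ "$failures" -eq 0 ]; then
        echo "OK: FIPS mode consistently enabled"
    fi
    return "$failures"
}

# Constructed sample data (made-up UUID and command line, not from a real host).
SAMPLE_UUID=1111-2222
SAMPLE_CMDLINE="BOOT_IMAGE=/vmlinuz-3.10.0 root=/dev/mapper/rhel-root ro fips=1 boot=UUID=$SAMPLE_UUID"
write_sample_grub() {
    # $1 = "good" (both arguments present) or "stale" (file never edited); prints the path
    f=$(mktemp)
    if [ "$1" = good ]; then
        printf 'GRUB_CMDLINE_LINUX="crashkernel=auto rhgb quiet fips=1 boot=UUID=%s"\n' "$SAMPLE_UUID" > "$f"
    else
        printf 'GRUB_CMDLINE_LINUX="crashkernel=auto rhgb quiet"\n' > "$f"
    fi
    echo "$f"
}

# Live use (as root): sh fips_audit.sh --live ; without the flag, run on the sample data.
if [ "${1:-}" = "--live" ]; then
    fips_audit "$(cat /proc/cmdline)" /etc/default/grub \
        "$(sysctl -n crypto.fips_enabled)" "$(findmnt -no uuid /boot)"
else
    echo "== sample: procedure fully applied =="
    fips_audit "$SAMPLE_CMDLINE" "$(write_sample_grub good)" 1 "$SAMPLE_UUID" || true
    echo "== sample: grubby run, /etc/default/grub untouched, not yet rebooted =="
    fips_audit "ro crashkernel=auto rhgb quiet" "$(write_sample_grub stale)" 0 "$SAMPLE_UUID" || true
fi
```

The return value is the failure count, so the script can gate a configuration-management run or a monitoring check; the boot=UUID test is skipped only when findmnt reports no separate /boot, which is exactly the case Harry's `[[ -n $uuid ]]` guard handles.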