guacamole-user mailing list archives

From <>
Subject RE: Connection failures
Date Wed, 24 Jan 2018 18:03:37 GMT
We had a fully patched RHEL 7.4 server, and ran the following commands on it (based on the
article found here, which requires a Red Hat account to look at):

yum install dracut-fips
grep -qw aes /proc/cpuinfo && echo YES || echo no
# If the above grep returns YES: yum install dracut-fips-aesni
rpm -q prelink
mv -v /boot/initramfs-$(uname -r).img{,.bak}
grubby --update-kernel=$(grubby --default-kernel) --args=fips=1
uuid=$(findmnt -no uuid /boot)
echo $uuid
[[ -n $uuid ]] && grubby --update-kernel=$(grubby --default-kernel) --args=boot=UUID=${uuid}
sysctl crypto.fips_enabled
sed -i '/^GRUB_CMDLINE_LINUX=/s/"$/ fips=1"/' /etc/default/grub
uuid=$(findmnt -no uuid /boot)
echo $uuid
[[ -n $uuid ]] && sed -i "/^GRUB_CMDLINE_LINUX=/s/\"$/ boot=UUID=${uuid}\"/" /etc/default/grub


From: Nick Couchman []
Sent: Wednesday, January 24, 2018 11:54 AM
Subject: Re: Connection failures

On Wed, Jan 24, 2018 at 10:55 AM, <<>>
As a test, I made a new Guacamole connection to a server that we did NOT make FIPS 140-2 compliant
yet, and was able to get right in.  So the FIPS 140-2 is definitely the issue.  So I need
to know if there’s something in guacamole 0.9.13 that I need to tweak, or libssh2.  I’m
not sure if I can update libssh2 to a newer version, as 1.4.3 is the latest available in the
RHEL 7.4 patch trail.

Can you remind/post the changes made to make the SSH server FIPS 140-2 compliant?  You may
have already posted it, so apologies if that's a repeat, but I can try to reproduce and see
what happens.

I do not believe there is anything in Guacamole specifically that deals with this, it should
all be in libssh2, but we can take a look.
