guacamole-user mailing list archives

From <>
Subject RE: Connection failures
Date Wed, 24 Jan 2018 19:49:39 GMT
Did some more debugging.  When we try to connect to a server that is FIPS 140-2 compliant,
here are the algorithms that are expected:

When I try to connect via a Guacamole SSH session, here are the algorithms being sent:
debug2: KEX algorithms: ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256,ext-info-c
debug2: host key algorithms:,,,,,,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-ed25519,rsa-sha2-512,rsa-sha2-256,ssh-rsa,ssh-dss
debug2: ciphers ctos: aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,3des-cbc,aes192-cbc,aes256-cbc,
debug2: ciphers stoc: aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,3des-cbc,aes192-cbc,aes256-cbc,
debug2: MACs ctos: hmac-sha1,hmac-sha2-256,hmac-sha2-512,,,
debug2: MACs stoc: hmac-sha1,hmac-sha2-256,hmac-sha2-512,,,

Jan 24 14:42:38 carts sshd[6890]: FIPS mode initialized
Jan 24 14:42:38 carts sshd[6890]: Unable to negotiate with port 57948: no matching
key exchange method found. Their offer: diffie-hellman-group14-sha1,diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1

It looks to me like Guacamole isn't sending the proper algorithms or ciphers in its
SSH request.  Not sure if the issue is in Guacamole itself or in libssh2, which is 1.4.3 at
the moment.
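An added diagnostic, not part of this thread, that parses the sshd "Unable to negotiate" line and the debug2 KEX list quoted above and reports which algorithms the two sides have in common. It assumes the debug2 KEX list is the set the FIPS side accepts (the message does not say where that output was captured), and it also handles sshd's cipher, MAC and host key type variants of the same message.

```python
import re

# Constructed sample input, shaped after the lines quoted in the thread.
SSHD_LOG = (
    "Jan 24 14:42:38 carts sshd[6890]: Unable to negotiate with port 57948: "
    "no matching key exchange method found. Their offer: "
    "diffie-hellman-group14-sha1,diffie-hellman-group-exchange-sha1,"
    "diffie-hellman-group1-sha1"
)
# The debug2 KEX line from the thread, taken here (an assumption) as the accepted list.
ACCEPTED_KEX = (
    "debug2: KEX algorithms: ecdh-sha2-nistp256,ecdh-sha2-nistp384,"
    "ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,"
    "diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,"
    "diffie-hellman-group14-sha256,ext-info-c"
)

# sshd names the failing stage (key exchange method, cipher, MAC, host key type)
# and the peer's offer in one message; the regex covers all of those variants.
_NEGOTIATE_RE = re.compile(
    r"Unable to negotiate with (?P<peer>.*?): no matching (?P<stage>.+?) found\. "
    r"Their offer: (?P<offer>\S+)"
)

def parse_offer(log_line):
    """Return (stage, peer, offered algorithms) from a negotiation failure, else None."""
    m = _NEGOTIATE_RE.search(log_line)
    if not m:
        return None
    return m.group("stage"), m.group("peer"), [a for a in m.group("offer").split(",") if a]

def parse_algorithm_list(debug_line):
    """Names from a 'debug2: <label>: a,b,c' line, dropping empty fields (the thread's
    lines show ',,,' where names were lost) and ext-info-c, which is not a KEX method."""
    names = debug_line.split(":")[-1].strip().split(",")
    return [n for n in names if n and n != "ext-info-c"]

def diagnose(log_line, accepted_line):
    """Intersect the peer's offer with the accepted list and state the outcome."""
    parsed = parse_offer(log_line)
    if parsed is None:
        return {"stage": None, "offer": [], "common": [], "verdict": "not a negotiation failure"}
    stage, peer, offer = parsed
    common = [a for a in offer if a in parse_algorithm_list(accepted_line)]
    if common:
        verdict = "overlap: " + ",".join(common)
    else:
        verdict = "no overlap; peer offered only " + ",".join(offer)
    return {"stage": stage, "peer": peer, "offer": offer, "common": common, "verdict": verdict}

if __name__ == "__main__":
    print(diagnose(SSHD_LOG, ACCEPTED_KEX)["verdict"])
```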


From: Devine, Harry (FAA)
Sent: Wednesday, January 24, 2018 1:04 PM
Subject: RE: Connection failures

We had a fully patched RHEL 7.4 server, and ran the following commands on it (based on the
article found here, which requires a Red Hat account to look at):

# Install the dracut module that performs the FIPS integrity check at boot
yum install dracut-fips
# Check whether the CPU supports AES-NI
grep -qw aes /proc/cpuinfo && echo YES || echo no
# If the above grep returns YES: yum install dracut-fips-aesni
# prelink must not be installed on a FIPS system
rpm -q prelink
# Move the current initramfs aside so it can be regenerated with the FIPS module
mv -v /boot/initramfs-$(uname -r).img{,.bak}
# Add fips=1 to the default kernel's boot arguments
grubby --update-kernel=$(grubby --default-kernel) --args=fips=1
# If /boot is a separate partition, also pass boot=UUID=<uuid of /boot>
uuid=$(findmnt -no uuid /boot)
echo $uuid
[[ -n $uuid ]] && grubby --update-kernel=$(grubby --default-kernel) --args=boot=UUID=${uuid}
# Reports 1 once the system has been rebooted into FIPS mode
sysctl crypto.fips_enabled
# Persist the same arguments in /etc/default/grub so future kernels inherit them
sed -i '/^GRUB_CMDLINE_LINUX=/s/"$/ fips=1"/' /etc/default/grub
uuid=$(findmnt -no uuid /boot)
echo $uuid
[[ -n $uuid ]] && sed -i "/^GRUB_CMDLINE_LINUX=/s/\"$/ boot=UUID=${uuid}\"/" /etc/default/grub


From: Nick Couchman []
Sent: Wednesday, January 24, 2018 11:54 AM
Subject: Re: Connection failures

On Wed, Jan 24, 2018 at 10:55 AM, <<>> wrote:
> As a test, I made a new Guacamole connection to a server that we did NOT make FIPS 140-2 compliant
> yet, and was able to get right in.  So the FIPS 140-2 is definitely the issue.  So I need
> to know if there's something in guacamole 0.9.13 that I need to tweak, or libssh2.  I'm
> not sure if I can update libssh2 to a newer version, as 1.4.3 is the latest available in the
> RHEL 7.4 patch trail.

Can you remind/post the changes made to make the SSH server FIPS 140-2 compliant?  You may
have already posted it, so apologies if that's a repeat, but I can try to reproduce and see
what happens.

I do not believe there is anything in Guacamole specifically that deals with this, it should
all be in libssh2, but we can take a look.
