guacamole-user mailing list archives

From <harry.dev...@faa.gov>
Subject RE: Connection failures
Date Wed, 24 Jan 2018 19:49:39 GMT
Did some more debugging.  When we try to connect to a server that is FIPS 140-2 compliant,
here are the algorithms that are expected:

When I try to connect via a Guacamole SSH session, here are the algorithms being sent:
debug2: KEX algorithms: ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256,ext-info-c
debug2: host key algorithms: ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521-cert-v01@openssh.com,ssh-ed25519-cert-v01@openssh.com,ssh-rsa-cert-v01@openssh.com,ssh-dss-cert-v01@openssh.com,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-ed25519,rsa-sha2-512,rsa-sha2-256,ssh-rsa,ssh-dss
debug2: ciphers ctos: aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,3des-cbc,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se
debug2: ciphers stoc: aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,3des-cbc,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se
debug2: MACs ctos: hmac-sha1,hmac-sha2-256,hmac-sha2-512,hmac-sha1-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com
debug2: MACs stoc: hmac-sha1,hmac-sha2-256,hmac-sha2-512,hmac-sha1-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com

Jan 24 14:42:38 carts sshd[6890]: FIPS mode initialized
Jan 24 14:42:38 carts sshd[6890]: Unable to negotiate with 172.26.170.72 port 57948: no matching key exchange method found. Their offer: diffie-hellman-group14-sha1,diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1 [preauth]

It looks to me like Guacamole isn't sending the proper algorithms or ciphers in its
SSH request.  Not sure if the issue is in Guacamole itself or in libssh2, which is 1.4.3 at
the moment.

Thanks,
Harry
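The failure in the sshd log above is the SSH algorithm negotiation rule at work: the server picks the first name on the client's list that it also supports, and drops the connection if there is none. The following is an added example, not code from the thread or from Guacamole, that parses an "Unable to negotiate" line and replays that rule against a server list; the server KEX list and the log line are taken from the message above as constructed sample input, and the real FIPS-mode list depends on the sshd build.

```python
import re
from typing import Optional

# KEX name-list quoted in the message above, used as the server's supported set
# (constructed sample input; a FIPS-mode sshd may allow a different list).
SERVER_KEX = (
    "ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,"
    "diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,"
    "diffie-hellman-group18-sha512,diffie-hellman-group14-sha256,ext-info-c"
)

# The sshd log line from the message above, re-joined onto one line (constructed sample).
SSHD_LOG = (
    "Jan 24 14:42:38 carts sshd[6890]: Unable to negotiate with 172.26.170.72 port 57948: "
    "no matching key exchange method found. Their offer: diffie-hellman-group14-sha1,"
    "diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1 [preauth]"
)

# OpenSSH's negotiation-failure message: peer, port, which algorithm class failed, and
# the comma-separated name-list the client offered.
OFFER_RE = re.compile(
    r"Unable to negotiate with (?P<peer>\S+) port (?P<port>\d+): "
    r"no matching (?P<what>.+?) found\. Their offer: (?P<offer>\S+)"
)


def parse_offer(line: str) -> Optional[dict]:
    """Return peer, port, failed algorithm class and the client's offer, or None."""
    m = OFFER_RE.search(line)
    if not m:
        return None
    return {"peer": m["peer"], "port": int(m["port"]),
            "what": m["what"], "offer": m["offer"].split(",")}


def negotiate(client: list, server: list) -> Optional[str]:
    """RFC 4253 section 7.1: the first name on the client's list that the server
    also supports is chosen; None means the connection is dropped."""
    supported = set(server)
    return next((name for name in client if name in supported), None)


def explain(line: str, server_kex: str) -> str:
    """Diagnose one sshd log line against the server's KEX name-list."""
    info = parse_offer(line)
    if info is None:
        return "not a negotiation failure line"
    chosen = negotiate(info["offer"], server_kex.split(","))
    if chosen:
        return f"{info['peer']}: would negotiate {chosen}"
    return (f"{info['peer']}: no common {info['what']}; client offered only "
            + ", ".join(info["offer"]))
```

Running `explain(SSHD_LOG, SERVER_KEX)` reports that the client offered only SHA-1 key exchange methods, none of which appear in the server's list, which is exactly why sshd dropped the connection.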

From: Devine, Harry (FAA)
Sent: Wednesday, January 24, 2018 1:04 PM
To: user@guacamole.apache.org
Subject: RE: Connection failures

We had a fully patched RHEL 7.4 server, and ran the following commands on it (based on the
article found here, which requires a Red Hat account to view: https://access.redhat.com/solutions/137833):

# Install the FIPS integrity-check module for the initramfs
yum install dracut-fips
# Check whether the CPU supports AES-NI
grep -qw aes /proc/cpuinfo && echo YES || echo no
# If the above grep returns YES: yum install dracut-fips-aesni
# prelink must be absent or disabled in FIPS mode; check whether it is installed
rpm -q prelink
# Back up the current initramfs and rebuild it with the FIPS module included
mv -v /boot/initramfs-$(uname -r).img{,.bak}
dracut
# Add fips=1 to the default kernel's boot arguments
grubby --update-kernel=$(grubby --default-kernel) --args=fips=1
# If /boot is a separate partition, the kernel must also be told where it is
uuid=$(findmnt -no uuid /boot)
echo $uuid
[[ -n $uuid ]] && grubby --update-kernel=$(grubby --default-kernel) --args=boot=UUID=${uuid}
reboot
# After the reboot this should report crypto.fips_enabled = 1
sysctl crypto.fips_enabled
# Add the same fips=1 argument to the default GRUB command line in /etc/default/grub
sed -i '/^GRUB_CMDLINE_LINUX=/s/"$/ fips=1"/' /etc/default/grub
uuid=$(findmnt -no uuid /boot)
echo $uuid
[[ -n $uuid ]] && sed -i "/^GRUB_CMDLINE_LINUX=/s/\"$/ boot=UUID=${uuid}\"/" /etc/default/grub
reboot

Thanks,
Harry

From: Nick Couchman [mailto:vnick@apache.org]
Sent: Wednesday, January 24, 2018 11:54 AM
To: user@guacamole.apache.org
Subject: Re: Connection failures

On Wed, Jan 24, 2018 at 10:55 AM, <harry.devine@faa.gov> wrote:
As a test, I made a new Guacamole connection to a server that we did NOT make FIPS 140-2 compliant
yet, and was able to get right in.  So the FIPS 140-2 is definitely the issue.  So I need
to know if there’s something in guacamole 0.9.13 that I need to tweak, or libssh2.  I’m
not sure if I can update libssh2 to a newer version, as 1.4.3 is the latest available in the
RHEL 7.4 patch trail.

Can you remind/post the changes made to make the SSH server FIPS 140-2 compliant?  You may
have already posted it, so apologies if that's a repeat, but I can try to reproduce and see
what happens.

I do not believe there is anything in Guacamole specifically that deals with this, it should
all be in libssh2, but we can take a look.

-Nick