From nobody Sun May 5 03:06:45 2024 Delivered-To: importer@patchew.org Received-SPF: pass (zohomail.com: domain of redhat.com designates 170.10.133.124 as permitted sender) client-ip=170.10.133.124; envelope-from=libvir-list-bounces@redhat.com; helo=us-smtp-delivery-124.mimecast.com; Authentication-Results: mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of redhat.com designates 170.10.133.124 as permitted sender) smtp.mailfrom=libvir-list-bounces@redhat.com; dmarc=pass(p=none dis=none) header.from=redhat.com ARC-Seal: i=1; a=rsa-sha256; t=1658754617; cv=none; d=zohomail.com; s=zohoarc; b=GnofULQ8TNxVPH2GjDxN5sqnWwxaiyAu+5sQrIzmRNkS4TziqaJIUMHYsCcR+sDDpW/TFUb48e88jBzkhmXeTdfyP5U8oqXOOgZZRuZljkJFK00PMD1p0DJH9E34ceghvaFDxUnIcSJhuko9/5ARM+cqoPHN0jz4OorOWEM/f04= ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=zohomail.com; s=zohoarc; t=1658754617; h=Content-Type:Content-Transfer-Encoding:Cc:Date:From:List-Subscribe:List-Post:List-Id:List-Archive:List-Help:List-Unsubscribe:MIME-Version:Message-ID:Sender:Subject:To; bh=annd+r/qhsscA0cW5kcXfIlbVjTkCHb/zlWeFKW+Sqc=; b=f681ijkhvYb9dz4YHgLgq3tzv8TGlxbIpk7ywcvPnOvVF5Nv1/2ZY/79diNqSJH8yLibnbxGy66RfaW5pyT43mEZndYpK37W7tGjfsFTke466ATbPB2VyKC0wmQDVzAS+LqlI6P80VzT7Tuyqn8TFLjpeKcnTDy6XyowqQoelq0= ARC-Authentication-Results: i=1; mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of redhat.com designates 170.10.133.124 as permitted sender) smtp.mailfrom=libvir-list-bounces@redhat.com; dmarc=pass header.from= (p=none dis=none) Return-Path: Received: from us-smtp-delivery-124.mimecast.com (us-smtp-delivery-124.mimecast.com [170.10.133.124]) by mx.zohomail.com with SMTPS id 1658754617493741.0378934468688; Mon, 25 Jul 2022 06:10:17 -0700 (PDT) Received: from mimecast-mx02.redhat.com (mimecast-mx02.redhat.com [66.187.233.88]) by relay.mimecast.com with ESMTP with STARTTLS (version=TLSv1.2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id us-mta-56-zO6Qvxo3Pd2qj614twKu3A-1; Mon, 25 Jul 2022 09:10:09 -0400 Received: from smtp.corp.redhat.com (int-mx05.intmail.prod.int.rdu2.redhat.com [10.11.54.5]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by mimecast-mx02.redhat.com (Postfix) with ESMTPS id 5903388741C; Mon, 25 Jul 2022 13:09:44 +0000 (UTC) Received: from mm-prod-listman-01.mail-001.prod.us-east-1.aws.redhat.com (unknown [10.30.29.100]) by smtp.corp.redhat.com (Postfix) with ESMTP id B7E6594584; Mon, 25 Jul 2022 13:09:43 +0000 (UTC) Received: from mm-prod-listman-01.mail-001.prod.us-east-1.aws.redhat.com (localhost [IPv6:::1]) by mm-prod-listman-01.mail-001.prod.us-east-1.aws.redhat.com (Postfix) with ESMTP id 8C1011945D83; Mon, 25 Jul 2022 13:09:43 +0000 (UTC) Received: from smtp.corp.redhat.com (int-mx01.intmail.prod.int.rdu2.redhat.com [10.11.54.1]) by mm-prod-listman-01.mail-001.prod.us-east-1.aws.redhat.com (Postfix) with ESMTP id 294721945D81 for ; Mon, 25 Jul 2022 13:09:42 +0000 (UTC) Received: by smtp.corp.redhat.com (Postfix) id 1883C40466AA; Mon, 25 Jul 2022 13:09:42 +0000 (UTC) Received: from devr9.home.annexia.org (unknown [10.39.194.225]) by smtp.corp.redhat.com (Postfix) with ESMTP id 3D32940CFD0B; Mon, 25 Jul 2022 13:09:40 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com; s=mimecast20190719; t=1658754616; h=from:from:sender:sender:reply-to:subject:subject:date:date: message-id:message-id:to:to:cc:cc:mime-version:mime-version: content-type:content-type: content-transfer-encoding:content-transfer-encoding:list-id:list-help: list-unsubscribe:list-subscribe:list-post; bh=annd+r/qhsscA0cW5kcXfIlbVjTkCHb/zlWeFKW+Sqc=; b=ElJ/e2/9n8nY/S+JnNo1rFmbteAtLrL1Y0JKjqyYFVI3bKKSgCIKqGoWLd7ieVAweHJum/ P603VenZOVNgu1nb8oQbf9MtyVQ/b6SKkRZphpv8kqNbMkAw7mCnmQY5Nz5iKpjHFZe1xo 0hU1KO8Tj0r0sWo200YOVgtW2C8hXzk= X-MC-Unique: zO6Qvxo3Pd2qj614twKu3A-1 X-Original-To: libvir-list@listman.corp.redhat.com From: "Richard W.M. Jones" To: libvir-list@redhat.com Subject: [PATCH] rpc: Pass OPENSSL_CONF through to ssh invocations Date: Mon, 25 Jul 2022 14:09:39 +0100 Message-Id: <20220725130939.1200674-1-rjones@redhat.com> MIME-Version: 1.0 X-Scanned-By: MIMEDefang 2.84 on 10.11.54.1 X-BeenThere: libvir-list@redhat.com X-Mailman-Version: 2.1.29 Precedence: list List-Id: Development discussions about the libvirt library & tools List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Cc: lersek@redhat.com Errors-To: libvir-list-bounces@redhat.com Sender: "libvir-list" X-Scanned-By: MIMEDefang 2.79 on 10.11.54.5 Authentication-Results: relay.mimecast.com; auth=pass smtp.auth=CUSA124A263 smtp.mailfrom=libvir-list-bounces@redhat.com X-Mimecast-Spam-Score: 0 X-Mimecast-Originator: redhat.com Content-Transfer-Encoding: quoted-printable X-ZohoMail-DKIM: pass (identity @redhat.com) X-ZM-MESSAGEID: 1658754619687100001 Content-Type: text/plain; charset="utf-8"; x-default="true" It's no longer possible for libvirt to connect over the ssh transport from RHEL 9 to RHEL 5. This is because SHA1 signatures have been effectively banned in RHEL 9 at the openssl level. They are required to check the RHEL 5 host key. Note this is a separate issue from openssh requiring additional configuration in order to connect to older servers. Connecting from a RHEL 9 client to RHEL 5 server: $ cat ~/.ssh/config Host 192.168.0.91 KexAlgorithms +diffie-hellman-group14-sha1 MACs +hmac-sha1 HostKeyAlgorithms +ssh-rsa PubkeyAcceptedKeyTypes +ssh-rsa PubkeyAcceptedAlgorithms +ssh-rsa $ virsh -c 'qemu+ssh://root@192.168.0.91/system' list error: failed to connect to the hypervisor error: Cannot recv data: ssh_dispatch_run_fatal: Connection to 192.168.0.91= port 22: error in libcrypto: Connection reset by peer "error in libcrypto: Connection reset by peer" is the characteristic error of openssl having been modified to disable SHA1 by default. (You will not see this on non-RHEL-derived distros.) You could enable the legacy crypto policy which downgrades security on the entire host, but a more fine-grained way to do this is to create an alternate openssl configuration file that enables the "forbidden" signatures. However this requires passing the OPENSSL_CONF environment variable through to ssh to specify the alternate configuration. Libvirt filters out this environment variable, but this commit allows it through. With this commit: $ cat /var/tmp/openssl.cnf .include /etc/ssl/openssl.cnf [openssl_init] alg_section =3D evp_properties [evp_properties] rh-allow-sha1-signatures =3D yes $ OPENSSL_CONF=3D/var/tmp/openssl.cnf ./run virsh -c 'qemu+ssh://root@192.1= 68.0.91/system' list root@192.168.0.91's password: Id Name State Acked-by: Laszlo Ersek Reviewed-by: Michal Privoznik -------------------- Essentially my argument here is that OPENSSL_CONF is sufficiently similar in nature to KRB5CCNAME, SSH* and XAUTHORITY that we should permit it to be passed through. Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=3D2062360 Signed-off-by: Richard W.M. Jones --- src/rpc/virnetsocket.c | 1 + 1 file changed, 1 insertion(+) diff --git a/src/rpc/virnetsocket.c b/src/rpc/virnetsocket.c index 32f506d2d4..8280bda007 100644 --- a/src/rpc/virnetsocket.c +++ b/src/rpc/virnetsocket.c @@ -855,6 +855,7 @@ int virNetSocketNewConnectSSH(const char *nodename, virCommandAddEnvPass(cmd, "KRB5CCNAME"); virCommandAddEnvPass(cmd, "SSH_AUTH_SOCK"); virCommandAddEnvPass(cmd, "SSH_ASKPASS"); + virCommandAddEnvPass(cmd, "OPENSSL_CONF"); virCommandAddEnvPass(cmd, "DISPLAY"); virCommandAddEnvPass(cmd, "XAUTHORITY"); virCommandClearCaps(cmd); --=20 2.31.1