Note: This is a beta release of Red Hat Bugzilla 5.0. The data contained within is a snapshot of the live data so any changes you make will not be reflected in the production Bugzilla. Also email is disabled so feel free to test any aspect of the site that you want. File any problems you find or give feedback here.
Bug 1007133 - PRD35 - [RFE][host-deploy] support more ciphers for ssh - upgrade apache-sshd to 0.11.0
Summary: PRD35 - [RFE][host-deploy] support more ciphers for ssh - upgrade apache-sshd...
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Virtualization Manager
Classification: Red Hat
Component: ovirt-engine
Version: 3.1.0
Hardware: Unspecified
OS: Unspecified
medium
medium
Target Milestone: ---
: 3.5.0
Assignee: Alon Bar-Lev
QA Contact: Jiri Belka
URL:
Whiteboard: infra
Depends On: 1013333 1094123
Blocks: rhev3.5beta 1156165
TreeView+ depends on / blocked
 
Reported: 2013-09-12 01:30 UTC by Aval
Modified: 2018-12-03 19:56 UTC (History)
16 users (show)

Fixed In Version:
Doc Type: Enhancement
Doc Text:
Clone Of:
Environment:
Last Closed: 2015-02-11 17:54:52 UTC
oVirt Team: Infra
Target Upstream Version:


Attachments (Terms of Use)


Links
System ID Priority Status Summary Last Updated
oVirt gerrit 19586 None None None Never
oVirt gerrit 26777 None None None Never
Red Hat Knowledge Base (Solution) 480653 None None None Never
Red Hat Product Errata RHSA-2015:0158 normal SHIPPED_LIVE Important: Red Hat Enterprise Virtualization Manager 3.5.0 2015-02-11 22:38:50 UTC

Description Aval 2013-09-12 01:30:23 UTC
Description of problem: SSH communication error while adding a RHEL host to RHEV-M. When RHEL host is customized/configured to use non-default cipher list for SSH, it cannot be added to RHEV-M.

The engine.log contains below error

2013-08-23 09:17:53,387 ERROR [org.ovirt.engine.core.utils.hostinstall.VdsInstallerSSH] (http-/0.0.0.0:8443-4) Could not connect to server 128.165.232.103: java.io.IOException: SSH session closed during connection '128.165.232.103:22'

The /var/log/messages on RHEL host contains below error

Aug 28 08:53:07 celerity-hst3 sshd[28499]: fatal: no matching cipher found: 
client aes128-cbc,3des-cbc,blowfish-cbc,aes192-cbc,aes256-cbc 
server aes128-ctr,aes192-ctr,aes256-ctr 


This prevents customers from using far more secure CTR ciphers, as we use default CBC ciphers.

Version-Release number of selected component (if applicable):
rhevm-3.1.0-55.el6ev.noarch
Apache sshd-core.version : 0.7.0

How reproducible:
Edit sshd config file on RHEL host to add custom ciphers, then try adding it to RHEV-M. It will fail with SSH error.

Steps to Reproduce:
1.Edit /etc/ssh/sshd_config file on RHEL host and add below line
Ciphers aes128-ctr,aes192-ctr,aes256-ctr  

2.# service sshd restart

3. Try to add RHEL host to RHEV-M

Actual results:
Not able to add host due to SSH communication error

Expected results:
Host should be added into RHEV-M

Additional info:

We still use sshd-core version 0.7.0, although Apache has already added the support of Non-CBC ciphers in version 0.8.0 due to security vulnerability (chosen-plaintext attacks) in CBC ciphers used.

Due to older version we restrict cutomers from using Non-CBC ciphers and make there RHEL hosts vulnerable to security attacks. 

Note : Even RHEV-M 3.2 uses the same version 0.7.0

Comment 1 Aval 2013-09-12 01:40:12 UTC
Due to older version , SSHClient used in RHEV-M uses only CBC ciphers. 
Version used in rhevm backend
==
pom.xml:    <sshd-core.version>0.7.0</sshd-core.version>
==

Ciphers used in Apache sshd-core 0.7.0
==
    avail.add(new AES128CBC.Factory()); 
    avail.add(new TripleDESCBC.Factory());
    avail.add(new BlowfishCBC.Factory());
    avail.add(new AES192CBC.Factory());
    avail.add(new AES256CBC.Factory());
==

Ciphers used in Apache sshd-core 0.8.0
==
    //Newly added after a security bug fix
    avail.add(new AES128CTR.Factory());
    avail.add(new AES256CTR.Factory());
    avail.add(new ARCFOUR128.Factory());
    avail.add(new ARCFOUR256.Factory());

    avail.add(new AES128CBC.Factory());
    avail.add(new TripleDESCBC.Factory());
    avail.add(new BlowfishCBC.Factory());
    avail.add(new AES192CBC.Factory());
    avail.add(new AES256CBC.Factory());
==

Comment 2 Alon Bar-Lev 2013-09-12 06:03:15 UTC
Itamar,

Good example of what we just discussed.

Current state is:

PACKAGE                      POM              FC19         EL6
apache-mina                  2.0.1            2.0.4-6      N/A
apache-sshd                  0.7.0            0.7.0-3      N/A

So even fedora 19 does not support this mode.

We can provide our own jars for EL6 to meet functionality requirement as it is not packages in EL6 (advantage?).

Then downgrade this and lose functionality in fedora as we want to use system jars. Or, depend on >=0.8.0 and force someone to provide correct rpms (us?).

Comment 3 Aval 2013-09-13 03:14:59 UTC
Customer wants to know, if for the temporary workaround can they use default SSH cipher settings to register host, later change the SSH cipher settings back to what they prefer. 

Will it break RHEV environment?

Apart from Install/Upgrade, for what other functions/operations do we need SSH communication between [ manager <==> host ] in RHEV environment?

Comment 4 Alon Bar-Lev 2013-09-13 06:20:57 UTC
(In reply to Aval from comment #3)
> Customer wants to know, if for the temporary workaround can they use default
> SSH cipher settings to register host, later change the SSH cipher settings
> back to what they prefer. 
> 
> Will it break RHEV environment?

It will not break rhev-3.2.

> Apart from Install/Upgrade, for what other functions/operations do we need
> SSH communication between [ manager <==> host ] in RHEV environment?

In rhev-3.3 a new feature is using ssh which is software fencing, so software fencing will not be available.

Apart from that there is the log-collector which relays on ssh, it currently uses the ssh command.

Comment 16 Alon Bar-Lev 2013-09-23 16:36:45 UTC
 Arthur Berezin 2013-09-23 09:34:44 EDT
> Target Release: 3.3.0 → 3.4.0
> Flags: rhevm-3.3.0? → rhevm-3.4.0?

As this is going to 3.4.0 now, it is not important so much for now.

Comment 17 Alon Bar-Lev 2013-09-25 20:03:48 UTC
Not a solution, but allows clean site specific workaround.

commit 691442bea852ea4ebac95f59ac8e3c767fe543ee
Author: Alon Bar-Lev <alonbl@redhat.com>
Date:   Wed Sep 25 22:56:17 2013 +0300

    packaging: support modifying java module path
    
    if a customer need to have more recent version of module, he currently
    have no way to apply except of replacing pre-installed files.
    
    this change allows customer to add his own module path to search path to
    shadow product modules.
    
    Change-Id: Ibda53f67fa801cf4eb00b11483e9a6ab712d4d74
    Signed-off-by: Alon Bar-Lev <alonbl@redhat.com>

---

In this case, this will enable customer to shadow product mina-core.jar and sshd-core.jar with newer versions.

Comment 21 Barak 2014-02-04 11:08:17 UTC
Moving to rhevm-future,
The mechanism to override the product's jboss modules  was added to 3.3,
Once a newer/stable apache-sshd version will be available this issue will be solvable within the product itself.

Comment 23 Barak 2014-03-03 19:27:48 UTC
Added improvement keyword.
Moved back to rhevm-future

Comment 24 Alon Bar-Lev 2014-05-04 17:22:27 UTC
apache-sshd-0.11.0 is out, finally all issues are resolved so we can use it.

Comment 27 Jiri Belka 2014-06-13 13:42:46 UTC
Doubts about aes192-ctr, a mail sent to rhev-devel list.

Comment 28 Jiri Belka 2014-06-17 14:58:20 UTC
ok, ovirt-3.5-pre

Comment 30 errata-xmlrpc 2015-02-11 17:54:52 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHSA-2015-0158.html


Note You need to log in before you can comment on or make changes to this bug.