[Satellite6] Remote Execution fail with FIPS enabled on client

Solution Verified - Updated

Environment

Red Hat Satellite 6.x

Issue

A Satellite Remote Execution job fails on a client that has FIPS mode enabled.

Error initializing command: Net::SSH::HostKeyMismatch - fingerprint (could not generate fingerprint: Digest initialization failed: disabled for fips) does not match for "IP"

Resolution

  1. Use "Ansible Commands" or "Install errata - Katello ansible default" instead of Remote Execution.
  2. Change from FIPS to another crypto policy.
  3. Change the crypto policy for the OpenSSH server only, as described below. This makes your OpenSSH server not FIPS compliant; see Solution 4906221 for more information.

First check that the message shown in Diagnostic Steps is the same one you see in your case.

userauth_pubkey: key type ssh-rsa not in PubkeyAcceptedKeyTypes [preauth]

As the message shows, ssh-rsa is not an accepted public key type.

Edit /etc/crypto-policies/back-ends/opensshserver.config and add the ssh-rsa type to -oPubkeyAcceptedKeyTypes:

CRYPTO_POLICY='... -oPubkeyAcceptedKeyTypes=rsa-sha2-256,rsa-sha2-256-cert-v01@openssh.com,ecdsa-sha2-nistp256,ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384,ecdsa-sha2-nistp384-cert-v01@openssh.com,rsa-sha2-512,rsa-sha2-512-cert-v01@openssh.com,ecdsa-sha2-nistp521,ecdsa-sha2-nistp521-cert-v01@openssh.com,ssh-rsa ...'

After that, restart the sshd service:

# systemctl restart sshd

Then retry Remote Execution on this client.

For more KB articles/solutions related to Red Hat Satellite 6.x Remote Execution Issues, please refer to the Red Hat Satellite Consolidated Troubleshooting Article for Red Hat Satellite 6.x Remote Execution Issues

Root Cause

The Ruby SSH implementation used by Remote Execution changes the key type from rsa-sha2-512 to ssh-rsa.
The current crypto policy on the client does not allow the public key type ssh-rsa.

Diagnostic Steps

On the client, follow journalctl while the Remote Execution job starts:

# journalctl -f
Aug 26 11:47:54 client.example.com sshd[36555]: FIPS mode initialized
Aug 26 11:47:54 client.example.com sshd[36555]: Using arbitrary primes is not allowed in FIPS mode. Falling back to known groups.
Aug 26 11:47:54 client.example.com sshd[36555]: userauth_pubkey: key type ssh-rsa not in PubkeyAcceptedKeyTypes [preauth]
Aug 26 11:47:54 client.example.com sshd[36555]: Connection closed by authenticating user username xxx.xxx.xxx.xxx port 49080 [preauth]

Also verify the crypto-policy setting on the client:

# cat /etc/crypto-policies/back-ends/opensshserver.config
CRYPTO_POLICY='-oCiphers=aes256-gcm@openssh.com,aes256-ctr,aes256-cbc,aes128-gcm@openssh.com,aes128-ctr,aes128-cbc -oMACs=hmac-sha2-256-etm@openssh.com,hmac-sha1-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha2-256,hmac-sha1,hmac-sha2-512 -oGSSAPIKeyExchange=no -oKexAlgorithms=ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512 -oHostKeyAlgorithms=rsa-sha2-256,rsa-sha2-256-cert-v01@openssh.com,ecdsa-sha2-nistp256,ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384,ecdsa-sha2-nistp384-cert-v01@openssh.com,rsa-sha2-512,rsa-sha2-512-cert-v01@openssh.com,ecdsa-sha2-nistp521,ecdsa-sha2-nistp521-cert-v01@openssh.com -oPubkeyAcceptedKeyTypes=rsa-sha2-256,rsa-sha2-256-cert-v01@openssh.com,ecdsa-sha2-nistp256,ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384,ecdsa-sha2-nistp384-cert-v01@openssh.com,rsa-sha2-512,rsa-sha2-512-cert-v01@openssh.com,ecdsa-sha2-nistp521,ecdsa-sha2-nistp521-cert-v01@openssh.com -oCASignatureAlgorithms=rsa-sha2-256,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,rsa-sha2-512,ecdsa-sha2-nistp521'

From the output above you can see that the ssh-rsa type is not in -oPubkeyAcceptedKeyTypes:

-oPubkeyAcceptedKeyTypes=rsa-sha2-256,rsa-sha2-256-cert-v01@openssh.com,ecdsa-sha2-nistp256,ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384,ecdsa-sha2-nistp384-cert-v01@openssh.com,rsa-sha2-512,rsa-sha2-512-cert-v01@openssh.com,ecdsa-sha2-nistp521,ecdsa-sha2-nistp521-cert-v01@openssh.com
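The following shell functions are an added example and are not part of the Red Hat article or of Satellite itself. They automate the two checks above (the sshd rejection line in the journal and the missing ssh-rsa entry in the CRYPTO_POLICY line) and produce a patched copy of the config with ssh-rsa appended, so the change can be reviewed before it is put in place. The function names (make_sample, pubkey_types, has_ssh_rsa, add_ssh_rsa, journal_shows_rejection) are this example's own, and the config it operates on is a constructed, shortened sample; on a real client point the file argument at /etc/crypto-policies/back-ends/opensshserver.config.

```shell
#!/bin/sh
# Added example, not Red Hat's code: inspect an opensshserver.config
# CRYPTO_POLICY line and report/patch the -oPubkeyAcceptedKeyTypes list.

# Constructed sample file that mimics the FIPS policy from the article
# (list shortened); written to the path given as $1.
make_sample() {
  cat > "$1" <<'EOF'
CRYPTO_POLICY='-oCiphers=aes256-gcm@openssh.com,aes256-ctr -oPubkeyAcceptedKeyTypes=rsa-sha2-256,rsa-sha2-512,ecdsa-sha2-nistp256 -oCASignatureAlgorithms=rsa-sha2-256,ecdsa-sha2-nistp256'
EOF
}

# Print the comma-separated value of -oPubkeyAcceptedKeyTypes from file $1.
# The value ends at the next space or at the closing single quote.
pubkey_types() {
  sed -n "s/.*-oPubkeyAcceptedKeyTypes=\([^ ']*\).*/\1/p" "$1"
}

# Return 0 if ssh-rsa is already an accepted key type in file $1, 1 otherwise.
has_ssh_rsa() {
  pubkey_types "$1" | tr ',' '\n' | grep -qx 'ssh-rsa'
}

# Write a copy of config $1 to $2 with ssh-rsa appended to
# -oPubkeyAcceptedKeyTypes. Idempotent: an already-patched file is copied as is.
add_ssh_rsa() {
  if has_ssh_rsa "$1"; then
    cp "$1" "$2"
  else
    sed "s/\(-oPubkeyAcceptedKeyTypes=[^ ']*\)/\1,ssh-rsa/" "$1" > "$2"
  fi
}

# Return 0 if the saved journal output in file $1 contains the sshd line
# that identifies this problem (see Diagnostic Steps).
journal_shows_rejection() {
  grep -q 'userauth_pubkey: key type ssh-rsa not in PubkeyAcceptedKeyTypes' "$1"
}
```

Typical use on a client is `journalctl -u sshd > /tmp/sshd.log` followed by `journal_shows_rejection /tmp/sshd.log`, then `add_ssh_rsa /etc/crypto-policies/back-ends/opensshserver.config /tmp/opensshserver.config.new`, a diff of the two files, and only then copying the patched file into place and running `systemctl restart sshd`. Writing to a separate output file rather than editing in place keeps the original policy file available for rollback, which matters because the patched file is no longer FIPS compliant.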
