Filter out Ed25519 keys from default in FIPS mode

Signed-off-by: Jakub Jelen <jjelen@redhat.com>
Jakuje · Nov 16, 2021 · 7f69d1e · 7f69d1e
1 parent 71eab11
commit 7f69d1e
Show file tree

Hide file tree

Showing 5 changed files with 36 additions and 3 deletions.
diff --git a/defaults/main.yml b/defaults/main.yml
@@ -74,7 +74,8 @@ __sshd_defaults: {}
 __sshd_os_supported: no
 __sshd_sysconfig_supports_crypto_policy: false
 __sshd_sysconfig_supports_use_strong_rng: false
-
+# The hostkeys not supported in FIPS mode, if applicable
+__sshd_hostkeys_nofips: []
 
 __sshd_runtime_directory: false
 __sshd_runtime_directory_mode: "0755"
diff --git a/meta/10_top.j2 b/meta/10_top.j2
@@ -21,7 +21,11 @@
 {%   elif sshd[key] is defined %}
 {%     set value = sshd[key] %}
 {%   elif __sshd_defaults[key] is defined and not sshd_skip_defaults %}
-{%     set value = __sshd_defaults[key] %}
+{%     if key == 'HostKey' and __sshd_fips_mode %}
+{%       set value = __sshd_defaults[key] | difference(__sshd_hostkeys_nofips) %}
+{%     else %}
+{%       set value = __sshd_defaults[key] %}
+{%     endif %}
 {%   endif %}
 {{ render_option(key,value) -}}
 {% endmacro %}

diff --git a/tasks/install.yml b/tasks/install.yml
@@ -22,8 +22,28 @@
     - __sshd_sysconfig_supports_use_strong_rng or __sshd_sysconfig_supports_crypto_policy
   notify: reload_sshd
 
+- name: Check the kernel FIPS mode
+  slurp:
+    src: /proc/sys/crypto/fips_enabled
+  register: __sshd_kernel_fips_mode
+  failed_when: false
+  when:
+    - __sshd_hostkeys_nofips != []
+
+- name: Check the userspace FIPS mode
+  slurp:
+    src: /etc/system-fips
+  register: __sshd_userspace_fips_mode
+  failed_when: false
+  when:
+    - __sshd_hostkeys_nofips != []
+
 - name: Make sure hostkeys are available and have expected permissions
   vars: &share_vars
+    __sshd_fips_mode: >-
+      __sshd_hostkeys_nofips != [] and \
+      (__sshd_kernel_fips_mode.content | b64decode == "1" | bool or \
+       __sshd_kernel_fips_mode.content | b64decode != "0" | bool)
     # This mimics the macro body_option() in sshd_config.j2
     # The explicit to_json filter is needed for Python 2 compatibility
     __sshd_hostkeys_from_config: >-
@@ -32,7 +52,11 @@
       {% elif sshd['HostKey'] is defined %}
         {{ sshd['HostKey'] | to_json }}
       {% elif __sshd_defaults['HostKey'] is defined and not sshd_skip_defaults %}
-        {{ __sshd_defaults['HostKey'] | to_json }}
+        {% if __sshd_fips_mode %}
+          {{ __sshd_defaults['HostKey'] | difference(__sshd_hostkeys_nofips) | to_json }}
+        {% else %}
+          {{ __sshd_defaults['HostKey'] | to_json }}
+        {% endif %}
       {% else %}
         []
       {% endif %}

diff --git a/vars/RedHat_7.yml b/vars/RedHat_7.yml
@@ -29,3 +29,5 @@ __sshd_os_supported: yes
 __sshd_sysconfig_supports_use_strong_rng: true
 __sshd_hostkey_group: ssh_keys
 __sshd_hostkey_mode: "0640"
+__sshd_hostkeys_nofips:
+  - /etc/ssh/ssh_host_ed25519_key
diff --git a/vars/RedHat_8.yml b/vars/RedHat_8.yml
@@ -31,3 +31,5 @@ __sshd_sysconfig_supports_use_strong_rng: true
 __sshd_sysconfig_supports_crypto_policy: true
 __sshd_hostkey_group: ssh_keys
 __sshd_hostkey_mode: "0640"
+__sshd_hostkeys_nofips:
+  - /etc/ssh/ssh_host_ed25519_key