Leaked host key check: Avoid false positives from FIPS mode #748
Enabling FIPS (Federal Information Processing Standards) mode may cause ssh-keygen's MD5-based fingerprint generation to fail, resulting in a message on stderr and a blank fingerprint string. A grep search for an empty string succeeds, so a blank fingerprint is reported as a leaked host key.
I like this general solution. Thanks for the write up and the fix 👍
The macOS CI failure here is a known failure, so I think this is good to merge @mumfy
Update
Ok
Enabling FIPS (Federal Information Processing Standards) mode on the backup server may cause ssh-keygen's MD5-based fingerprint generation to fail. A "fingerprint_one_key: sshkey_fingerprint failed" message is written to stderr whilst nothing is written to stdout, so the fingerprint variable is blank. A grep search for an empty string succeeds, so ghe-detect-leaked-ssh-keys reports that a leaked hostkey was found.

This change detects this condition and the final output says if the hostkey check was skipped.

closes: #749
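How the false positive described above arises, and the guard that prevents it, as an added shell example. This is not code from ghe-backup-utils or from this PR: the list of "leaked" fingerprints is constructed sample data, the `ssh-keygen -l -E md5` output format used by extract_fingerprint is assumed, and fips_ssh_keygen is a stand-in for ssh-keygen's FIPS failure (its exit code is assumed; the page only states that stderr gets a message and stdout is empty). The naive check is also shown matching a partial fingerprint, which goes beyond the empty-string case in the text and is why the fixed version matches fixed strings whole-line.

```shell
#!/bin/sh
# Added example, not ghe-backup-utils code: reproduces the false positive a
# blank fingerprint causes in a grep-based leaked-host-key check and shows
# the guard that fixes it. The fingerprint list is constructed sample data.

# Constructed list of fingerprints to treat as leaked, in the hex form that
# `ssh-keygen -l -E md5` prints after its "MD5:" prefix (format assumed).
LEAKED_FINGERPRINTS='aa:bb:cc:dd:ee:ff:00:11:22:33:44:55:66:77:88:99
12:34:56:78:9a:bc:de:f0:12:34:56:78:9a:bc:de:f0'

# Turn one line of `ssh-keygen -l -E md5` output (assumed format:
# "<bits> MD5:<hex> <comment> (<type>)") into the bare hex fingerprint.
# Empty input yields an empty result, which is exactly the FIPS case.
extract_fingerprint() {
    printf '%s\n' "$1" | awk 'NF >= 2 { sub(/^MD5:/, "", $2); print $2 }'
}

# Stand-in for ssh-keygen on a FIPS-enabled host, as the PR describes it:
# the error goes to stderr, nothing to stdout. Non-zero exit is assumed.
fips_ssh_keygen() {
    echo 'fingerprint_one_key: sshkey_fingerprint failed' >&2
    return 1
}

# Naive check (the bug): grep for whatever fingerprint string we got.
# An empty pattern matches every line, so grep exits 0 and the key is
# reported as leaked. Returns 0 = leaked, 1 = clean.
naive_check() {
    printf '%s\n' "$LEAKED_FINGERPRINTS" | grep -q "$1"
}

# Fixed check: a blank fingerprint means the fingerprint step failed, so the
# check is skipped and reported as such instead of being treated as a hit.
# Matching is fixed-string (-F) and whole-line (-x) so a partial string or
# regex metacharacter cannot produce a spurious match.
# Returns 0 = leaked, 1 = clean, 2 = check skipped.
safe_check() {
    if [ -z "$1" ]; then
        echo 'host key fingerprint unavailable (FIPS mode?); leaked key check skipped' >&2
        return 2
    fi
    printf '%s\n' "$LEAKED_FINGERPRINTS" | grep -qxF -- "$1"
}

# End to end: raw ssh-keygen output -> extracted fingerprint -> safe check.
check_host_key() {
    safe_check "$(extract_fingerprint "$1")"
}

# Stand-alone demonstration of the FIPS case with both checks.
fips_output="$(fips_ssh_keygen 2>/dev/null || true)"
fp="$(extract_fingerprint "$fips_output")"
if naive_check "$fp"; then
    echo "naive check: LEAKED (false positive; fingerprint='$fp')"
fi
rc=0
safe_check "$fp" 2>/dev/null || rc=$?
echo "safe check: exit status $rc (2 = check skipped)"
```

The essential change is the `[ -z "$1" ]` guard: a failed fingerprint step must surface as "check skipped" in the final output, never as a match. Exiting with a distinct status for the skipped case lets the caller report it separately from a genuine leak or a clean result.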