Leaked host key check: Avoid false positives from FIPS mode #748

Merged
merged 1 commit into from
Jul 6, 2021

Conversation

@mumfy (Contributor) commented Jun 18, 2021

Enabling FIPS (Federal Information Processing Standards) mode on the backup server
may cause ssh-keygen's MD5-based fingerprint generation to fail.

A "fingerprint_one_key: sshkey_fingerprint failed" message is written to stderr
whilst nothing is written to stdout, so the fingerprint variable is blank.

A grep search for an empty string succeeds, so ghe-detect-leaked-ssh-keys
reports that a leaked hostkey was found.

This change detects this condition, and the final output states whether the hostkey check was skipped.

closes: #749

Enabling FIPS (Federal Information Processing Standards) mode
may cause ssh-keygen's MD5-based fingerprint generation to fail,
resulting in a message on stderr and a blank fingerprint string.

A grep search for an empty string succeeds so a blank fingerprint
is reported as a leaked host key.
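The failure mode described above, as an added shell illustration (this is not backup-utils code). It replaces ssh-keygen with a stand-in function so it runs offline: for a key file whose name contains "fips" the stand-in writes the "sshkey_fingerprint failed" message to stderr and nothing to stdout, as FIPS mode does. The list of "leaked" fingerprints and the key file names are constructed for the demo. The original check greps the leaked list for whatever fingerprint string it got; the guarded version treats a blank fingerprint as "skipped" instead of "leaked".

```shell
#!/bin/sh
# Added example, not from the backup-utils project: why an empty fingerprint
# produces a false "leaked host key" result, and the guard that avoids it.

# Constructed list of "known leaked" MD5 fingerprints (hypothetical values).
LEAKED_FPS="$(mktemp)"
cat > "$LEAKED_FPS" <<'EOF'
aa:bb:cc:dd:ee:ff:00:11:22:33:44:55:66:77:88:99
11:22:33:44:55:66:77:88:99:aa:bb:cc:dd:ee:ff:00
EOF

# Stand-in for `ssh-keygen -l -E md5 -f <key>`. A key whose name contains
# "fips" mimics FIPS mode: an error on stderr and no output on stdout.
# Other names return an ssh-keygen style line "<bits> MD5:<fp> <comment> (<type>)".
fake_ssh_keygen_md5() {
  case "$1" in
    *fips*)
      echo "fingerprint_one_key: sshkey_fingerprint failed" >&2
      return 255 ;;
    *leaked*)
      echo "2048 MD5:aa:bb:cc:dd:ee:ff:00:11:22:33:44:55:66:77:88:99 root@ghe (RSA)" ;;
    *)
      echo "2048 MD5:01:23:45:67:89:ab:cd:ef:01:23:45:67:89:ab:cd:ef root@ghe (RSA)" ;;
  esac
}

# Extract the bare fingerprint (second field without the "MD5:" prefix).
# When ssh-keygen printed nothing, this yields an empty string.
fingerprint_of() {
  fake_ssh_keygen_md5 "$1" 2>/dev/null | awk '{print $2}' | sed 's/^MD5://'
}

# Original logic: grep for the fingerprint. An empty pattern matches every
# line of a non-empty file, so a failed ssh-keygen run reports "leaked".
check_original() {
  fp=$(fingerprint_of "$1")
  if grep -qF -- "$fp" "$LEAKED_FPS"; then echo leaked; else echo clean; fi
}

# Guarded logic: a blank fingerprint means the fingerprint step failed,
# so the check is reported as skipped rather than matched.
check_guarded() {
  fp=$(fingerprint_of "$1")
  if [ -z "$fp" ]; then echo skipped; return 0; fi
  if grep -qF -- "$fp" "$LEAKED_FPS"; then echo leaked; else echo clean; fi
}

# Usage: compare both checks on the three constructed key names.
for key in fips_host_key.pub leaked_host_key.pub ordinary_host_key.pub; do
  echo "$key: original=$(check_original "$key") guarded=$(check_guarded "$key")"
done
```

The essential line is the `[ -z "$fp" ]` test before the grep: a grep pattern must be validated as non-empty before it is used as evidence of a match, otherwise any upstream failure that empties the variable turns into a positive finding.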
@djdefi djdefi requested a review from a team June 21, 2021 16:55
@bwestover (Contributor) left a comment

I like this general solution. Thanks for the write up and the fix 👍

@djdefi (Member) commented Jun 30, 2021

The macos CI failure here is a known failure, so I think this is good to merge @mumfy

@mumfy mumfy merged commit 603bf21 into master Jul 6, 2021
@mumfy mumfy deleted the mumfy/leaked-key-check-improvement branch July 6, 2021 00:39
@MintThitiratChamnan left a comment (minimized)

Update

This was referenced Sep 9, 2021
@rigrell28 left a comment (minimized)

Ok

6 participants