From 1b2f4ee7170f7de8509e6733986d9e0b20dd752e Mon Sep 17 00:00:00 2001 From: Thomas H Jones II Date: Mon, 25 Sep 2023 13:27:54 -0400 Subject: [PATCH 1/3] Add reference to key-login document --- docs/gotchas/index.md | 1 + 1 file changed, 1 insertion(+) diff --git a/docs/gotchas/index.md b/docs/gotchas/index.md index d3d98f754..92557b5b1 100644 --- a/docs/gotchas/index.md +++ b/docs/gotchas/index.md @@ -15,5 +15,6 @@ The hardening-content shipped with watchmaker includes some content that may res :maxdepth: 1 EL7-sudo.md EL8-X11tunneling.md +EL8-OpenSSHkeyLogins.md ``` From f34dfbbeb2159cf86c12e90942ae9a9c442ce814 Mon Sep 17 00:00:00 2001 From: Thomas H Jones II Date: Mon, 25 Sep 2023 13:31:26 -0400 Subject: [PATCH 2/3] SHA-1 deprecation notes --- docs/gotchas/EL8-OpenSSHkeyLogins.md | 22 ++++++++++++++++++++++ 1 file changed, 22 insertions(+) create mode 100644 docs/gotchas/EL8-OpenSSHkeyLogins.md diff --git a/docs/gotchas/EL8-OpenSSHkeyLogins.md b/docs/gotchas/EL8-OpenSSHkeyLogins.md new file mode 100644 index 000000000..2f3be945f --- /dev/null +++ b/docs/gotchas/EL8-OpenSSHkeyLogins.md @@ -0,0 +1,22 @@ +```{eval-rst} +.. image:: ../images/cropped-plus3it-logo-cmyk.png + :width: 140px + :alt: Powered by Plus3 IT Systems + :align: right + :target: https://www.plus3it.com +``` +
+ +# OpenSSH RSAv2 Keys Don't Work (EL8) + +The OpenSSH Daemon shipped with the most-recent versions of RHEL 8 (and derivatives), implements the deprecation of SHA1-signed SSH keys for key-based authentication that's now part of OpenSSH 8.8 and higher. As such, any SSH keys used for key-based authentication will need to be signed using a SHA2 algorithm (SHA-256 or SHA-512). + +For users of self-managed keys, this means that one needs to present an SHA-256 or SHA-512 signed OpenSSH key when using RSAv2 keys for key-based logins. Such keys can be generated in a couple ways: + +* Use either `rsa-sha2-256` or `rsa-sha2-512` when using `ssh-keygen`'s `-t` option for generating a new key +* Use `ssh-keygen` on a FIPS-enabled, EL8+ operating system +* Use a CSP's key-generation tool (AWS's commercial region's EC2 key-generation capability is known to create conformant RSAv2 keys) + +For users of organizationally-issued SSH keys - be they bare files or as delivered via a centrally-managed SmartCard (such as a PIV or CAC) or other token - it will be necessary for the key-user to work with their organization to ensure that updated, conformant keys are issued. + +**Note:** This is not, specifically, a watchmaker issue. However, because most people will encounter the issue after having run watchmaker, we opted to include it in this project's "Gotchas" documentation for the benefit of watchmaker-users that might come here for answers From 69ab7f5a877b4d66538ec79d8fe1994d2e96b454 Mon Sep 17 00:00:00 2001 From: Thomas H Jones II Date: Mon, 25 Sep 2023 13:49:09 -0400 Subject: [PATCH 3/3] Flesh out discussion with examples --- docs/gotchas/EL8-OpenSSHkeyLogins.md | 32 +++++++++++++++++++++++++++- 1 file changed, 31 insertions(+), 1 deletion(-) diff --git a/docs/gotchas/EL8-OpenSSHkeyLogins.md b/docs/gotchas/EL8-OpenSSHkeyLogins.md index 2f3be945f..828407266 100644 --- a/docs/gotchas/EL8-OpenSSHkeyLogins.md +++ b/docs/gotchas/EL8-OpenSSHkeyLogins.md 
@@ -9,8 +9,12 @@ # OpenSSH RSAv2 Keys Don't Work (EL8) +## Background + The OpenSSH Daemon shipped with the most-recent versions of RHEL 8 (and derivatives), implements the deprecation of SHA1-signed SSH keys for key-based authentication that's now part of OpenSSH 8.8 and higher. As such, any SSH keys used for key-based authentication will need to be signed using a SHA2 algorithm (SHA-256 or SHA-512). +## Workarounds + For users of self-managed keys, this means that one needs to present an SHA-256 or SHA-512 signed OpenSSH key when using RSAv2 keys for key-based logins. Such keys can be generated in a couple ways: * Use either `rsa-sha2-256` or `rsa-sha2-512` when using `ssh-keygen`'s `-t` option for generating a new key 
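Review bot: The "Workarounds" bullet that survives as context here (`Use either rsa-sha2-256 or rsa-sha2-512 when using ssh-keygen's -t option`) tells readers to regenerate keys without saying what that changes about the key. `ssh-keygen` treats those names as aliases of the `rsa` key type, so the resulting public key still begins with `ssh-rsa` and is indistinguishable from one made with `-t rsa`; what the server is rejecting is the SHA-1 signature algorithm (`ssh-rsa`) the client chose at login, which is what the page's own log line `input_userauth_pubkey: key type ssh-rsa not in PubkeyAcceptedKeyTypes` reports, not a property baked into the key. Any OpenSSH client from 7.2 onward negotiates `rsa-sha2-256`/`rsa-sha2-512` with an existing RSA key, so the "Background" paragraph should say that the failing cases are older clients and third-party SSH libraries, and the "Workarounds" list should name a check, e.g. run `ssh -v user@host` and look for the `server-sig-algs=` line and the algorithm shown when the key is offered, before advising people to throw keys away. Separately, the paragraph says the behaviour "is now part of OpenSSH 8.8 and higher" while the title scopes the page to EL8; state the `openssh-server` package version and crypto policy on which this was observed so a reader can compare with their own host.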
@@ -19,4 +23,30 @@ For users of self-managed keys, this means that one needs to present an SHA-256 For users of organizationally-issued SSH keys - be they bare files or as delivered via a centrally-managed SmartCard (such as a PIV or CAC) or other token - it will be necessary for the key-user to work with their organization to ensure that updated, conformant keys are issued. -**Note:** This is not, specifically, a watchmaker issue. However, because most people will encounter the issue after having run watchmaker, we opted to include it in this project's "Gotchas" documentation for the benefit of watchmaker-users that might come here for answers +## Symptoms + +Depending on the SSH client, the key may silently fail to work or it may print an error. If an error is printed, it will usually be something like: + +```bash +Load key "/path/to/key-file": error in libcrypto +``` + +With or without the printing of the error, the key will be disqualified and the server will request the client move on to the next-available authentication-metho (usually password). + +_If_ one is able to use other means to access a system and view its logs, one will usually find errors similar to: + +```bash +Feb 09 12:10:50 ip-0a00dc73 sshd[2939]: input_userauth_request: invalid user ec2-user [preauth] +``` + +Or + +```bash +Feb 09 12:10:50 ip-0a00dc73 sshd[2939]: input_userauth_pubkey: key type ssh-rsa not in PubkeyAcceptedKeyTypes [preauth] +``` + +In the `/var/log/secure` logs. + + + +**Note:** The deprecated SHA-1 issuse is not a watchmaker issue. It is generically applicable to Red Hat's OpenSSH version on EL8-bsed systems. However, because most people will encounter the issue after having run watchmaker, we opted to include it in this project's "Gotchas" documentation for the benefit of watchmaker-users that might come here for answers
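Review bot: Two of the three messages presented under "Symptoms" do not describe this failure. `Load key "/path/to/key-file": error in libcrypto` is printed while the client is parsing the private-key file, before it has talked to the server, so it cannot be produced by the server's `PubkeyAcceptedKeyTypes` setting; and `input_userauth_request: invalid user ec2-user [preauth]` says the user lookup failed, which is unrelated to the key. Only `input_userauth_pubkey: key type ssh-rsa not in PubkeyAcceptedKeyTypes [preauth]` is the signature-algorithm rejection the page is about; keep that as the diagnostic and either drop the other two or explain how each was reproduced. Smaller points in the same hunk: "authentication-metho", "issuse" and "EL8-bsed" are typos; the three fenced blocks are log output rather than shell, so tag them `text` instead of `bash`; "In the `/var/log/secure` logs." is a dangling fragment that belongs in the sentence that introduces the log lines; and the sentence "the server will request the client move on to the next-available authentication-method (usually password)" should note that this fallback only happens if password authentication is still enabled, since on a hardened host the connection will simply be refused.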