lavabit / robox

The tools needed to robotically create/configure/provision a large number of operating systems, for a variety of hypervisors, using packer.

fedora33: `update-crypto-policies --set LEGACY` #173

Closed hswong3i closed 3 years ago

hswong3i commented 3 years ago

Upstream SSH has been claiming for a few releases now that:

It is now possible to perform chosen-prefix attacks against the
SHA-1 algorithm for less than USD$50K. For this reason, we will be
disabling the "ssh-rsa" public key signature algorithm by default in a
near-future release.

Also see:

hswong3i commented 3 years ago

@ladar The current implementation (https://github.com/lavabit/robox/pull/173/files#diff-f910de6f4744660a002d304cbe816512bf93f5c5c848581bf062adf2e47c6063R40-R42) should be logically correct:

diff --git a/scripts/fedora33/vagrant.sh b/scripts/fedora33/vagrant.sh
index d320b35..67cd67f 100644
--- a/scripts/fedora33/vagrant.sh
+++ b/scripts/fedora33/vagrant.sh
@@ -36,3 +36,7 @@ chown -R vagrant:vagrant /home/vagrant/.ssh

 # Mark the vagrant box build time.
 date --utc > /etc/vagrant_box_build_time
+
+# Ensures maximum compatibility with legacy systems (64-bit security).
+# https://github.com/hashicorp/vagrant/issues/11783#issuecomment-702100872
+update-crypto-policies --set LEGACY
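Review bot: `update-crypto-policies --set LEGACY` lowers the crypto policy system-wide, for every consumer of crypto-policies (TLS, Kerberos, IPsec, ...) and not just sshd, while the stated aim is only to keep accepting the RSA Vagrant insecure key; the comment's own "(64-bit security)" spells out the cost. Consider scoping the change to sshd instead, e.g. a drop-in under /etc/ssh/sshd_config.d/ containing `PubkeyAcceptedKeyTypes=+ssh-rsa`, and add a brief comment saying why the legacy algorithm is needed at all so it can be removed once Vagrant ships a non-RSA key.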

Throughout the entire packer provisioners stage, I could confirm that update-crypto-policies --show reports LEGACY.

BTW, after the post-processors stage completed and I manually vagrant box add the resulting image, vagrant up still gets stuck.

If I manually log in through the virt console and execute update-crypto-policies --show, it has reverted to DEFAULT (!!).

Now if I execute update-crypto-policies --set LEGACY again, the stuck vagrant up continues and completes without error (!?). Moreover, vagrant ssh is now working fine, too.

As I am using vagrant-libvirt with virt-sysprep available (i.e. libguestfs-tools installed under Ubuntu 20.04), I guess that maybe it is reset by virt-sysprep during vagrant package being called by the vagrant post-processors?

UPDATE: no, it shouldn't be related to virt-sysprep or libguestfs-tools; the issue is still happening even with the binary/package removed. Somehow it must be re-initialized during first startup...

hswong3i commented 3 years ago

Even after downgrading from packer 1.6.2 to 1.4.5, the update-crypto-policies --set LEGACY still doesn't persist after the vagrant package stage, and always rolls back to DEFAULT during vagrant up... Sorry, I have no more ideas about how to fix this :-(

hswong3i commented 3 years ago

@ladar Oh, you already merged this PR ^_^||

BTW, from https://github.com/hashicorp/vagrant/issues/11783#issuecomment-720822960, which points to https://pagure.io/fedora-kickstarts/pull-request/669#request_diff from the official Fedora Vagrant image, the change should be something like:

cat > /etc/ssh/sshd_config.d/10-vagrant-insecure-rsa-key.conf <<EOF
# For now the vagrant insecure key is an rsa key
# https://github.com/hashicorp/vagrant/issues/11783
PubkeyAcceptedKeyTypes=+ssh-rsa
EOF
ladar commented 3 years ago

@hswong3i I like this new method a lot more. I updated the vagrant.sh module accordingly. The 3.1.2 release is almost finished, but this change should be reflected in the 3.1.4 build.

hswong3i commented 3 years ago

@ladar OMG!!! So these two lines (https://github.com/lavabit/robox/commit/1526688695510cfec850c0b44861f9a6a8e24723#diff-f910de6f4744660a002d304cbe816512bf93f5c5c848581bf062adf2e47c6063R46-R47) are the trick for keeping the file in place after provisioning!? I had been trying for more than 2 days but was just missing these two lines O_o!?

chcon system_u:object_r:etc_t:s0 /etc/ssh/sshd_config.d/10-vagrant-insecure-rsa-key.conf
chmod 600 /etc/ssh/sshd_config.d/10-vagrant-insecure-rsa-key.conf

EDIT: Oh, I get it!! So it's SELinux getting me into trouble, AGAIN!! But why isn't the official Fedora vagrant box (https://pagure.io/fedora-kickstarts/blob/master/f/fedora-cloud-base.ks#_29) affected!?

selinux --enforcing
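The two comments above together describe one small procedure: write an sshd drop-in that re-enables the ssh-rsa key type for the Vagrant insecure key, give it mode 600, and label it etc_t so SELinux does not reject it after first boot. The script below is an added example that is not robox's vagrant.sh and not the Fedora kickstart; the function names `install_vagrant_rsa_dropin` and `check_dropin`, and the directory argument (so the steps can be run against a scratch directory instead of /etc/ssh/sshd_config.d), are assumptions made for this example. The SELinux relabel and the `sshd -t` validation only run when those tools are present.

```shell
#!/bin/sh
# Added example (not the robox project's own vagrant.sh): install an sshd
# drop-in that re-accepts ssh-rsa public keys for sshd only, instead of
# lowering the system-wide crypto policy with update-crypto-policies.
set -eu

# install_vagrant_rsa_dropin [conf_dir]
# conf_dir defaults to the real sshd drop-in directory; a scratch directory
# can be passed for testing (assumed parameter, not part of the original).
install_vagrant_rsa_dropin() {
    conf_dir="${1:-/etc/ssh/sshd_config.d}"
    conf_file="$conf_dir/10-vagrant-insecure-rsa-key.conf"

    mkdir -p "$conf_dir"

    # Write in a subshell with a restrictive umask so the file is never
    # created world-readable, even for an instant, then pin mode 600.
    (
        umask 077
        cat > "$conf_file" <<'EOF'
# For now the vagrant insecure key is an rsa key
# https://github.com/hashicorp/vagrant/issues/11783
PubkeyAcceptedKeyTypes=+ssh-rsa
EOF
    )
    chmod 600 "$conf_file"

    # On an SELinux-enforcing host the drop-in must carry the same label as the
    # rest of /etc (etc_t); the thread above shows that without it the file
    # does not survive first boot. Only attempted when SELinux is enabled.
    if command -v selinuxenabled >/dev/null 2>&1 && selinuxenabled 2>/dev/null; then
        chcon system_u:object_r:etc_t:s0 "$conf_file"
    fi

    # Validate the complete sshd configuration before anything relies on it;
    # only meaningful when writing to the directory sshd actually includes.
    if [ "$conf_dir" = /etc/ssh/sshd_config.d ] && command -v sshd >/dev/null 2>&1; then
        sshd -t
    fi

    printf '%s\n' "$conf_file"
}

# check_dropin <file>: succeed only if the drop-in exists, contains the
# expected directive and is mode 600 (what the two comments above required).
check_dropin() {
    f="$1"
    [ -f "$f" ] || return 1
    grep -q '^PubkeyAcceptedKeyTypes=+ssh-rsa$' "$f" || return 1
    mode=$(stat -c '%a' "$f" 2>/dev/null || stat -f '%Lp' "$f")
    [ "$mode" = "600" ]
}

# Usage on a Fedora build host (runs against the real directory):
#   install_vagrant_rsa_dropin && check_dropin /etc/ssh/sshd_config.d/10-vagrant-insecure-rsa-key.conf
```

The drop-in is only read if the main sshd_config contains an `Include /etc/ssh/sshd_config.d/*.conf` line, as Fedora's packaged config does; on a system without that line the file is written but has no effect, which `sshd -T` (not `-t`) will reveal by listing the effective `pubkeyacceptedkeytypes`.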
ladar commented 3 years ago

@hswong3i SELinux is enabled in our version as well. You can confirm by running sestatus ...

hswong3i commented 3 years ago

@ladar I just tried vagrant init generic/fedora33 --box-version 3.1.0 and then vagrant up --provider libvirt, but it still failed due to the https://github.com/lavabit/robox/commit/8f0d1f50a7e61e7dd2b6fe63bed9c13706175699 implementation.

Most likely we need your updated version with https://github.com/lavabit/robox/commit/1526688695510cfec850c0b44861f9a6a8e24723 in order to get rid of SELinux related issue ;-)

ladar commented 3 years ago

@hswong3i yes, the issue wasn't fixed in 3.1.0 ... I think the update-crypto-policies fix made it into 3.1.2, which just started uploading... so it should release in the next couple of days (uploads take a while because of cloud limits).

Either way, I'm starting the 3.1.4 build now, which will include the SSH config fix. That version should be done building by Monday, and should release next week, assuming there aren't too many box build failures.