lavabit / robox

The tools needed to robotically create/configure/provision a large number of operating systems, for a variety of hypervisors, using packer.

fedora33: `update-crypto-policies --set LEGACY` #175

Closed hswong3i closed 3 years ago

hswong3i commented 3 years ago

Follow up for https://github.com/lavabit/robox/pull/173, where both files are still missing during initial vagrant up:

In case it is SELinux related, at least chcon is just used for temporary changes but not as persistent as semanage fcontext should be.

hswong3i commented 3 years ago

@ladar something I had tried:

hswong3i commented 3 years ago

@ladar I checked with https://app.vagrantup.com/fedora/boxes/33-cloud-base, their patch exists and works during the initial `vagrant up`, where `vagrant ssh` also works perfectly:

```
[vagrant@cheph9ohg3he-1 ~]$ sudo su -
[root@cheph9ohg3he-1 ~]# ls -la /etc/ssh/sshd_config.d/
total 16
drwx------. 2 root root 4096 Oct 19 23:41 .
drwxr-xr-x. 4 root root 4096 Nov  8 06:17 ..
-rw-r--r--. 1 root root  133 Oct 19 23:41 10-vagrant-insecure-rsa-key.conf
-rw-------. 1 root root 1002 Sep 29 14:03 50-redhat.conf
[root@cheph9ohg3he-1 ~]# cat /etc/ssh/sshd_config.d/10-vagrant-insecure-rsa-key.conf
# For now the vagrant insecure key is an rsa key
# https://github.com/hashicorp/vagrant/issues/11783
PubkeyAcceptedKeyTypes=+ssh-rsa
```

ladar commented 3 years ago

I looked this over. I don't think it's needed. It changes the file system contexts/permissions, but I don't think the new context is correct for the given directories (if there is such a thing as "correct").

My guess is the files aren't showing up because you're using the 3.1.0 boxes, which don't have this change. About 24 hours ago I released the latest boxes (3.1.2) and based on my testing, they work just fine. These boxes contain the `update-crypto-policies --set LEGACY` fix.

A new set of boxes should be uploading over the next few days (aka 3.1.2), and some of those Fedora 33 boxes will have the newer fix. I think all, just not sure.

Either way, I'm kicking off the 3.1.6 today, and I know all of those boxes will have the current fix when they upload. So I'm gonna close this ticket. If you still have trouble once the 3.1.6 boxes upload, please reopen it.

hswong3i commented 3 years ago

> A new set of boxes should be uploading over the next few days (aka 3.1.2), and some of those Fedora 33 boxes will have the newer fix. I think all, just not sure.

Confirmed 3.1.2 includes the `update-crypto-policies --set LEGACY` fix:

```
$ vagrant box list | grep fedora33
generic/fedora33     (libvirt, 3.1.2)
$ vagrant ssh
Last login: Wed Nov 11 03:54:37 2020 from 192.168.121.1
[vagrant@ugaeg9geicuz-1 ~]$ sudo su -
Last login: Wed Nov 11 03:54:40 UTC 2020 on pts/0
[root@ugaeg9geicuz-1 ~]# update-crypto-policies --show
LEGACY
```