plus3it / spel

STIG-Partitioned Enterprise Linux (spel)

[BUG] FIPS-Mode on OL9 is too fascist for Packer's default SSH Communicator KEX #680

Closed ferricoxide closed 5 months ago

ferricoxide commented 5 months ago

Expected behavior

Packer builds run per normal

Actual behavior

Packer builds hang when attempting to connect via SSH

Steps to reproduce behavior

  1. Run standard Packer jobs (in CodeBuild)
  2. Wait for job(s) to fail with SSH communicator timeouts for Oracle Linux 9
  3. Investigate the failing EC2s. Find:
    Apr  9 18:52:43 ip-172-31-47-57 sshd[1460]: input_kex_gen_init: Key exchange type c25519 is not allowed in FIPS mode [preauth]
    Apr  9 18:52:43 ip-172-31-47-57 sshd[1460]: ssh_dispatch_run_fatal: Connection from 217.114.38.123 port 51540: invalid argument [preauth]

    In the /var/log/secure log-file

Context/Specifications

Things like:

Suggestions for fix

Update the Packer build-spec for AWS EBS. Add the ssh_key_exchange_algorithms parameter and define the allowed KEX algorithms minus Curve 25519 like so:

# Explicit KEX list for the SSH communicator: the FIPS-permitted ECDH and DH
# groups, with the curve25519 exchanges left out (duplicate nistp521 entry removed).
ssh_key_exchange_algorithms = [
  "ecdh-sha2-nistp521",
  "ecdh-sha2-nistp256",
  "ecdh-sha2-nistp384",
  "diffie-hellman-group14-sha1",
  "diffie-hellman-group1-sha1"
]

Relevant references
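As an added example (not part of the issue or the spel project), the following script turns the diagnostic step above into something repeatable: it parses /var/log/secure lines of the form quoted in the issue, pairs each `input_kex_gen_init ... not allowed in FIPS mode` rejection with the `ssh_dispatch_run_fatal` line for the same sshd child PID to recover the client address, counts rejections per source and KEX type, and then drops the rejected algorithms from a proposed Packer `ssh_key_exchange_algorithms` list. The sample log is constructed from the issue's excerpt, and the mapping from sshd's short type name `c25519` to the `curve25519-sha256` algorithm names is an assumption, not something the issue states.

```python
import re
from collections import Counter

# Constructed sample of /var/log/secure lines, in the format quoted in the
# issue. Each FIPS KEX rejection is followed by the fatal disconnect sshd logs
# for the same child PID; the last line is an unrelated successful login so the
# parser has something to ignore.
SAMPLE_LOG = """\
Apr  9 18:52:43 ip-172-31-47-57 sshd[1460]: input_kex_gen_init: Key exchange type c25519 is not allowed in FIPS mode [preauth]
Apr  9 18:52:43 ip-172-31-47-57 sshd[1460]: ssh_dispatch_run_fatal: Connection from 217.114.38.123 port 51540: invalid argument [preauth]
Apr  9 18:52:51 ip-172-31-47-57 sshd[1463]: input_kex_gen_init: Key exchange type c25519 is not allowed in FIPS mode [preauth]
Apr  9 18:52:51 ip-172-31-47-57 sshd[1463]: ssh_dispatch_run_fatal: Connection from 217.114.38.123 port 51544: invalid argument [preauth]
Apr  9 18:53:02 ip-172-31-47-57 sshd[1470]: Accepted publickey for maintuser from 10.0.0.5 port 40210 ssh2
"""

KEX_REJECT_RE = re.compile(
    r"sshd\[(?P<pid>\d+)\]: input_kex_gen_init: "
    r"Key exchange type (?P<kex>\S+) is not allowed in FIPS mode"
)
FATAL_RE = re.compile(
    r"sshd\[(?P<pid>\d+)\]: ssh_dispatch_run_fatal: "
    r"Connection from (?P<ip>[0-9a-fA-F.:]+) port (?P<port>\d+)"
)

# Assumed mapping from the short type name sshd prints in the FIPS message to
# the algorithm names used in Packer's ssh_key_exchange_algorithms list. Only
# the c25519 entry is grounded in the issue's log excerpt.
SSHD_TYPE_TO_KEX_NAMES = {
    "c25519": {"curve25519-sha256", "curve25519-sha256@libssh.org"},
}


def rejected_kex_events(log_text):
    """Pair each FIPS KEX rejection with the fatal disconnect logged by the
    same sshd child PID, yielding the rejected type plus the client address."""
    pending = {}   # pid -> rejected kex type, awaiting its fatal line
    events = []
    for line in log_text.splitlines():
        m = KEX_REJECT_RE.search(line)
        if m:
            pending[m["pid"]] = m["kex"]
            continue
        m = FATAL_RE.search(line)
        if m and m["pid"] in pending:
            events.append({
                "pid": int(m["pid"]),
                "kex": pending.pop(m["pid"]),
                "ip": m["ip"],
                "port": int(m["port"]),
            })
    return events


def summarize(events):
    """Count rejections per (client ip, rejected kex type)."""
    return Counter((e["ip"], e["kex"]) for e in events)


def filter_kex_list(candidates, rejected_types):
    """Drop every Packer KEX name that sshd reported as not FIPS-allowed,
    preserving the original order and removing duplicate entries."""
    banned = set()
    for t in rejected_types:
        banned |= SSHD_TYPE_TO_KEX_NAMES.get(t, {t})
    kept = []
    for name in candidates:
        if name not in banned and name not in kept:
            kept.append(name)
    return kept


if __name__ == "__main__":
    evs = rejected_kex_events(SAMPLE_LOG)
    for (ip, kex), n in summarize(evs).items():
        print(f"{ip}: {n} connection(s) rejected for KEX type {kex}")
    proposed = ["curve25519-sha256", "ecdh-sha2-nistp521", "ecdh-sha2-nistp256",
                "ecdh-sha2-nistp384", "ecdh-sha2-nistp521"]
    print("KEX list without rejected types:",
          filter_kex_list(proposed, {e["kex"] for e in evs}))
```

Run it against a copy of /var/log/secure pulled from a failing builder instead of `SAMPLE_LOG` to see which client addresses (the CodeBuild egress IP, in the issue's case) are being cut off and for which exchange type, before the Packer SSH timeout fires.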