[Bug 3603] New: ssh clients can't communicate with server with default cipher when fips is enabled at server end

bugzilla-daemon at mindrot.org bugzilla-daemon at mindrot.org
Thu Aug 17 17:18:35 AEST 2023


            Bug ID: 3603
           Summary: ssh clients can't communicate with server with default
                    cipher when fips is enabled at server end
           Product: Portable OpenSSH
           Version: 9.4p1
          Hardware: All
                OS: Linux
            Status: NEW
          Severity: critical
          Priority: P5
         Component: sshd
          Assignee: unassigned-bugs at mindrot.org
          Reporter: sshedi at vmware.com


This seems like a regression at first but there is a way to work around

When fips is enabled at server end and server has the following cipher

root at phdev:~ $ sshd -T | grep ciphers
chacha20-poly1305 at openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm at openssh.com,aes256-gcm at openssh.com

root at phdev:~ $ rpm -q openssh
openssh-9.1p1-10.ph5.x86_64 (this happens with 9.4p1 as well)

The handshake with client starts with chacha20-poly1305 and this cipher
is not fips complaint.

I'm not sure what the intention was but in this commit:

chacha20 cipher was promoted.

At the client end, "ssh user at IP" doesn't work and aborts almost

To workaround this issue, we need to do:

"ssh -c aes128-ctr user at IP"

In place of aes128-ctr, we can use any other algo which is fips
complaint (aes256-ctr, aes192-ctr etc).

Expected result:
ssh server should handle this gracefully.

Possible solutions:

1. Change the cipher order in KEX_SERVER_ENCRYPT (myproposal.h)

2. Use the same order but tweak the cipher list at run time based on
fips status in the system.

We did something like in PhotonOS 3.0:

But we are unsure about the issue this might cause.

3. Server should send a proper error message to client in this case
showing some details on what went wrong; currently client simply aborts
with zero info.

4. If fips is enabled and sshd_config has ciphers which are
incompatible in fips mode, sshd should throw a warning and use the next
available fips complaint cipher from the list.

Even now, we can do the following in sshd_config,

aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm at openssh.com,aes256-gcm at openssh.com,chacha20-poly1305 at openssh.com

But we have to do it in all the server instances. I think this should
be handled by server considering fips scenario.

Please feel free to correct me if I'm wrong here.

You are receiving this mail because:
You are watching the assignee of the bug.

More information about the openssh-bugs mailing list