From c6ea67c481a2f447951449bd9b2746cfaaf385fd Mon Sep 17 00:00:00 2001

Message-Id: <c6ea67c481a2f447951449bd9b2746cfaaf385fd@dist-git>

From: "Richard W.M. Jones" <rjones@redhat.com>

Date: Mon, 25 Jul 2022 14:09:39 +0100

Subject: [PATCH] rpc: Pass OPENSSL_CONF through to ssh invocations

It's no longer possible for libvirt to connect over the ssh transport

from RHEL 9 to RHEL 5.  This is because SHA1 signatures have been

effectively banned in RHEL 9 at the openssl level.  They are required

to check the RHEL 5 host key.  Note this is a separate issue from

openssh requiring additional configuration in order to connect to

older servers.

Connecting from a RHEL 9 client to RHEL 5 server:

$ cat ~/.ssh/config

Host 192.168.0.91

  KexAlgorithms            +diffie-hellman-group14-sha1

  MACs                     +hmac-sha1

  HostKeyAlgorithms        +ssh-rsa

  PubkeyAcceptedKeyTypes   +ssh-rsa

  PubkeyAcceptedAlgorithms +ssh-rsa

$ virsh -c 'qemu+ssh://root@192.168.0.91/system' list

error: failed to connect to the hypervisor

error: Cannot recv data: ssh_dispatch_run_fatal: Connection to 192.168.0.91 port 22: error in libcrypto: Connection reset by peer

"error in libcrypto: Connection reset by peer" is the characteristic

error of openssl having been modified to disable SHA1 by default.

(You will not see this on non-RHEL-derived distros.)

You could enable the legacy crypto policy which downgrades security on

the entire host, but a more fine-grained way to do this is to create

an alternate openssl configuration file that enables the "forbidden"

signatures.  However this requires passing the OPENSSL_CONF

environment variable through to ssh to specify the alternate

configuration.  Libvirt filters out this environment variable, but

this commit allows it through.  With this commit:

$ cat /var/tmp/openssl.cnf

.include /etc/ssl/openssl.cnf

[openssl_init]

alg_section = evp_properties

[evp_properties]

rh-allow-sha1-signatures = yes

$ OPENSSL_CONF=/var/tmp/openssl.cnf ./run virsh -c 'qemu+ssh://root@192.168.0.91/system' list

root@192.168.0.91's password:

 Id   Name   State

--------------------

Essentially my argument here is that OPENSSL_CONF is sufficiently

similar in nature to KRB5CCNAME, SSH* and XAUTHORITY that we should

permit it to be passed through.

virt-v2v bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=2062360

Signed-off-by: Richard W.M. Jones <rjones@redhat.com>

Acked-by: Laszlo Ersek <lersek@redhat.com>

Reviewed-by: Michal Privoznik <mprivozn@redhat.com>

(cherry picked from commit 45912ac399abd9d4eba21fa3f15cb7587351f959)

Libvirt BZ: https://bugzilla.redhat.com/show_bug.cgi?id=2112348

Signed-off-by: Michal Privoznik <mprivozn@redhat.com>

---

 src/rpc/virnetsocket.c | 1 +

 1 file changed, 1 insertion(+)

diff --git a/src/rpc/virnetsocket.c b/src/rpc/virnetsocket.c

index 32f506d2d4..8280bda007 100644

--- a/src/rpc/virnetsocket.c

+++ b/src/rpc/virnetsocket.c

@@ -855,6 +855,7 @@ int virNetSocketNewConnectSSH(const char *nodename,

     virCommandAddEnvPass(cmd, "KRB5CCNAME");

     virCommandAddEnvPass(cmd, "SSH_AUTH_SOCK");

     virCommandAddEnvPass(cmd, "SSH_ASKPASS");

+    virCommandAddEnvPass(cmd, "OPENSSL_CONF");

     virCommandAddEnvPass(cmd, "DISPLAY");

     virCommandAddEnvPass(cmd, "XAUTHORITY");

     virCommandClearCaps(cmd);

-- 

2.35.1