Mailing List Archive

Getting "key_demote: error in libcrypto" error when using OpenSSH 7.6p1 with OpenSSL in FIPS mode
Hello All

I posted this query on comp.security.ssh but haven't got any response
to it so far. I'd appreciate if I can get any help to resolve this
issue.

I have a CentOS 6 system that is running OpenSSH version 7.6p1 built
with OpenSSL 1.0.2o. The OpenSSL is built with FIPS module 2.0.16. I
have a python based pluggable authentication module configured using
pam_python 1.0.6 and Python 2.7.10.

When I use an ssh client to login to this system, the connection is
immediately closed by the system. This happens whether I login using
password or key.

Checking the /var/log/secure I see the following error:

sshd[11255]: fatal: key_demote: error in libcrypto

Checking OpenSSH code I think this is happening when the server is
demoting private keys to public keys. The problem I have tracked down
is because of an import in the PAM python module which eventually
imports the python's _ssl module. A dummy PAM python module with just
this import reproduces the issue.

Here is the dummy PAM python module that I am using to repro the issue:

-----
#!/opt/bin/python

# Importing Python's _ssl extension module (which links against libssl and
# libcrypto) is the only thing this module does beyond returning success;
# this import alone is enough to reproduce the key_demote failure.
import _ssl

def pam_sm_authenticate(pamh, flags, argv):
    return pamh.PAM_SUCCESS

def pam_sm_setcred(pamh, flags, argv):
    return pamh.PAM_SUCCESS

def pam_sm_open_session(pamh, flags, argv):
    return pamh.PAM_SUCCESS

def pam_sm_close_session(pamh, flags, argv):
    return pamh.PAM_SUCCESS

def pam_sm_acct_mgmt(pamh, flags, argv):
    return pamh.PAM_SUCCESS

-----

Any help is very much appreciated in resolving or understanding this
issue. If there is any other information that may be helpful in
understanding this issue, please let me know.

Thanks
Arshad
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@mindrot.org
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
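Added diagnostic (not code from the thread or from OpenSSH): a small Python check that parses /proc/<pid>/maps output and reports shared libraries mapped from more than one file, which is how one would confirm the assumption that importing _ssl into sshd's process pulls in a second libcrypto alongside the FIPS-enabled one sshd was linked against. The maps lines below are constructed sample input; the paths are hypothetical.

```python
import os
import re
from collections import defaultdict

# Constructed sample of /proc/<pid>/maps lines for an sshd child that has
# loaded pam_python and, through it, Python's _ssl module. The paths are
# hypothetical; they model sshd's FIPS-enabled libcrypto under /opt plus a
# second system libcrypto brought in by _ssl.so.
SAMPLE_MAPS = """\
7f3a10000000-7f3a10020000 r-xp 00000000 fd:00 1001 /usr/lib64/libpam.so.0.83.1
7f3a10200000-7f3a10400000 r-xp 00000000 fd:00 1002 /opt/lib/libcrypto.so.1.0.0
7f3a10400000-7f3a10410000 rw-p 00200000 fd:00 1002 /opt/lib/libcrypto.so.1.0.0
7f3a10600000-7f3a10700000 r-xp 00000000 fd:00 1003 /lib64/security/pam_python.so
7f3a10800000-7f3a10a00000 r-xp 00000000 fd:00 1004 /opt/lib/python2.7/lib-dynload/_ssl.so
7f3a10c00000-7f3a10e00000 r-xp 00000000 fd:00 1005 /usr/lib64/libcrypto.so.1.0.1e
7f3a11000000-7f3a11100000 r-xp 00000000 fd:00 1006 /usr/lib64/libssl.so.1.0.1e
7f3a11200000-7f3a11221000 rw-p 00000000 00:00 0 [heap]
"""

# "libcrypto.so.1.0.0" -> "libcrypto"; ignores non-library objects like _ssl.so
LIB_RE = re.compile(r'^(lib[^.]+)\.so')


def parse_maps(text):
    """Map each library base name to the set of files it was mapped from."""
    libs = defaultdict(set)
    for line in text.splitlines():
        fields = line.split(None, 5)
        if len(fields) < 6:
            continue                    # anonymous mapping without a pathname
        path = fields[5]
        if not path.startswith('/'):
            continue                    # [heap], [stack], [vdso] and friends
        match = LIB_RE.match(os.path.basename(path))
        if match:
            libs[match.group(1)].add(path)
    return libs


def duplicate_libraries(text):
    """Libraries present as two different files in one process (e.g. two libcrypto)."""
    return {name: sorted(paths)
            for name, paths in parse_maps(text).items() if len(paths) > 1}


def check_pid(pid):
    """Run the same check against a live process via /proc/<pid>/maps."""
    with open('/proc/%d/maps' % pid) as fh:
        return duplicate_libraries(fh.read())


if __name__ == '__main__':
    for name, paths in sorted(duplicate_libraries(SAMPLE_MAPS).items()):
        print('%s loaded from %d files: %s' % (name, len(paths), ', '.join(paths)))
```

On a real system, run `check_pid()` against the sshd child handling the failing login; a second libcrypto in the list means the PAM module's Python runtime is not using the FIPS build sshd expects.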
Re: Getting "key_demote: error in libcrypto" error when using OpenSSH 7.6p1 with OpenSSL in FIPS mode
Hi Roumen

Thanks for your reply.

We used to have openssh compiled with older fips openssl and it worked
fine. Now due to some system updates, we have to update openssl and
recompile openssh with the newer version and it now fails when the
system is in fips mode.

Could you or someone on the forum help me understand this key demotion
step? What is it and how does it work? Maybe I can try my luck and
see if I can come up with a fix.

Thanks and regards
Arshad
On Sat, Nov 10, 2018 at 1:32 AM Roumen Petrov <pkixssh@roumenpetrov.info> wrote:
>
> Hello Arshad,
>
> Arshad Khan wrote:
> > Hello All
> >
> > I posted this query on comp.security.ssh but haven't got any response
> > to it so far. I'd appreciate if I can get any help to resolve this
> > issue.
>
> I guess you chose the wrong project.
> It is a long story about the OpenBSD community and the world.
>
> > I have a CentOS 6 system that is running OpenSSH version 7.6p1 built
> > with OpenSSL 1.0.2o. The OpenSSL is built with FIPS module 2.0.16.
>
> OpenBSD refuses to accept modifications that allow ssh programs to work
> with a cryptographic library running in FIPS mode. It is not just about
> OpenBSD's refusal of community patches. One of the issues is that OpenBSD uses
> an outdated OpenSSL API - some functions are not allowed in FIPS mode.
>
> So RedHat and respectively CentOS distribute a heavily patched version built
> against a custom FIPS validated openssl.
>
> If you would like to use FIPS enabled SSH then PKIX-SSH is exactly for you -
> it works with FIPS enabled versions of OpenSSL, RedHat, Solaris (see link
> in signature below).
>
> Let me know if you need some hints for building with a FIPS enabled OpenSSL
> library.
>
> > I
> > have a python based pluggable authentication module configured using
> > pam_python 1.0.6 and Python 2.7.10.
> >
> > When I use an ssh client to login to this system, the connection is
> > immediately closed by the system. This happens whether I login using
> > password or key.
> >
> > Checking the /var/log/secure I see the following error:
> >
> > sshd[11255]: fatal: key_demote: error in libcrypto
> >
> > [SNIP]
>
> Hmm, from the above message it is not clear what the reason for the failure is.
> If OpenSSL is in FIPS mode, the OpenBSD version is expected to crash, not to
> raise an error.
>
>
> > Thanks
> > Arshad
> > _____
>
> Regards,
> Roumen Petrov
>
> --
> Advanced secure shell implementation with X.509 certificate support
> http://roumenpetrov.info/secsh/
>