libvirt-8.5.0-5.el9

- rpc: Pass OPENSSL_CONF through to ssh invocations (rhbz#2112348)

Resolves: rhbz#2112348
This commit is contained in:
Jiri Denemark 2022-08-04 18:05:01 +02:00
parent fe7f49b39b
commit 8f8d3c879c
2 changed files with 87 additions and 1 deletions

View File

@ -0,0 +1,82 @@
From c6ea67c481a2f447951449bd9b2746cfaaf385fd Mon Sep 17 00:00:00 2001
Message-Id: <c6ea67c481a2f447951449bd9b2746cfaaf385fd@dist-git>
From: "Richard W.M. Jones" <rjones@redhat.com>
Date: Mon, 25 Jul 2022 14:09:39 +0100
Subject: [PATCH] rpc: Pass OPENSSL_CONF through to ssh invocations
It's no longer possible for libvirt to connect over the ssh transport
from RHEL 9 to RHEL 5. This is because SHA1 signatures have been
effectively banned in RHEL 9 at the openssl level. They are required
to check the RHEL 5 host key. Note this is a separate issue from
openssh requiring additional configuration in order to connect to
older servers.
Connecting from a RHEL 9 client to RHEL 5 server:
$ cat ~/.ssh/config
Host 192.168.0.91
KexAlgorithms +diffie-hellman-group14-sha1
MACs +hmac-sha1
HostKeyAlgorithms +ssh-rsa
PubkeyAcceptedKeyTypes +ssh-rsa
PubkeyAcceptedAlgorithms +ssh-rsa
$ virsh -c 'qemu+ssh://root@192.168.0.91/system' list
error: failed to connect to the hypervisor
error: Cannot recv data: ssh_dispatch_run_fatal: Connection to 192.168.0.91 port 22: error in libcrypto: Connection reset by peer
"error in libcrypto: Connection reset by peer" is the characteristic
error of openssl having been modified to disable SHA1 by default.
(You will not see this on non-RHEL-derived distros.)
You could enable the legacy crypto policy which downgrades security on
the entire host, but a more fine-grained way to do this is to create
an alternate openssl configuration file that enables the "forbidden"
signatures. However this requires passing the OPENSSL_CONF
environment variable through to ssh to specify the alternate
configuration. Libvirt filters out this environment variable, but
this commit allows it through. With this commit:
$ cat /var/tmp/openssl.cnf
.include /etc/ssl/openssl.cnf
[openssl_init]
alg_section = evp_properties
[evp_properties]
rh-allow-sha1-signatures = yes
$ OPENSSL_CONF=/var/tmp/openssl.cnf ./run virsh -c 'qemu+ssh://root@192.168.0.91/system' list
root@192.168.0.91's password:
Id Name State
--------------------
Essentially my argument here is that OPENSSL_CONF is sufficiently
similar in nature to KRB5CCNAME, SSH* and XAUTHORITY that we should
permit it to be passed through.
virt-v2v bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=2062360
Signed-off-by: Richard W.M. Jones <rjones@redhat.com>
Acked-by: Laszlo Ersek <lersek@redhat.com>
Reviewed-by: Michal Privoznik <mprivozn@redhat.com>
(cherry picked from commit 45912ac399abd9d4eba21fa3f15cb7587351f959)
Libvirt BZ: https://bugzilla.redhat.com/show_bug.cgi?id=2112348
Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
---
src/rpc/virnetsocket.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/src/rpc/virnetsocket.c b/src/rpc/virnetsocket.c
index 32f506d2d4..8280bda007 100644
--- a/src/rpc/virnetsocket.c
+++ b/src/rpc/virnetsocket.c
@@ -855,6 +855,7 @@ int virNetSocketNewConnectSSH(const char *nodename,
virCommandAddEnvPass(cmd, "KRB5CCNAME");
virCommandAddEnvPass(cmd, "SSH_AUTH_SOCK");
virCommandAddEnvPass(cmd, "SSH_ASKPASS");
+ virCommandAddEnvPass(cmd, "OPENSSL_CONF");
virCommandAddEnvPass(cmd, "DISPLAY");
virCommandAddEnvPass(cmd, "XAUTHORITY");
virCommandClearCaps(cmd);
--
2.35.1

View File

@ -231,7 +231,7 @@
Summary: Library providing a simple virtualization API Summary: Library providing a simple virtualization API
Name: libvirt Name: libvirt
Version: 8.5.0 Version: 8.5.0
Release: 4%{?dist}%{?extra_release} Release: 5%{?dist}%{?extra_release}
License: LGPLv2+ License: LGPLv2+
URL: https://libvirt.org/ URL: https://libvirt.org/
@ -271,6 +271,7 @@ Patch28: libvirt-qemu_migration_params-Avoid-deadlock-in-qemuMigrationParamsRese
Patch29: libvirt-qemu-Restore-original-memory-locking-limit-on-reconnect.patch Patch29: libvirt-qemu-Restore-original-memory-locking-limit-on-reconnect.patch
Patch30: libvirt-qemu-Properly-release-job-in-qemuDomainSaveInternal.patch Patch30: libvirt-qemu-Properly-release-job-in-qemuDomainSaveInternal.patch
Patch31: libvirt-qemu-don-t-call-qemuMigrationSrcIsAllowedHostdev-from-qemuMigrationDstPrepareFresh.patch Patch31: libvirt-qemu-don-t-call-qemuMigrationSrcIsAllowedHostdev-from-qemuMigrationDstPrepareFresh.patch
Patch32: libvirt-rpc-Pass-OPENSSL_CONF-through-to-ssh-invocations.patch
Requires: libvirt-daemon = %{version}-%{release} Requires: libvirt-daemon = %{version}-%{release}
@ -2177,6 +2178,9 @@ exit 0
%changelog %changelog
* Thu Aug 4 2022 Jiri Denemark <jdenemar@redhat.com> - 8.5.0-5
- rpc: Pass OPENSSL_CONF through to ssh invocations (rhbz#2112348)
* Fri Jul 29 2022 Jiri Denemark <jdenemar@redhat.com> - 8.5.0-4 * Fri Jul 29 2022 Jiri Denemark <jdenemar@redhat.com> - 8.5.0-4
- qemu: Pass migration flags to qemuMigrationParamsApply (rhbz#2111070) - qemu: Pass migration flags to qemuMigrationParamsApply (rhbz#2111070)
- qemu_migration_params: Replace qemuMigrationParamTypes array (rhbz#2111070) - qemu_migration_params: Replace qemuMigrationParamTypes array (rhbz#2111070)