From 8f8d3c879cf5cd9bbd153b68a5c600c9a3bef618 Mon Sep 17 00:00:00 2001
From: Jiri Denemark
Date: Thu, 4 Aug 2022 18:05:01 +0200
Subject: [PATCH] libvirt-8.5.0-5.el9 - rpc: Pass OPENSSL_CONF through to ssh invocations (rhbz#2112348)
Resolves: rhbz#2112348
---
 ...NSSL_CONF-through-to-ssh-invocations.patch | 82 +++++++++++++++++++
 libvirt.spec | 6 +-
 2 files changed, 87 insertions(+), 1 deletion(-)
 create mode 100644 libvirt-rpc-Pass-OPENSSL_CONF-through-to-ssh-invocations.patch
diff --git a/libvirt-rpc-Pass-OPENSSL_CONF-through-to-ssh-invocations.patch b/libvirt-rpc-Pass-OPENSSL_CONF-through-to-ssh-invocations.patch
new file mode 100644
index 0000000..f70a508
--- /dev/null
+++ b/libvirt-rpc-Pass-OPENSSL_CONF-through-to-ssh-invocations.patch
@@ -0,0 +1,82 @@
+From c6ea67c481a2f447951449bd9b2746cfaaf385fd Mon Sep 17 00:00:00 2001
+Message-Id:
+From: "Richard W.M. Jones"
+Date: Mon, 25 Jul 2022 14:09:39 +0100
+Subject: [PATCH] rpc: Pass OPENSSL_CONF through to ssh invocations
+
+It's no longer possible for libvirt to connect over the ssh transport
+from RHEL 9 to RHEL 5. This is because SHA1 signatures have been
+effectively banned in RHEL 9 at the openssl level. They are required
+to check the RHEL 5 host key. Note this is a separate issue from
+openssh requiring additional configuration in order to connect to
+older servers.
+
+Connecting from a RHEL 9 client to RHEL 5 server:
+
+$ cat ~/.ssh/config
+Host 192.168.0.91
+ KexAlgorithms +diffie-hellman-group14-sha1
+ MACs +hmac-sha1
+ HostKeyAlgorithms +ssh-rsa
+ PubkeyAcceptedKeyTypes +ssh-rsa
+ PubkeyAcceptedAlgorithms +ssh-rsa
+
+$ virsh -c 'qemu+ssh://root@192.168.0.91/system' list
+error: failed to connect to the hypervisor
+error: Cannot recv data: ssh_dispatch_run_fatal: Connection to 192.168.0.91 port 22: error in libcrypto: Connection reset by peer
+
+"error in libcrypto: Connection reset by peer" is the characteristic
+error of openssl having been modified to disable SHA1 by default.
+(You will not see this on non-RHEL-derived distros.)
+
+You could enable the legacy crypto policy which downgrades security on
+the entire host, but a more fine-grained way to do this is to create
+an alternate openssl configuration file that enables the "forbidden"
+signatures. However this requires passing the OPENSSL_CONF
+environment variable through to ssh to specify the alternate
+configuration. Libvirt filters out this environment variable, but
+this commit allows it through.
With this commit:
+
+$ cat /var/tmp/openssl.cnf
+.include /etc/ssl/openssl.cnf
+[openssl_init]
+alg_section = evp_properties
+[evp_properties]
+rh-allow-sha1-signatures = yes
+
+$ OPENSSL_CONF=/var/tmp/openssl.cnf ./run virsh -c 'qemu+ssh://root@192.168.0.91/system' list
+root@192.168.0.91's password:
+ Id Name State
+--------------------
+
+Essentially my argument here is that OPENSSL_CONF is sufficiently
+similar in nature to KRB5CCNAME, SSH* and XAUTHORITY that we should
+permit it to be passed through.
+
+virt-v2v bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=2062360
+Signed-off-by: Richard W.M. Jones
+Acked-by: Laszlo Ersek
+Reviewed-by: Michal Privoznik
+
+(cherry picked from commit 45912ac399abd9d4eba21fa3f15cb7587351f959)
+Libvirt BZ: https://bugzilla.redhat.com/show_bug.cgi?id=2112348
+Signed-off-by: Michal Privoznik
+---
+ src/rpc/virnetsocket.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/src/rpc/virnetsocket.c b/src/rpc/virnetsocket.c
+index 32f506d2d4..8280bda007 100644
+--- a/src/rpc/virnetsocket.c
++++ b/src/rpc/virnetsocket.c
+@@ -855,6 +855,7 @@ int virNetSocketNewConnectSSH(const char *nodename,
+ virCommandAddEnvPass(cmd, "KRB5CCNAME");
+ virCommandAddEnvPass(cmd, "SSH_AUTH_SOCK");
+ virCommandAddEnvPass(cmd, "SSH_ASKPASS");
++ virCommandAddEnvPass(cmd, "OPENSSL_CONF");
+ virCommandAddEnvPass(cmd, "DISPLAY");
+ virCommandAddEnvPass(cmd, "XAUTHORITY");
+ virCommandClearCaps(cmd);
+--
+2.35.1
+
diff --git a/libvirt.spec b/libvirt.spec
index baad87c..898e949 100644
--- a/libvirt.spec
+++ b/libvirt.spec
@@ -231,7 +231,7 @@ Summary: Library providing a simple virtualization API
 Name: libvirt
 Version: 8.5.0
-Release: 4%{?dist}%{?extra_release}
+Release: 5%{?dist}%{?extra_release}
 License: LGPLv2+
 URL: https://libvirt.org/
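Review bot: The added `virCommandAddEnvPass(cmd, "OPENSSL_CONF");` carries no comment saying why this variable, unlike the rest of the client's environment, is allowed to reach the ssh child, and a reader of virnetsocket.c will not have this commit message at hand. I would add above the new line a comment such as `/* OPENSSL_CONF lets the caller point ssh's libcrypto at an alternate OpenSSL configuration (e.g. one that re-enables signature algorithms the system policy disables, so legacy hosts stay reachable); the value is forwarded unvalidated from the caller's own environment. */`. The point worth recording there is the scope of the relaxation: it applies to this ssh process only rather than the whole host, and — assuming virCommandAddEnvPass only forwards a variable already set in the libvirt client's environment — no privilege boundary is crossed, since the invoking user could set it for a direct ssh invocation anyway. The enclosing virNetSocketNewConnectSSH starts and ends outside the hunk.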
@@ -271,6 +271,7 @@ Patch28: libvirt-qemu_migration_params-Avoid-deadlock-in-qemuMigrationParamsRese
 Patch29: libvirt-qemu-Restore-original-memory-locking-limit-on-reconnect.patch
 Patch30: libvirt-qemu-Properly-release-job-in-qemuDomainSaveInternal.patch
 Patch31: libvirt-qemu-don-t-call-qemuMigrationSrcIsAllowedHostdev-from-qemuMigrationDstPrepareFresh.patch
+Patch32: libvirt-rpc-Pass-OPENSSL_CONF-through-to-ssh-invocations.patch
 Requires: libvirt-daemon = %{version}-%{release}
@@ -2177,6 +2178,9 @@ exit 0
 %changelog
+* Thu Aug 4 2022 Jiri Denemark - 8.5.0-5
+- rpc: Pass OPENSSL_CONF through to ssh invocations (rhbz#2112348)
+
 * Fri Jul 29 2022 Jiri Denemark - 8.5.0-4
 - qemu: Pass migration flags to qemuMigrationParamsApply (rhbz#2111070)
 - qemu_migration_params: Replace qemuMigrationParamTypes array (rhbz#2111070)