[rest]: Fix RESTCONF basic auth — rsa-sha2 host keys and FIPS-safe SSH KEX#164
Open
Griffin-micas wants to merge 1 commit into
Open
Conversation
…H KEX RESTCONF basic auth (which dials the local sshd) is broken two ways: the pinned 2020 x/crypto has no rsa-sha2-256/512 host-key algorithms so it never matches OpenSSH ≥8.8, and once bumped the default curve25519 key exchange panics under FIPS (golang- fips rejects X25519), crashing the process. Bump x/crypto to v0.24.0 and pin the auth SSH client to FIPS-approved ECDH-P256/AES- GCM. Signed-off-by: Griffin Gao <griffin@micasnetworks.com>
|
/azp run |
|
Azure Pipelines successfully started running 1 pipeline(s). |
|
Hi, there are workflow run(s) waiting for approval, you may be first-time contributor. I will notify maintainers to help approve once PR is approved. Thanks! ---Powered by SONiC BuildBot
|
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Fixes sonic-net/sonic-buildimage#28142
RESTCONF basic auth (which dials the local sshd) is broken two ways: the pinned 2020 x/crypto has no rsa-sha2-256/512 host-key algorithms so it never matches OpenSSH ≥8.8, and once bumped the default curve25519 key exchange panics under FIPS (golang- fips rejects X25519), crashing the process. Bump x/crypto to v0.24.0 and pin the auth SSH client to FIPS-approved ECDH-P256/AES- GCM.
Why I did it
RESTCONF username/password (HTTP basic) authentication is broken. Basic auth is implemented by dialing the local sshd (
rest/server/pamAuth.godoesssh.Dial 127.0.0.1:22because the container has no access to the host's/etc/passwd//etc/shadow). Two problems stack on top of each other:1. No common host-key algorithm (all images with modern OpenSSH).
The pinned
golang.org/x/crypto(2020) advertises onlyssh-rsa/ssh-ed25519/ecdsa-*host-key algorithms. OpenSSH >= 8.8 no longer offersssh-rsa(SHA-1) and, with only an RSA host key present, offersrsa-sha2-512/rsa-sha2-256. There is no intersection, so the SSH handshake fails and every login returns 401, regardless of credentials:This is not FIPS-specific — it affects any image whose sshd is OpenSSH >= 8.8.
2. Key exchange panics under FIPS (
sonic_fips=1).Once the host-key issue is fixed and the handshake proceeds,
x/crypto/sshdefaults tocurve25519-sha256for key exchange. Under FIPS the golang-fips crypto layer rejects X25519 (the same policy that makes rest_server's own TLS refuse the X25519 curve), so the exchange panics inside the ssh handshake goroutine, whichnet/httpcannot recover — crashing the wholerest_serverprocess:Problem 2 is exposed by fixing problem 1, so both must ship together. golang-fips crashing (rather than returning an error) on an unsupported KEX is arguably an upstream bug — tracked in #; this PR avoids it by constraining the exchange.
How I did it
Two coupled changes:
a. Bump
golang.org/x/cryptoto v0.24.0 (go.mod/go.sum), which supports thersa-sha2-256/rsa-sha2-512host-key algorithms. v0.24.0 is deliberately chosen to match the existing SONiC-wide pin (sonic-gnmialready forcesx/crypto => v0.24.0via a replace directive), keeping the go-directive floor low for backport compatibility. Newer versions add nothing for this fix (rsa-sha2 support has been present since ~2021). Note: CVE-2024-45337 (x/crypto/ssh, fixed v0.31.0) concerns server-sideServerConfig.PublicKeyCallbackmisuse; this code is a client using password auth and does not use PublicKeyCallback, so it is not affected.b. Pin FIPS-approved KEX/cipher for the auth ssh client (
rest/server/pamAuth.go):This is a loopback connection to the local sshd, which always offers these NIST algorithms (P-256 ECDH is FIPS-mandatory), so restricting to them is safe on both FIPS and non-FIPS images and avoids the X25519 KEX entirely. AES-GCM is an AEAD, so no separate (potentially unsupported) MAC is negotiated; the RSA-SHA2 host key uses RSA verification, which symcrypt supports.
How to verify it
On a
sonic_fips=1image, with a correct admin password:curl: (56) SSL_read: unexpected eofanddocker logs mgmt-frameworkshowsexited: rest-server (exit status 2).200with the interface data. A wrong password returns a clean401, and the process no longer crashes (noexit status 2indocker logs).Protocol-level confirmation that the pinned algorithms handshake against the local FIPS sshd: