Getting "key_demote: error in libcrypto" error when using OpenSSH 7.6p1 with OpenSSL in FIPS mode

[Date Prev] [Date Next] [Thread Prev] [Thread Next] [Date Index] [Thread Index]

 



Hello All

I posted this query on comp.security.ssh but haven't got any response
to it so far. I'd appreciate if I can get any help to resolve this
issue.

I have a CentOS 6 system that is running OpenSSH version 7.6p1 built
with OpenSSL 1.0.2o. The OpenSSL is built with FIPS module 2.0.16. I
have a python based pluggable authenticataion module configured using
pam_python 1.0.6 and Python 2.7.10.

When I use a ssh client to login to this system, the connection is
immediately closed by the system. This happens whether I login using
password or key.

Checking the /var/log/secure I see following error:

sshd[11255]: fatal: key_demote: error in libcrypto

Checking OpenSSH code I think this is happening when the server is
demoting private keys to public keys. The problem I have tracked down
is because of an import in the PAM python module which eventually
imports the python's _ssl module. A dummy PAM python module with just
this import reproduces the issue.

Here is the dummy PAM python module that I am using to repro the issue:

-----
#!/opt/bin/python

import _ssl

def pam_sm_authenticate(pamh, flags, argv):
    return pamh.PAM_SUCCESS

def pam_sm_setcred(pamh, flags, argv):
    return pamh.PAM_SUCCESS

def pam_sm_open_session(pamh, flags, argv):
    return pamh.PAM_SUCCESS

def pam_sm_close_session(pamh, flags, argv):
    return pamh.PAM_SUCCESS

def pam_sm_acct_mgmt(pamh, flags, argv):
    return pamh.PAM_SUCCESS

-----

Any help is very much appreciated in resolving or understanding this
issue. If there is any other information that may be helpful in
understanding this issue, please let me know.

Thanks
Arshad
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev



[Date Prev] [Date Next] [Thread Prev] [Thread Next] [Date Index] [Thread Index]

[Index of Archives]     [Linux ARM Kernel]     [Linux ARM]     [Linux Omap]     [Fedora ARM]     [IETF Annouce]     [Security]     [Bugtraq]     [Linux]     [Linux OMAP]     [Linux MIPS]     [ECOS]     [Asterisk Internet PBX]     [Linux API]

  Powered by Linux