
fedora33: update-crypto-policies --set LEGACY #173

Merged
merged 1 commit into from
Nov 4, 2020

Conversation

hswong3i
Contributor

@hswong3i hswong3i commented Oct 31, 2020

@hswong3i hswong3i force-pushed the master-fedora33 branch 7 times, most recently from 1e6555c to eb09372 Compare November 1, 2020 07:23
@hswong3i
Contributor Author

hswong3i commented Nov 1, 2020

@ladar The current implementation (https://github.com/lavabit/robox/pull/173/files#diff-f910de6f4744660a002d304cbe816512bf93f5c5c848581bf062adf2e47c6063R40-R42) should be logically correct:

diff --git a/scripts/fedora33/vagrant.sh b/scripts/fedora33/vagrant.sh
index d320b35..67cd67f 100644
--- a/scripts/fedora33/vagrant.sh
+++ b/scripts/fedora33/vagrant.sh
@@ -36,3 +36,7 @@ chown -R vagrant:vagrant /home/vagrant/.ssh
 
 # Mark the vagrant box build time.
 date --utc > /etc/vagrant_box_build_time
+
+# Ensures maximum compatibility with legacy systems (64-bit security).
+# https://github.com/hashicorp/vagrant/issues/11783#issuecomment-702100872
+update-crypto-policies --set LEGACY
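Review bot: the `update-crypto-policies --set LEGACY` line at the end of the hunk lowers the crypto policy for the whole box in order to admit a single RSA SSH key; a narrower change is an sshd drop-in that only re-enables the ssh-rsa signature, e.g. `PubkeyAcceptedKeyTypes=+ssh-rsa` in /etc/ssh/sshd_config.d/, which is the approach the later comments in this thread arrive at. The comment "(64-bit security)" does not state the actual reason the line is needed (the Vagrant insecure key is RSA, and the Fedora 33 DEFAULT policy rejects the SHA-1 based ssh-rsa signature quoted from the OpenSSH release notes below), so consider rewording it, and the command's exit status is not checked, so a failure would pass silently through the provisioner.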

Throughout the entire packer provisioners stage, I could confirm that update-crypto-policies --show is LEGACY.

BTW, after the post-processors stage completed and I manually vagrant box add the resulting image, vagrant up still gets stuck.

If I manually log in through the virt console and execute update-crypto-policies --show, it has reverted to DEFAULT (!!).

Now if I execute update-crypto-policies --set LEGACY again, the stuck vagrant up continues and completes without error (!?). Moreover, vagrant ssh is now working fine, too.

As I am using vagrant-libvirt with virt-sysprep available (i.e. libguestfs-tools installed under Ubuntu 20.04), I guess that it is maybe reset by virt-sysprep during vagrant package being called by the vagrant post-processors?

UPDATE: no, it shouldn't be related to virt-sysprep or libguestfs-tools; the issue is still happening even with the binary/package already removed. Somehow it should be re-initialized during first startup...

Upstream SSH has been claiming for a few releases now that:

    It is now possible to perform chosen-prefix attacks against the
    SHA-1 algorithm for less than USD$50K. For this reason, we will be
    disabling the "ssh-rsa" public key signature algorithm by default in a
    near-future release.

See hashicorp/vagrant#11783 (comment)
@hswong3i
Contributor Author

hswong3i commented Nov 1, 2020

Even after downgrading from packer 1.6.2 to 1.4.5, the update-crypto-policies --set LEGACY still couldn't persist after the vagrant package stage, and always rolls back to DEFAULT during vagrant up... Sorry, I have no more ideas about how to fix this :-(

@hswong3i
Contributor Author

hswong3i commented Nov 5, 2020

@ladar Oh, you already merged this PR ^_^||

BTW, from hashicorp/vagrant#11783 (comment), which points to https://pagure.io/fedora-kickstarts/pull-request/669#request_diff from the official Fedora Vagrant image, the change should be something like:

cat > /etc/ssh/sshd_config.d/10-vagrant-insecure-rsa-key.conf <<EOF
# For now the vagrant insecure key is an rsa key
# https://github.com/hashicorp/vagrant/issues/11783
PubkeyAcceptedKeyTypes=+ssh-rsa
EOF

@ladar
Member

ladar commented Nov 5, 2020

@hswong3i I like this new method a lot more. I updated the vagrant.sh module accordingly. The 3.1.2 release is almost finished, but this change should be reflected in the 3.1.4 build.

@hswong3i
Contributor Author

hswong3i commented Nov 5, 2020

@ladar OMG!!! So these two lines (1526688#diff-f910de6f4744660a002d304cbe816512bf93f5c5c848581bf062adf2e47c6063R46-R47) are the trick for keeping the file in existence after provisioning!? I had been trying for more than 2 days but was just missing these two lines O_o!?

chcon system_u:object_r:etc_t:s0 /etc/ssh/sshd_config.d/10-vagrant-insecure-rsa-key.conf
chmod 600 /etc/ssh/sshd_config.d/10-vagrant-insecure-rsa-key.conf

EDIT: Oh, I get it!! So it's SELinux getting me into trouble, AGAIN!! But why isn't the official Fedora vagrant box (https://pagure.io/fedora-kickstarts/blob/master/f/fedora-cloud-base.ks#_29) affected!?

selinux --enforcing
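The narrower fix this thread converges on, as an added example that is not code from the robox project or from either commenter: a POSIX shell script that writes the sshd drop-in with the root-only mode and etc_t SELinux label from the two lines quoted above, verifies the result, and confirms the box-wide policy was left at DEFAULT rather than LEGACY. The directory argument and the function names are assumptions so it can be exercised against a scratch directory outside a box build.

```shell
#!/bin/sh
# Added example, not code from the robox project or the commenters above.
# Writes the sshd drop-in that admits the Vagrant insecure RSA key without
# lowering the box-wide policy via `update-crypto-policies --set LEGACY`.
# The directory argument is an assumption so it can run against a scratch
# directory; on a real Fedora 33 box it is /etc/ssh/sshd_config.d.
set -eu

DROPIN_NAME="10-vagrant-insecure-rsa-key.conf"

write_vagrant_sshd_dropin() {
    dir="$1"
    file="$dir/$DROPIN_NAME"
    mkdir -p "$dir"
    # Same content as the kickstart change quoted in the thread.
    cat > "$file" <<'EOF'
# For now the vagrant insecure key is an rsa key
# https://github.com/hashicorp/vagrant/issues/11783
PubkeyAcceptedKeyTypes=+ssh-rsa
EOF
    # The two lines that made the file survive provisioning on the box:
    # root-only mode and the etc_t SELinux label (label skipped where
    # SELinux tooling is absent or SELinux is disabled).
    chmod 600 "$file"
    if command -v chcon >/dev/null 2>&1 && command -v getenforce >/dev/null 2>&1 \
        && [ "$(getenforce 2>/dev/null)" != "Disabled" ]; then
        chcon system_u:object_r:etc_t:s0 "$file"
    fi
}

# Returns 0 when the drop-in exists, is mode 0600, and extends (with "+")
# rather than replaces the default algorithm list.
verify_vagrant_sshd_dropin() {
    file="$1/$DROPIN_NAME"
    [ -f "$file" ] || return 1
    [ -n "$(find "$1" -name "$DROPIN_NAME" -perm 600)" ] || return 1
    grep -qx 'PubkeyAcceptedKeyTypes=+ssh-rsa' "$file" || return 1
    # A bare "ssh-rsa" value would drop the stronger defaults: reject it.
    ! grep -qx 'PubkeyAcceptedKeyTypes=ssh-rsa' "$file"
}

# Returns 0 when the box-wide policy is untouched (DEFAULT), or when the
# tool is not installed on the host running this script.
crypto_policy_is_default() {
    command -v update-crypto-policies >/dev/null 2>&1 || return 0
    [ "$(update-crypto-policies --show)" = "DEFAULT" ]
}
```

On a real box, run it as root against /etc/ssh/sshd_config.d and follow with `sshd -t` to confirm sshd still parses its configuration.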

@ladar
Member

ladar commented Nov 5, 2020

@hswong3i SELinux is enabled in our version as well. You can confirm by running sestatus ...

@hswong3i
Contributor Author

hswong3i commented Nov 5, 2020

@ladar I just tried vagrant init generic/fedora33 --box-version 3.1.0 then vagrant up --provider libvirt, but it still failed due to the 8f0d1f5 implementation.

Most likely we need your updated version with 1526688 in order to get rid of the SELinux-related issue ;-)

@ladar
Member

ladar commented Nov 5, 2020

@hswong3i yes, the issue wasn't fixed in 3.1.0 ... I think the update-crypto-policies fix made it into 3.1.2, which just started uploading... so it should release in the next couple of days (uploads take a while because of cloud limits).

Either way, I'm starting the 3.1.4 build now, which will include the SSH config fix. That version should be done building by Monday, and should release next week, assuming there aren't too many box build failures.
