WIP: packaging: setup: remote_engine: Fix for FIPS
In fips mode, we fail with:
  File "/usr/lib/python3.6/site-packages/otopi/context.py", line 132, in _executeMethod
    method['method']()
  File "/usr/share/ovirt-engine/setup/bin/../plugins/ovirt-engine-setup/ovirt-engine-dwh/core/remote_engine.py", line 83, in _remote_engine_customization
    oenginecons.ConfigEnv.ENGINE_FQDN
  File "/usr/share/ovirt-engine/setup/ovirt_engine_setup/remote_engine.py", line 146, in configure
    self._style.configure(fqdn=fqdn)
  File "/usr/share/ovirt-engine/setup/bin/../plugins/ovirt-engine-common/base/remote_engine/remote_engine_root_ssh.py", line 177, in configure
    self._ssh_connect()
  File "/usr/share/ovirt-engine/setup/bin/../plugins/ovirt-engine-common/base/remote_engine/remote_engine_root_ssh.py", line 153, in _ssh_connect
    osetupcons.ConfigEnv.REMOTE_ENGINE_HOST_CLIENT_KEY
  File "/usr/lib/python3.6/site-packages/paramiko/client.py", line 416, in connect
    self, server_hostkey_name, server_key
  File "/usr/lib/python3.6/site-packages/paramiko/client.py", line 837, in missing_host_key
    key.get_name(), hostname, hexlify(key.get_fingerprint())
  File "/usr/lib/python3.6/site-packages/paramiko/pkey.py", line 180, in get_fingerprint
    return md5(self.asbytes()).digest()

This is because we use paramiko.WarningPolicy, which uses
get_fingerprint to show the missing key, which uses hashlib.md5 [1],
which is disabled in fips mode.

Create our own policy instead, that does not show the key.

Please note that this isn't a complete fix for [1] - e.g. if you have
any keys in normal locations, such as ~/.ssh/id_rsa, paramiko will fail
later, when mentioning that it's going to try loading them.

[1] paramiko/paramiko#1103

Change-Id: I99a934ceefc707cdff127229d1bebf196aac4140
Signed-off-by: Yedidyah Bar David <didi@redhat.com>
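A stricter, FIPS-compatible alternative to the policy described above, as an added example (not part of this commit or of ovirt-engine): it fingerprints the unknown key with SHA-256 in OpenSSH notation instead of MD5, and raises a custom exception instead of accepting the key, which is the direction the TODO in the diff points to. The names `UnknownHostKey`, `StrictFipsPolicy`, `sha256_fingerprint` and `FakeKey`, and the key blob, are constructed for this example.

```python
import base64
import hashlib

try:
    from paramiko import MissingHostKeyPolicy
except ImportError:  # paramiko absent: minimal stand-in with the same method, so this runs offline
    class MissingHostKeyPolicy:
        def missing_host_key(self, client, hostname, key):
            raise NotImplementedError


class UnknownHostKey(Exception):
    """Raised instead of silently accepting a key that is not in known_hosts."""
    def __init__(self, hostname, key_type, fingerprint):
        super().__init__(f"unknown {key_type} host key for {hostname}: {fingerprint}")
        self.hostname, self.key_type, self.fingerprint = hostname, key_type, fingerprint


def sha256_fingerprint(key):
    """OpenSSH-style 'SHA256:<base64, no padding>' fingerprint of a paramiko key.

    hashlib.sha256 is allowed in FIPS mode, unlike the hashlib.md5 that
    PKey.get_fingerprint() uses; only key.asbytes() is needed from paramiko.
    """
    digest = hashlib.sha256(key.asbytes()).digest()
    return "SHA256:" + base64.b64encode(digest).decode("ascii").rstrip("=")


class StrictFipsPolicy(MissingHostKeyPolicy):
    """Reject unknown host keys with an exception the caller can catch and verify.

    Returning normally from missing_host_key() accepts the key, which is what
    paramiko.WarningPolicy does after logging; raising forces a decision.
    """
    def missing_host_key(self, client, hostname, key):
        raise UnknownHostKey(hostname, key.get_name(), sha256_fingerprint(key))


class FakeKey:
    """Constructed stand-in for a paramiko PKey (example data, not a real key)."""
    def __init__(self, name, blob):
        self.name, self.blob = name, blob

    def get_name(self):
        return self.name

    def asbytes(self):
        return self.blob
```

With a real client, `client.set_missing_host_key_policy(StrictFipsPolicy())` makes `connect()` raise `UnknownHostKey`, whose `fingerprint` attribute can be compared against an expected value before retrying with the key added to known_hosts.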
didib committed Sep 20, 2022
1 parent be1087d commit 37e63e6
Showing 1 changed file with 10 additions and 3 deletions.
@@ -107,6 +107,15 @@ def _ssh_get_port(self):

def _ssh_connect(self):
import paramiko

logger = self.logger

class my_missing_key_policy(paramiko.MissingHostKeyPolicy):
def missing_host_key(self, client, hostname, key):
logger.warn(
f'Unknown {key.get_name()} host key for {hostname}'
)

connected = False
interactive = False
password = self.environment[
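Review bot: `logger.warn` in the new `missing_host_key` method is the deprecated alias of `logger.warning` on Python 3 and emits a DeprecationWarning; use `logger.warning(...)`. The message also drops every identifying detail about the key, whereas the replaced `WarningPolicy` at least logged a fingerprint; since only the MD5 fingerprint is blocked under FIPS, the key can still be shown with a FIPS-approved digest such as `hashlib.sha256(key.asbytes()).digest()` in base64 (the `SHA256:` form OpenSSH prints) or with `key.get_base64()`, neither of which touches `hashlib.md5`. Returning normally from `missing_host_key` still accepts the unknown key exactly as `WarningPolicy` did, so the behaviour the TODO below asks for (a custom exception the caller can catch and verify) is still missing.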
@@ -130,9 +139,7 @@ def _ssh_connect(self):
default='',
)
client = paramiko.SSHClient()
client.set_missing_host_key_policy(
paramiko.WarningPolicy()
)
client.set_missing_host_key_policy(my_missing_key_policy)
# TODO Currently the warning goes only to the log file.
# We should probably write our own policy with a custom
# exception so that we can catch it below and verify with
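Review bot: `client.set_missing_host_key_policy(my_missing_key_policy)` passes the class, while the removed lines passed an instance (`paramiko.WarningPolicy()`). Newer paramiko releases instantiate a bare class for you, but older ones store whatever they are given and later call `policy.missing_host_key(self, server_hostkey_name, server_key)` on it, which fails with a TypeError for an uninstantiated class; pass `my_missing_key_policy()` to keep the call shape the code already used. The retained TODO comment is now slightly stale: the custom policy it asks for exists, and what remains to do is the custom exception and the catch-and-verify step it describes.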
