
Conversation

@rhmdnd
Collaborator

@rhmdnd rhmdnd commented Nov 26, 2025

  • Add parameter for obsolete sshd configuration options
  • Only check ssh protocol if openssh < 7.0
  • Only check UsePrivilegeSeparation if openssh < 7.5

@rhmdnd rhmdnd changed the title CMP 3978 CMP-3978: Incorporate SSH version into obsolete parameter rules Nov 26, 2025
@evgenyz
Member

evgenyz commented Nov 27, 2025

Why not just platform: package[openssh-server]<7.0?

@evgenyz
Member

evgenyz commented Nov 27, 2025

See: linux_os/guide/services/ssh/ssh_server/sshd_disable_compression/rule.yml

@jan-cerny jan-cerny added the OpenShift OpenShift product related. label Nov 28, 2025
@jan-cerny jan-cerny added this to the 0.1.80 milestone Nov 28, 2025
@Mab879
Member

Mab879 commented Dec 3, 2025

You will need to add the package to shared/applicability/package.yml

OpenSSH made the `Protocol` option obsolete in version 7.0. Even if you
try to specify it, it's not going to use the version you set for
security reasons:

  Potentially-incompatible Changes
  --------------------------------

   * Support for the legacy SSH version 1 protocol is disabled by
     default at compile time.

See the release notes for version 7.0 for more details.

https://www.openssh.org/releasenotes.html

OpenSSH hardcoded the `UsePrivilegeSeparation` option to `sandbox` in
7.5:

  Potentially-incompatible changes
  ================================

  This release includes a number of changes that may affect existing
  configurations:

   * This release deprecates the sshd_config UsePrivilegeSeparation
     option, thereby making privilege separation mandatory. Privilege
     separation has been on by default for almost 15 years and
     sandboxing has been on by default for almost the last five.

https://www.openssh.org/releasenotes.html

Let's only check it if the ssh version is applicable.
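In the content project itself the gating discussed above is expressed as rule applicability (the `platform: package[openssh-server]<7.0` form evgenyz points at). The script below is an added example, not ComplianceAsCode's own rule or platform code, that mirrors the same decision outside the scanner: it takes the installed OpenSSH version as reported by `rpm -q` or `ssh -V`, decides whether the `Protocol` and `UsePrivilegeSeparation` checks still apply (obsolete since 7.0 and 7.5 respectively, per the release notes quoted above), and only then evaluates an sshd_config fragment. The config fragment, the rule names and the pass/fail semantics (an explicit `Protocol 2`, an explicit `yes` or `sandbox` for privilege separation) are constructed for the example and are assumptions, not the project's exact check logic.

```python
import re

# Thresholds taken from the OpenSSH release notes quoted in the thread:
# the Protocol option became obsolete in 7.0, UsePrivilegeSeparation in 7.5.
PROTOCOL_OBSOLETE_SINCE = (7, 0)
PRIVSEP_OBSOLETE_SINCE = (7, 5)

# Matches "8.7p1", "6.6.1p1", "9.3" inside rpm or `ssh -V` output.
_VERSION_RE = re.compile(r"(\d+)\.(\d+)")

# Constructed sshd_config fragment for the example (not taken from a real host).
SAMPLE_CONFIG = """\
# constructed sshd_config fragment
Port 22
Protocol 2
#UsePrivilegeSeparation sandbox
PermitRootLogin no
"""


def parse_openssh_version(text: str) -> tuple:
    """Return (major, minor) from strings such as
    'openssh-server-8.7p1-45.el9.x86_64' or 'OpenSSH_9.3p1, OpenSSL 3.0.9'."""
    m = _VERSION_RE.search(text)
    if not m:
        raise ValueError(f"no OpenSSH version found in {text!r}")
    return (int(m.group(1)), int(m.group(2)))


def applicable_checks(version: tuple) -> dict:
    """Decide which obsolete-option checks still make sense for this version.
    A check is only worth running while sshd still honours the option."""
    return {
        "Protocol": version < PROTOCOL_OBSOLETE_SINCE,
        "UsePrivilegeSeparation": version < PRIVSEP_OBSOLETE_SINCE,
    }


def parse_sshd_config(text: str) -> dict:
    """Minimal sshd_config reader: strips comments, lower-cases keywords,
    accepts 'Key value' or 'Key=value', and keeps the first occurrence of a
    keyword because that is the value sshd itself uses."""
    opts = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        opts.setdefault(key, value)
    return opts


def evaluate(config_text: str, version: tuple) -> dict:
    """Return {rule_name: 'pass' | 'fail' | 'notapplicable'} for the two rules
    the PR gates on. Rule names are illustrative, not the project's exact ids."""
    opts = parse_sshd_config(config_text)
    checks = applicable_checks(version)
    results = {}

    if checks["Protocol"]:
        # Require an explicit "Protocol 2" on versions that still honour it.
        results["sshd_allow_only_protocol2"] = (
            "pass" if opts.get("protocol") == "2" else "fail"
        )
    else:
        results["sshd_allow_only_protocol2"] = "notapplicable"

    if checks["UsePrivilegeSeparation"]:
        # Require the option to be set explicitly to yes or sandbox.
        value = opts.get("useprivilegeseparation", "").lower()
        results["sshd_use_priv_separation"] = (
            "pass" if value in ("yes", "sandbox") else "fail"
        )
    else:
        results["sshd_use_priv_separation"] = "notapplicable"

    return results


if __name__ == "__main__":
    # The rpm string below is the one reported in the verification comment.
    for probe in ("openssh-server-8.7p1-45.el9.x86_64", "OpenSSH_7.2p2", "OpenSSH_6.6.1p1"):
        ver = parse_openssh_version(probe)
        print(probe, ver, evaluate(SAMPLE_CONFIG, ver))
```

On the 8.7p1 build from the verification run both rules come back `notapplicable`, which is what the `oc get ccr` output in this thread shows (only `sshd-disable-rhosts-rsa` is evaluated); on a 7.2 host only the privilege-separation check runs, and on 6.6 both do.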
@Mab879
Member

Mab879 commented Dec 19, 2025

I will leave this open for now so y'all can test this if needed.

@xiaojiey
Collaborator

/retest

@openshift-ci

openshift-ci bot commented Dec 22, 2025

@rhmdnd: The following test failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name Commit Details Required Rerun command
ci/prow/e2e-aws-openshift-node-compliance 2c0f9b1 link true /test e2e-aws-openshift-node-compliance


@xiaojiey
Collaborator

verification pass:

  1. on a 4.21 rhcos9 based cluster and openssh-server-8.7p1-45:
$ oc  debug node/ip-10-0-20-230.us-east-2.compute.internal -- chroot /host rpm -q openssh-server
Starting pod/ip-10-0-20-230us-east-2computeinternal-debug ...
To use host binaries, run `chroot /host`
openssh-server-8.7p1-45.el9.x86_64
Removing debug pod ...
$ cat ~/func/tailored-profile-ssh-rules_new.yaml 
apiVersion: compliance.openshift.io/v1alpha1
kind: TailoredProfile
metadata:
  annotations:
    compliance.openshift.io/product-type: Node
  name: ssh-rules-test-new
  namespace: openshift-compliance
spec:
  description: "TailoredProfile to test specific SSH rules"
  title: "SSH Rules Test Profile"
  enableRules:
    - name: upstream-rhcos4-sshd-allow-only-protocol2
      rationale: "Test SSH protocol 2 enforcement"
    - name: upstream-rhcos4-sshd-disable-rhosts-rsa
      rationale: "Test RhostsRSA disabled"
    - name: upstream-rhcos4-sshd-use-priv-separation
      rationale: "Test privilege separation enabled"
$ cat ~/func/tailored-profile-ssh-rules_old.yaml 
apiVersion: compliance.openshift.io/v1alpha1
kind: TailoredProfile
metadata:
  annotations:
    compliance.openshift.io/product-type: Node
  name: ssh-rules-test-old
  namespace: openshift-compliance
spec:
  description: "TailoredProfile to test specific SSH rules"
  title: "SSH Rules Test Profile"
  enableRules:
    - name: rhcos4-sshd-allow-only-protocol2
      rationale: "Test SSH protocol 2 enforcement"
    - name: rhcos4-sshd-disable-rhosts-rsa
      rationale: "Test RhostsRSA disabled"
    - name: rhcos4-sshd-use-priv-separation
      rationale: "Test privilege separation enabled"
$ oc-compliance bind -N test -S default-auto-apply tailoredprofile/ssh-rules-test-new tailoredprofile/ssh-rules-test-old
Creating ScanSettingBinding test
$ oc get suite
test   DONE          NON-COMPLIANT
$ oc get cr
NAME                                                    STATE
ssh-rules-test-new-master-sshd-disable-rhosts-rsa-1     Applied
ssh-rules-test-new-worker-sshd-disable-rhosts-rsa-1     Applied
ssh-rules-test-old-master-sshd-allow-only-protocol2-1   Applied
ssh-rules-test-old-master-sshd-disable-rhosts-rsa-1     Applied
ssh-rules-test-old-master-sshd-use-priv-separation-1    Applied
ssh-rules-test-old-worker-sshd-allow-only-protocol2-1   Applied
ssh-rules-test-old-worker-sshd-disable-rhosts-rsa-1     Applied
ssh-rules-test-old-worker-sshd-use-priv-separation-1    Applied
$ oc-compliance rerun-now scansettingbinding test
Rerunning scans from 'test': ssh-rules-test-new-master, ssh-rules-test-new-worker, ssh-rules-test-old-master, ssh-rules-test-old-worker
Re-running scan 'openshift-compliance/ssh-rules-test-new-master'
Re-running scan 'openshift-compliance/ssh-rules-test-new-worker'
Re-running scan 'openshift-compliance/ssh-rules-test-old-master'
Re-running scan 'openshift-compliance/ssh-rules-test-old-worker'
###The other two rules didn't show because the openssh-server version > 7.5
$ oc  get ccr
NAME                                                  STATUS   SEVERITY
ssh-rules-test-new-master-sshd-disable-rhosts-rsa     PASS     medium
ssh-rules-test-new-worker-sshd-disable-rhosts-rsa     PASS     medium
ssh-rules-test-old-master-sshd-allow-only-protocol2   FAIL     high
ssh-rules-test-old-master-sshd-disable-rhosts-rsa     FAIL     medium
ssh-rules-test-old-master-sshd-use-priv-separation    FAIL     medium
ssh-rules-test-old-worker-sshd-allow-only-protocol2   FAIL     high
ssh-rules-test-old-worker-sshd-disable-rhosts-rsa     FAIL     medium
ssh-rules-test-old-worker-sshd-use-priv-separation    FAIL     medium
  2. On a 4.21 RHCOS10 based cluster, the verification is blocked by bug https://issues.redhat.com/browse/CMP-4034

  3. Also tested on a 4.14 cluster, and got the same test result as on 4.21.

@xiaojiey
Collaborator

/lgtm
