Pivotal Knowledge Base


Gpssh-exkeys and gpseginstall fail when installing on RHEL 7.4 with FIPS enabled

Environment

  • Greenplum DB 5.0 (other versions potentially affected)
  • Red Hat Enterprise Linux 7.4
  • FIPS mode enabled
  • Older SSH key exchange algorithms (SHA-1) disabled

Symptom

When attempting to use the tools `gpssh-exkeys` or `gpseginstall`, the key exchange fails with the following error and repeatedly requests a password:

Incompatible ssh peer (no acceptable kex algorithm)

Error Message:

[root@master ~]# gpssh-exkeys -f hostfile_exkeys
[STEP 1 of 5] create local ID and authorize on local host
  ... /root/.ssh/id_rsa file exists ... key generation skipped

[STEP 2 of 5] keyscan all hosts and update known_hosts file

[STEP 3 of 5] authorize current user on remote hosts
  ... send to node1
  ***
  *** Enter password for node1:
[ERROR node1] Incompatible ssh peer (no acceptable kex algorithm)
  ***
  *** Enter password for node1:

Cause

The Greenplum management tool suite currently bundles an older version of the Python Paramiko library, which does not support the newer SSH key exchange algorithms. When the older key exchange algorithms are disabled on a FIPS-compliant server, the key exchange mediated by the Greenplum tools fails.

Resolution

A defect has been opened for this issue. Please contact Pivotal Support if you have questions or concerns.

Because the keys only need to be shared once, and because `gpseginstall` and `gpssh-exkeys` skip any previously shared keys, the following workaround is possible:

1. With FIPS enabled, use `ssh-copy-id` to copy SSH keys that have been generated with `ssh-keygen`.

2. Disable FIPS, or add the following kex algorithms to /etc/ssh/sshd_config and reload sshd:

KexAlgorithms=+diffie-hellman-group14-sha1,diffie-hellman-group-exchange-sha1

3. Complete the installation of gpdb using `gpseginstall`.

4. At this point the keys have been exchanged, and they will not need to be exchanged again unless you add another node to the cluster.

5. You can therefore re-enable FIPS and be fully compliant again by removing the additional kex algorithms from /etc/ssh/sshd_config. The SSH keys that allow login without password authentication are in place, and the key exchange restriction of the Greenplum tools is no longer relevant, as the keys do not need to be re-shared.
