@Vincent056
Contributor

Add shared Kubernetes configuration that disables GSSAPI authentication in SSHD by setting GSSAPIAuthentication to 'no' with higher priority. This is necessary because the default 50-redhat.conf file contains GSSAPIAuthentication set to 'yes', which must be overridden for compliance requirements.

sh-5.1# cd /etc/ssh/ssh_config.d/
sh-5.1# ls
50-redhat.conf
sh-5.1# cat 50-redhat.conf 
# The options here are in the "Match final block" to be applied as the last
# options and could be potentially overwritten by the user configuration
Match final all
        # Follow system-wide Crypto Policy, if defined:
        Include /etc/crypto-policies/back-ends/openssh.config

        GSSAPIAuthentication yes

# If this option is set to yes then remote X11 clients will have full access
# to the original X11 display. As virtually no X11 client supports the untrusted
# mode correctly we set this to yes.
        ForwardX11Trusted yes

# Uncomment this if you want to use .local domain
# Host *.local
sh-5.1# 

@xiaojiey
Collaborator

/test e2e-aws-openshift-node-compliance

@xiaojiey
Collaborator

/retest-required

@xiaojiey
Collaborator

The rule fail_sshd_disable_gssapi_auth still fails with the PR:

%  oc get cr upstream-rhcos4-e8-master-sshd-disable-gssapi-auth-1 -o=jsonpath={.spec.current.object.spec.config} | jq -r

{
  "ignition": {
    "version": "3.1.0"
  },
  "storage": {
    "files": [
      {
        "contents": {
          "source": "data:,GSSAPIAuthentication%20no"
        },
        "mode": 384,
        "overwrite": true,
        "path": "/etc/ssh/sshd_config.d/75-complianceascode-sshd_disable_gssapi_auth.conf"
      }
    ]
  }
}
% ./rerun.sh 
compliancescan.compliance.openshift.io/upstream-ocp4-e8 annotated
compliancescan.compliance.openshift.io/upstream-rhcos4-e8-master annotated
compliancescan.compliance.openshift.io/upstream-rhcos4-e8-worker annotated
% oc get scan -w
NAME                        PHASE   RESULT
upstream-ocp4-e8            DONE    NON-COMPLIANT
upstream-rhcos4-e8-master   DONE    NON-COMPLIANT
upstream-rhcos4-e8-worker   DONE    NON-COMPLIANT
^C
% oc get ccr | grep sshd-disable-gssapi-auth
upstream-rhcos4-e8-master-sshd-disable-gssapi-auth                   FAIL     medium
upstream-rhcos4-e8-worker-sshd-disable-gssapi-auth                   FAIL     medium
I: oscap: Opening file '/host/etc/ssh/sshd_config.d'.
I: oscap: Test 'oval:ssg-test_sshd_disable_gssapi_auth_config_dir:tst:1' requires that zero or more objects defined by 'oval:ssg-obj_sshd_disable_gssapi_auth_config_dir:obj:1' exist on the system.
I: oscap: 3 objects defined by 'oval:ssg-obj_sshd_disable_gssapi_auth_config_dir:obj:1' exist on the system.
I: oscap: All items matching object 'oval:ssg-obj_sshd_disable_gssapi_auth_config_dir:obj:1' were collected. (flag=complete)
I: oscap: In test 'oval:ssg-test_sshd_disable_gssapi_auth_config_dir:tst:1' all of the collected items must satisfy these states: 'oval:ssg-state_sshd_disable_gssapi_auth_config_dir:ste:1'.
I: oscap: Entity 'subexpression'='no' of item '10000334' matches corresponding entity in state 'oval:ssg-state_sshd_disable_gssapi_auth_config_dir:ste:1'.
I: oscap: Item '10000334' compared to state 'oval:ssg-state_sshd_disable_gssapi_auth_config_dir:ste:1' with result true.
I: oscap: Item '10000333' compared to state 'oval:ssg-state_sshd_disable_gssapi_auth_config_dir:ste:1' with result false.
I: oscap: Entity 'subexpression'='no' of item '10000335' matches corresponding entity in state 'oval:ssg-state_sshd_disable_gssapi_auth_config_dir:ste:1'.
I: oscap: Item '10000335' compared to state 'oval:ssg-state_sshd_disable_gssapi_auth_config_dir:ste:1' with result true.
I: oscap: Test 'oval:ssg-test_sshd_disable_gssapi_auth_config_dir:tst:1' evaluated as false.
I: oscap: Evaluating textfilecontent54 test 'oval:ssg-test_GSSAPIAuthentication_present_sshd_disable_gssapi_auth:tst:1': Verify that the value of GSSAPIAuthentication is present.
I: oscap: Querying textfilecontent54 object 'oval:ssg-obj_collection_obj_sshd_disable_gssapi_auth:obj:1', flags: 0.
I: oscap: Creating new syschar for textfilecontent54_object 'oval:ssg-obj_collection_obj_sshd_disable_gssapi_auth:obj:1'.
I: oscap: Switching probe to PROBE_OFFLINE_OWN mode.
I: oscap: Test 'oval:ssg-test_GSSAPIAuthentication_present_sshd_disable_gssapi_auth:tst:1' requires that at least one object defined by 'oval:ssg-obj_collection_obj_sshd_disable_gssapi_auth:obj:1' exists on the system.
I: oscap: 3 objects defined by 'oval:ssg-obj_collection_obj_sshd_disable_gssapi_auth:obj:1' exist on the system.
I: oscap: Test 'oval:ssg-test_GSSAPIAuthentication_present_sshd_disable_gssapi_auth:tst:1' does not contain any state to compare object with.
I: oscap: All items matching object 'oval:ssg-obj_collection_obj_sshd_disable_gssapi_auth:obj:1' were collected. (flag=complete)
I: oscap: Test 'oval:ssg-test_GSSAPIAuthentication_present_sshd_disable_gssapi_auth:tst:1' evaluated as true.
I: oscap: Definition 'oval:ssg-sshd_disable_gssapi_auth:def:1' evaluated as false.

# disruption = low
{{{ kubernetes_sshd_set() }}}
---
{{{ kubernetes_sshd_dropin('GSSAPIAuthentication no', config_basename='75-complianceascode-sshd_disable_gssapi_auth.conf') }}}
@rhmdnd rhmdnd Nov 10, 2025

SSHD configuration is processed lexicographically and uses the first found value:

Unless noted otherwise, for each keyword, the first obtained value will be used.

https://man.openbsd.org/sshd_config

This remediation will come after the 50-*.conf settings.

Collaborator


Can we keep this remediation in the distributed config so that it doesn't conflict with the 50-redhat.conf value, which sets this parameter to yes, and the rule can't determine which one to use?

…g from '75-complianceascode-sshd_disable_gssapi_auth.conf' to '00-complianceascode-sshd_disable_gssapi_auth.conf' to ensure higher priority in SSHD settings for compliance requirements.
@xiaojiey
Collaborator

xiaojiey commented Nov 11, 2025

Verification fails with a397a93:

1. PASS for 4.12:
% oc get ccr | grep sshd-disable-gssapi-auth
upstream-rhcos4-e8-master-sshd-disable-gssapi-auth          PASS   medium
upstream-rhcos4-e8-worker-sshd-disable-gssapi-auth          PASS   medium
% oc debug node/ip-10-0-157-34.us-east-2.compute.internal -- chroot /host egrep -nr "GSSAPIAuthentication" /etc/ssh 2>/dev/null
/etc/ssh/ssh_config:25:#  GSSAPIAuthentication no
/etc/ssh/sshd_config:88:GSSAPIAuthentication no
/etc/ssh/ssh_config.d/05-redhat.conf:7:	GSSAPIAuthentication yes
2. FAIL for 4.20:
% oc get ccr | grep sshd-disable-gssapi-auth
upstream-rhcos4-e8-master-sshd-disable-gssapi-auth                   FAIL     medium
upstream-rhcos4-e8-worker-sshd-disable-gssapi-auth                   FAIL     medium
% oc debug node/ip-10-0-21-31.us-east-2.compute.internal  -- chroot /host egrep -nr "GSSAPIAuthentication" /etc/ssh/sshd_config.d/ 2>/dev/null
/etc/ssh/sshd_config.d/50-redhat.conf:12:GSSAPIAuthentication yes
/etc/ssh/sshd_config.d/00-complianceascode-sshd_disable_gssapi_auth.conf:1:GSSAPIAuthentication no
##### in openscap logs:
I: oscap: 2 objects defined by 'oval:ssg-obj_sshd_disable_gssapi_auth_config_dir:obj:1' exist on the system.
I: oscap: All items matching object 'oval:ssg-obj_sshd_disable_gssapi_auth_config_dir:obj:1' were collected. (flag=complete)
I: oscap: In test 'oval:ssg-test_sshd_disable_gssapi_auth_config_dir:tst:1' all of the collected items must satisfy these states: 'oval:ssg-state_sshd_disable_gssapi_auth_config_dir:ste:1'.
I: oscap: Item '10000333' compared to state 'oval:ssg-state_sshd_disable_gssapi_auth_config_dir:ste:1' with result false.
I: oscap: Entity 'subexpression'='no' of item '10000334' matches corresponding entity in state 'oval:ssg-state_sshd_disable_gssapi_auth_config_dir:ste:1'.
I: oscap: Item '10000334' compared to state 'oval:ssg-state_sshd_disable_gssapi_auth_config_dir:ste:1' with result true.
I: oscap: Test 'oval:ssg-test_sshd_disable_gssapi_auth_config_dir:tst:1' evaluated as false.
I: oscap: Evaluating textfilecontent54 test 'oval:ssg-test_GSSAPIAuthentication_present_sshd_disable_gssapi_auth:tst:1': Verify that the value of GSSAPIAuthentication is present.
I: oscap: Querying textfilecontent54 object 'oval:ssg-obj_collection_obj_sshd_disable_gssapi_auth:obj:1', flags: 0.
I: oscap: Creating new syschar for textfilecontent54_object 'oval:ssg-obj_collection_obj_sshd_disable_gssapi_auth:obj:1'.
I: oscap: Switching probe to PROBE_OFFLINE_OWN mode.
I: oscap: Test 'oval:ssg-test_GSSAPIAuthentication_present_sshd_disable_gssapi_auth:tst:1' requires that at least one object defined by 'oval:ssg-obj_collection_obj_sshd_disable_gssapi_auth:obj:1' exists on the system.
I: oscap: 2 objects defined by 'oval:ssg-obj_collection_obj_sshd_disable_gssapi_auth:obj:1' exist on the system.
I: oscap: Test 'oval:ssg-test_GSSAPIAuthentication_present_sshd_disable_gssapi_auth:tst:1' does not contain any state to compare object with.
I: oscap: All items matching object 'oval:ssg-obj_collection_obj_sshd_disable_gssapi_auth:obj:1' were collected. (flag=complete)
I: oscap: Test 'oval:ssg-test_GSSAPIAuthentication_present_sshd_disable_gssapi_auth:tst:1' evaluated as true.
I: oscap: Definition 'oval:ssg-sshd_disable_gssapi_auth:def:1' evaluated as false.
Result        fail

# disruption = low
{{{ kubernetes_sshd_set() }}}
---
{{{ kubernetes_sshd_dropin('GSSAPIAuthentication no', config_basename='00-complianceascode-sshd_disable_gssapi_auth.conf') }}}
Collaborator


I think we have to find a way to write this to the old configuration file (/etc/ssh/sshd_config) so that we don't end up with multiple values in the same directory. The rule doesn't know to use the 00-complianceascode-* value instead of the one in 50-redhat.conf.
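A constructed model (added here, not ComplianceAsCode code) of the two evaluation semantics this thread is circling: sshd's first-obtained-value rule over lexicographically expanded Include files, versus the config_dir OVAL test from the scan log, which requires every file under sshd_config.d that sets the keyword to carry the expected value. File contents are illustrative; Match blocks are not modelled.

```python
import fnmatch

# Constructed snapshot of a 4.13+ node's sshd configuration after this PR's
# drop-in is written next to the stock 50-redhat.conf. Illustrative contents.
NODE_FS = {
    "/etc/ssh/sshd_config": "Include /etc/ssh/sshd_config.d/*.conf\n",
    "/etc/ssh/sshd_config.d/00-complianceascode-sshd_disable_gssapi_auth.conf":
        "GSSAPIAuthentication no\n",
    "/etc/ssh/sshd_config.d/50-redhat.conf":
        "Include /etc/crypto-policies/back-ends/opensshserver.config\n"
        "GSSAPIAuthentication yes\nUsePAM yes\n",
    "/etc/crypto-policies/back-ends/opensshserver.config":
        "Ciphers aes256-gcm@openssh.com\n",
}

def expand(path, fs):
    """Yield (file, keyword, value) in the order sshd reads them: Include
    directives expand to matching files in lexicographic order, recursively."""
    for raw in fs.get(path, "").splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition(" ")
        if key.lower() == "include":
            pattern = value.strip()
            for inc in sorted(p for p in fs if fnmatch.fnmatchcase(p, pattern)):
                yield from expand(inc, fs)
        else:
            yield path, key.lower(), value.strip()

def sshd_effective_value(keyword, fs):
    """sshd keeps the first value obtained for a keyword and ignores later ones."""
    for _, key, value in expand("/etc/ssh/sshd_config", fs):
        if key == keyword.lower():
            return value
    return None

def oval_config_dir_test(keyword, expected, fs):
    """Model of the config_dir OVAL test in the scan log: every file under
    sshd_config.d that sets the keyword must hold the expected value. It has
    no notion of precedence, so one stray 'yes' fails the whole rule."""
    per_file = {}
    for path, text in fs.items():
        if not path.startswith("/etc/ssh/sshd_config.d/"):
            continue
        for raw in text.splitlines():
            key, _, value = raw.strip().partition(" ")
            if key.lower() == keyword.lower():
                per_file[path] = value.strip() == expected
    return all(per_file.values()), per_file
```

With this snapshot sshd resolves GSSAPIAuthentication to `no` while the OVAL test still reports 50-redhat.conf as non-matching; replacing 50-redhat.conf wholesale with `GSSAPIAuthentication no` makes the test pass but drops every other keyword that file carried (e.g. `sshd_effective_value("UsePAM", fs)` then returns None).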

Collaborator


Are we able to try something like this to see if it only sets the parameter once?

diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_disable_gssapi_auth/kubernetes/shared.yml b/linux_os/guide/services/ssh/ssh_server/sshd_disable_gssapi_auth/kubernetes/shared.yml
index c89d87fc25..456fb7d063 100644
--- a/linux_os/guide/services/ssh/ssh_server/sshd_disable_gssapi_auth/kubernetes/shared.yml
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_disable_gssapi_auth/kubernetes/shared.yml
@@ -3,6 +3,6 @@
 # strategy = restrict
 # complexity = low
 # disruption = low
-{{{ kubernetes_sshd_set() }}}
+{{{ kubernetes_disable_sshd_config_option('GSSAPIAuthentication') }}}
 ---
-{{{ kubernetes_sshd_dropin('GSSAPIAuthentication no', config_basename='00-complianceascode-sshd_disable_gssapi_auth.conf') }}}
+{{{ kubernetes_disable_sshd_config_option_dropin('GSSAPIAuthentication') }}}
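Review bot: the macro names called in this hunk do not match the ones defined in the 10-kubernetes.jinja hunk below. This file calls `kubernetes_disable_sshd_config_option('GSSAPIAuthentication')` and `kubernetes_disable_sshd_config_option_dropin('GSSAPIAuthentication')`, but the macros are defined as `kubernetes_disable_existing_sshd_config_option` and `kubernetes_disable_existing_sshd_config_dropin`; templating will fail on an undefined macro unless the names are aligned on one side or the other.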
diff --git a/shared/macros/10-kubernetes.jinja b/shared/macros/10-kubernetes.jinja
index 15a7eea152..e66f7567b5 100644
--- a/shared/macros/10-kubernetes.jinja
+++ b/shared/macros/10-kubernetes.jinja
@@ -248,6 +248,29 @@ spec:
 {{{ kubernetes_machine_config_file(path='/etc/ssh/sshd_config.d/' + config_basename, file_permissions_mode='0600', source=sshd_dropin_content, ocp_version_range=ocp_version_range) }}}
 {{%- endmacro -%}}

+{{#
+  Disable SSH options in existing configuration files.
+
+  GSSAPI authentication is enabled by default in
+  `/etc/ssh/sshd_config.d/50-redhat.com`. Using a drop-in file for another
+  parameter in the same directory breaks the rule. Even if the drop-in file is
+  placed correctly, and disables the GSSAPI, the rule still detects that there
+  is a string in `/etc/ssh/sshd_config.d/50-redhat.conf` that has
+  `GSSAPIAuthentication yes`.
+
+  We need this specific macro so that we can override the setting in
+  `/etc/ssh/sshd_config.d/50-redhat.conf` on 4.13+ and `/etc/ssh/sshd_config` on
+  4.12.
+
+#}}
+{{%- macro kubernetes_disable_existing_sshd_config_option(parameter) -%}}
+{{{ kubernetes_machine_config_file(path='/etc/ssh/sshd_config', file_permissions_mode='0600', source=parameter + ' no' , ocp_version_range='<4.13.0') }}}
+{{%- endmacro -%}}
+
+{{%- macro kubernetes_disable_existing_sshd_config_dropin(parameter) -%}}
+{{{ kubernetes_machine_config_file(path='/etc/ssh/sshd_config.d/50-redhat.conf', file_permissions_mode='0600', source=parameter + ' no' , ocp_version_range='>=4.13.0') }}}
+{{%- endmacro -%}}
+

 {{% macro usbguard_config_source() %}}
 #
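Review bot: both new macros hand `source=parameter + ' no'` to `kubernetes_machine_config_file` as the entire file contents, so on <4.13.0 `/etc/ssh/sshd_config` and on >=4.13.0 `/etc/ssh/sshd_config.d/50-redhat.conf` are replaced by a single line, discarding every other directive those files carry (the crypto-policy Include, `UsePAM`, `SyslogFacility`, and on 4.12 the whole base sshd_config). A remediation that only needs one keyword flipped should change that one line, or place the override in a file read before 50-redhat.conf and let the check honour precedence, rather than rewrite a vendor-owned file. Two smaller points: the comment refers to `50-redhat.com` where the path everywhere else is `50-redhat.conf`, and the macro named `kubernetes_disable_existing_sshd_config_dropin` writes to 50-redhat.conf rather than creating a drop-in, so its name and the comment describing it are misleading.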

Updated the shared Kubernetes configuration to disable GSSAPI authentication by introducing new macros. This change ensures compliance by overriding the default settings in `/etc/ssh/sshd_config.d/50-redhat.conf` and `/etc/ssh/sshd_config` for different OpenShift versions.
@openshift-ci

openshift-ci bot commented Nov 11, 2025

@Vincent056: The following test failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name Commit Details Required Rerun command
ci/prow/e2e-aws-openshift-node-compliance 850bb22 link true /test e2e-aws-openshift-node-compliance

Full PR test history. Your PR dashboard.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

@xiaojiey
Collaborator

Overriding the file /etc/ssh/sshd_config.d/50-redhat.conf might not be a good idea. There are several configurations in the file before the auto-remediation is applied; however, most of those configurations disappear after the auto-remediation is applied.
Before applying the remediation:

% oc debug node/ip-10-0-28-108.us-east-2.compute.internal -- chroot /host cat /etc/ssh/sshd_config.d/50-redhat.conf                           
Starting pod/ip-10-0-28-108us-east-2computeinternal-debug-8c4cd ...
To use host binaries, run `chroot /host`. Instead, if you need to access host namespaces, run `nsenter -a -t 1`.
# This system is following system-wide crypto policy. The changes to
# crypto properties (Ciphers, MACs, ...) will not have any effect in
# this or following included files. To override some configuration option,
# write it before this block or include it before this file.
# Please, see manual pages for update-crypto-policies(8) and sshd_config(5).
Include /etc/crypto-policies/back-ends/opensshserver.config

SyslogFacility AUTHPRIV

ChallengeResponseAuthentication no

GSSAPIAuthentication yes
GSSAPICleanupCredentials no

UsePAM yes

X11Forwarding yes

# It is recommended to use pam_motd in /etc/pam.d/sshd instead of PrintMotd,
# as it is more configurable and versatile than the built-in version.
PrintMotd no


Removing debug pod ...

After the remediation is applied:

% oc debug node/ip-10-0-16-134.us-east-2.compute.internal -- chroot /host cat /etc/ssh/sshd_config.d/50-redhat.conf  
Starting pod/ip-10-0-16-134us-east-2computeinternal-debug-4m85f ...
To use host binaries, run `chroot /host`. Instead, if you need to access host namespaces, run `nsenter -a -t 1`.
GSSAPIAuthentication no
Removing debug pod ...
