SSH authentication fails on RHEL 9.7 FIPS after 10.2 upgrade


    • Severity 2 - Major

      Issue Summary

      After upgrading to Bitbucket 10.2, clients that use SSH authentication for Git operations fail to connect. The server logs an error (listed below).

      This affects RHEL servers with FIPS mode enabled.

      When the cipher negotiated for SSH is aes256-gcm@openssh.com, the server logs the error and the client's connection closes.

      Steps to Reproduce

      1. Perform a Git operation with the aes256-gcm cipher:
        GIT_SSH_COMMAND="ssh -c aes256-gcm@openssh.com -vvv" git clone ssh://.....
      2. The operation fails. The server logs an error at DEBUG level.

      Expected Results

      The Git operation should succeed.

      Actual Results

      One of the following exceptions appears in the server log:

      DEBUG [sshd-DrainableSshServer[<redacted>] o.a.s.c.s.h.SessionTimeoutListener sessionException(ServerSessionImpl[<redacted>]) NoSuchAlgorithmException: No such algorithm: AES/GCM/NoPadding
      
      or
      
      DEBUG [sshd-DrainableSshServer[<redacted>] o.a.s.c.s.h.SessionTimeoutListener sessionException(ServerSessionImpl[<redacted>]) NoSuchAlgorithmException: no such algorithm: HmacSHA256 for provider SunJCE
       

      Workaround

      Add this to Bitbucket's startup script, then restart:

      JVM_SUPPORT_RECOMMENDED_ARGS=-Dorg.apache.sshd.security.provider.SunJCEWrapper.enabled=false 
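
To see which JCE providers on an affected host can supply the two algorithms named in the DEBUG messages, a probe like the following can be run with the same JVM and security configuration that Bitbucket uses. This is an added example, not part of the original report or of Bitbucket's code; the class name JceProbe is hypothetical.

```java
import java.security.Provider;
import java.security.Security;
import javax.crypto.Cipher;
import javax.crypto.Mac;

// Hypothetical diagnostic class (not part of Bitbucket or Apache MINA SSHD).
// Run it with the same JVM and java.security configuration as the server.
public class JceProbe {

    // Returns null when the algorithm resolves, otherwise the exception text.
    // provider == null lets the JVM pick from its configured provider list.
    static String probe(String kind, String algorithm, String provider) {
        try {
            if (kind.equals("Cipher")) {
                if (provider == null) Cipher.getInstance(algorithm);
                else Cipher.getInstance(algorithm, provider);
            } else {
                if (provider == null) Mac.getInstance(algorithm);
                else Mac.getInstance(algorithm, provider);
            }
            return null;
        } catch (Exception e) {
            // Covers NoSuchAlgorithmException, NoSuchProviderException, etc.
            return e.getClass().getSimpleName() + ": " + e.getMessage();
        }
    }

    public static void main(String[] args) {
        System.out.println("Registered providers, in preference order:");
        for (Provider p : Security.getProviders()) {
            System.out.println("  " + p.getName());
        }
        // The two algorithm names quoted in the server's DEBUG messages.
        String[][] checks = { {"Cipher", "AES/GCM/NoPadding"}, {"Mac", "HmacSHA256"} };
        for (String[] c : checks) {
            // Try the default lookup, then the provider named in the log message.
            for (String provider : new String[] { null, "SunJCE" }) {
                String err = probe(c[0], c[1], provider);
                System.out.printf("%-6s %-18s provider=%-8s %s%n", c[0], c[1],
                        provider == null ? "(any)" : provider,
                        err == null ? "available" : "UNAVAILABLE (" + err + ")");
            }
        }
    }
}
```

A row that is available with provider "(any)" but unavailable with "SunJCE" means the algorithm exists on the host but not from the provider named in the log message.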

              Assignee:
              Tom Daffurn
              Reporter:
              Tom Daffurn