Unix & Linux Stack Exchange
Q&A for users of Linux, FreeBSD and other Unix-like operating systems
Latest Questions
7
votes
1
answers
2236
views
Debian FIPS Certified
Is Debian OS FIPS certified? Does it support FIPS Validated Cryptographic Modules?
What I noticed is that FIPS mode can be enabled with the tool `fips-mode-setup`. This tool is developed and can be used for other Linux distributions (SUSE, Oracle Linux, Red Hat, Ubuntu), in case the user wants to enable FIPS mode afterward (not part of OS). Does that mean that Debian can be configured to use FIPS Validated Cryptographic Modules?
Milica
(71 rep)
Sep 19, 2022, 09:16 AM
• Last activity: Aug 4, 2025, 08:06 PM
0
votes
3
answers
2434
views
Unable to install cryptography
Lubuntu version: 20.04
I am trying to `ssh` to a cluster using `fab` but it returns an error.
I am adding a screenshot showing the traceback.
I am not able to install `cryptography` through terminal by using
```
sudo apt-get install crytography
```
It returns the following message
```
unable to locate the package file
```
Nauman Sohail
(15 rep)
May 13, 2020, 04:43 AM
• Last activity: Jan 13, 2025, 02:29 AM
0
votes
1
answers
67
views
Ansible access to EL9 server after it has been 'ELevated' from EL8
Thanks for taking the time and having a look,
I recently ELevated (AlmaLinux project ELevate) 3 servers from AlmaLinux 8 to AlmaLinux 9 (2 years back these same servers were ELevated from CentOS 7 to AlmaLinux 8). The upgrade worked flawlessly and after the upgrade I just had to reinstall 1 package, Zabbix-Agent2. I could access the services running on those servers, websites were perfectly accessible, and via SSH I could access the system with no issues. Even the ansibleuser could be used for key pair SSH authentication with no trouble.
But when I use Ansible to run a playbook on these servers that always worked in the past and still works on all our other Ubuntu and AlmaLinux machines, I get the following errors on the 3 machines in question:
[ /etc/ansible ]$ ansible-playbook playbooks/update-linux.yml -C -l ClamAV -vvv
ansible-playbook [core 2.14.14]
config file = /etc/ansible/ansible.cfg
configured module search path = ['/home/ansibleuser/.ansible/plugins/modules', '/usr/share/ansible/plugins/modules']
ansible python module location = /usr/lib/python3.9/site-packages/ansible
ansible collection location = /home/ansibleuser/.ansible/collections:/usr/share/ansible/collections
executable location = /usr/bin/ansible-playbook
python version = 3.9.18 (main, Aug 23 2024, 00:00:00) [GCC 11.4.1 20231218 (Red Hat 11.4.1-3)] (/usr/bin/python3)
jinja version = 3.1.2
libyaml = True
Using /etc/ansible/ansible.cfg as config file
BECOME password:
Vault password:
host_list declined parsing /etc/ansible/hosts as it did not pass its verify_file() method
script declined parsing /etc/ansible/hosts as it did not pass its verify_file() method
auto declined parsing /etc/ansible/hosts as it did not pass its verify_file() method
Parsed /etc/ansible/hosts inventory source with yaml plugin
Skipping callback 'default', as we already have a stdout callback.
Skipping callback 'minimal', as we already have a stdout callback.
Skipping callback 'oneline', as we already have a stdout callback.
PLAYBOOK: update-linux.yml *******************************************************************************************************************************
2 plays in playbooks/update-linux.yml
PLAY [landauer] ******************************************************************************************************************************************
TASK [Gathering Facts] ***********************************************************************************************************************************
task path: /etc/ansible/playbooks/update-linux.yml:2
ESTABLISH SSH CONNECTION FOR USER: ansibleuser
SSH: EXEC ssh -C -o ControlMaster=auto -o ControlPersist=60s -o StrictHostKeyChecking=no -o KbdInteractiveAuthentication=no -o PreferredAuthentications=gssapi-with-mic,gssapi-keyex,hostbased,publickey -o PasswordAuthentication=no -o 'User="ansibleuser"' -o ConnectTimeout=5 -o 'ControlPath="/home/ansibleuser/.ansible/cp/267bb41463"' 10.1.1.22 '/bin/sh -c '"'"'echo ~ansibleuser && sleep 0'"'"''
(0, b'/home/ansibleuser\n', b'')
ESTABLISH SSH CONNECTION FOR USER: ansibleuser
SSH: EXEC ssh -C -o ControlMaster=auto -o ControlPersist=60s -o StrictHostKeyChecking=no -o KbdInteractiveAuthentication=no -o PreferredAuthentications=gssapi-with-mic,gssapi-keyex,hostbased,publickey -o PasswordAuthentication=no -o 'User="ansibleuser"' -o ConnectTimeout=5 -o 'ControlPath="/home/ansibleuser/.ansible/cp/267bb41463"' 10.1.1.22 '/bin/sh -c '"'"'( umask 77 && mkdir -p " echo /home/ansibleuser/.ansible/tmp
"&& mkdir " echo /home/ansibleuser/.ansible/tmp/ansible-tmp-1728362452.3175566-4768-111779545868462
" && echo ansible-tmp-1728362452.3175566-4768-111779545868462=" echo /home/ansibleuser/.ansible/tmp/ansible-tmp-1728362452.3175566-4768-111779545868462
" ) && sleep 0'"'"''
(0, b'ansible-tmp-1728362452.3175566-4768-111779545868462=/home/ansibleuser/.ansible/tmp/ansible-tmp-1728362452.3175566-4768-111779545868462\n', b'')
Attempting python interpreter discovery
ESTABLISH SSH CONNECTION FOR USER: ansibleuser
SSH: EXEC ssh -C -o ControlMaster=auto -o ControlPersist=60s -o StrictHostKeyChecking=no -o KbdInteractiveAuthentication=no -o PreferredAuthentications=gssapi-with-mic,gssapi-keyex,hostbased,publickey -o PasswordAuthentication=no -o 'User="ansibleuser"' -o ConnectTimeout=5 -o 'ControlPath="/home/ansibleuser/.ansible/cp/267bb41463"' 10.1.1.22 '/bin/sh -c '"'"'echo PLATFORM; uname; echo FOUND; command -v '"'"'"'"'"'"'"'"'python3.11'"'"'"'"'"'"'"'"'; command -v '"'"'"'"'"'"'"'"'python3.10'"'"'"'"'"'"'"'"'; command -v '"'"'"'"'"'"'"'"'python3.9'"'"'"'"'"'"'"'"'; command -v '"'"'"'"'"'"'"'"'python3.8'"'"'"'"'"'"'"'"'; command -v '"'"'"'"'"'"'"'"'python3.7'"'"'"'"'"'"'"'"'; command -v '"'"'"'"'"'"'"'"'python3.6'"'"'"'"'"'"'"'"'; command -v '"'"'"'"'"'"'"'"'python3.5'"'"'"'"'"'"'"'"'; command -v '"'"'"'"'"'"'"'"'/usr/bin/python3'"'"'"'"'"'"'"'"'; command -v '"'"'"'"'"'"'"'"'/usr/libexec/platform-python'"'"'"'"'"'"'"'"'; command -v '"'"'"'"'"'"'"'"'python2.7'"'"'"'"'"'"'"'"'; command -v '"'"'"'"'"'"'"'"'/usr/bin/python'"'"'"'"'"'"'"'"'; command -v '"'"'"'"'"'"'"'"'python'"'"'"'"'"'"'"'"'; echo ENDFOUND && sleep 0'"'"''
(0, b'PLATFORM\nLinux\nFOUND\n/usr/bin/python3.9\n/usr/bin/python3\n/usr/libexec/platform-python\n/usr/bin/python\n/usr/bin/python\nENDFOUND\n', b'')
ESTABLISH SSH CONNECTION FOR USER: ansibleuser
SSH: EXEC ssh -C -o ControlMaster=auto -o ControlPersist=60s -o StrictHostKeyChecking=no -o KbdInteractiveAuthentication=no -o PreferredAuthentications=gssapi-with-mic,gssapi-keyex,hostbased,publickey -o PasswordAuthentication=no -o 'User="ansibleuser"' -o ConnectTimeout=5 -o 'ControlPath="/home/ansibleuser/.ansible/cp/267bb41463"' 10.1.1.22 '/bin/sh -c '"'"'/usr/bin/python3.9 && sleep 0'"'"''
(0, b'{"platform_dist_result": [], "osrelease_content": "NAME=\\"AlmaLinux\\"\\nVERSION=\\"9.4 (Seafoam Ocelot)\\"\\nID=\\"almalinux\\"\\nID_LIKE=\\"rhel centos fedora\\"\\nVERSION_ID=\\"9.4\\"\\nPLATFORM_ID=\\"platform:el9\\"\\nPRETTY_NAME=\\"AlmaLinux 9.4 (Seafoam Ocelot)\\"\\nANSI_COLOR=\\"0;34\\"\\nLOGO=\\"fedora-logo-icon\\"\\nCPE_NAME=\\"cpe:/o:almalinux:almalinux:9::baseos\\"\\nHOME_URL=\\"https://almalinux.org/\\ "\\nDOCUMENTATION_URL=\\"https://wiki.almalinux.org/\\ "\\nBUG_REPORT_URL=\\"https://bugs.almalinux.org/\\ "\\n\\nALMALINUX_MANTISBT_PROJECT=\\"AlmaLinux-9\\"\\nALMALINUX_MANTISBT_PROJECT_VERSION=\\"9.4\\"\\nREDHAT_SUPPORT_PRODUCT=\\"AlmaLinux\\"\\nREDHAT_SUPPORT_PRODUCT_VERSION=\\"9.4\\"\\nSUPPORT_END=2032-06-01\\n"}\n', b'')
Using module file /usr/lib/python3.9/site-packages/ansible/modules/setup.py
PUT /home/ansibleuser/.ansible/tmp/ansible-local-47643ehs1jje/tmprhb1042q TO /home/ansibleuser/.ansible/tmp/ansible-tmp-1728362452.3175566-4768-111779545868462/AnsiballZ_setup.py
SSH: EXEC scp -C -o ControlMaster=auto -o ControlPersist=60s -o StrictHostKeyChecking=no -o KbdInteractiveAuthentication=no -o PreferredAuthentications=gssapi-with-mic,gssapi-keyex,hostbased,publickey -o PasswordAuthentication=no -o 'User="ansibleuser"' -o ConnectTimeout=5 -o 'ControlPath="/home/ansibleuser/.ansible/cp/267bb41463"' /home/ansibleuser/.ansible/tmp/ansible-local-47643ehs1jje/tmprhb1042q '[10.1.1.22]:/home/ansibleuser/.ansible/tmp/ansible-tmp-1728362452.3175566-4768-111779545868462/AnsiballZ_setup.py'
ESTABLISH SSH CONNECTION FOR USER: ansibleuser
SSH: EXEC ssh -C -o ControlMaster=auto -o ControlPersist=60s -o StrictHostKeyChecking=no -o KbdInteractiveAuthentication=no -o PreferredAuthentications=gssapi-with-mic,gssapi-keyex,hostbased,publickey -o PasswordAuthentication=no -o 'User="ansibleuser"' -o ConnectTimeout=5 -o 'ControlPath="/home/ansibleuser/.ansible/cp/267bb41463"' 10.1.1.22 '/bin/sh -c '"'"'rm -f -r /home/ansibleuser/.ansible/tmp/ansible-tmp-1728362452.3175566-4768-111779545868462/ > /dev/null 2>&1 && sleep 0'"'"''
(0, b'', b'')
fatal: [ClamAV]: UNREACHABLE! => {
"changed": false,
"msg": "Failed to connect to the host via scp: Connection closed\r\n",
"unreachable": true
}
In the example I used the ClamAV server, but on 2 other servers I have the same issue.
The other AlmaLinux machines in our setup are installed from scratch with AlmaLinux 9 and the playbook works fine.
I also noticed that when running DNF it gives me 1 warning:
warning: Signature not supported. Hash algorithm SHA1 not available.
I already found an article about this on Red Hat explaining that with the command "update-crypto-policies --set FUTURE" I could set the server to the newer SHA256/512 crypto policy. But then I lose ALL possible communications to that server except HTTP(S) and physical console (via vCenter).
I think it must be something related to this, or I need to regenerate something. But is there someone who already found a solution/thread to help me solve the issue? I have 2 more servers to do that are a bit more company critical, so I don't want these to suffer too long with this issue.
Thanks a lot already for any help.
Stefan Lelieveld
(21 rep)
Oct 8, 2024, 08:03 AM
• Last activity: Oct 8, 2024, 10:56 AM
0
votes
1
answers
2136
views
OpenSSH: Cannot disable weak algorithms
I am on an RHEL 7.5 and I would like to disable weak crypto algorithms (i.e. CBC-based ciphers, weak MACs, etc.).
Hence, I modified `/etc/ssh/sshd_config`, especially the lines starting with `ciphers` and `macs` to exclude the respective weak ciphers.
As an example: I removed `aes128-cbc`, `aes192-cbc`, `aes256-cbc` from the `Ciphers` line in sshd_config and restarted the SSH server.
So, when testing the new configuration there is a difference between connecting from within the system that provides the SSH service (i.e. `ssh -vv localhost`) the weak ciphers are not offered anymore (I look at the `peer server KEXINIT proposal` section). What is strange is, when connecting from an external system to the target (i.e. `ssh -vv target_ip`), the cbc-based ciphers are offered again.
Is there some sort of second configuration file that overrides sshd_config or what am I missing?
Thanks in advance.
user1192748
(145 rep)
Jun 17, 2020, 12:08 PM
• Last activity: Jul 28, 2024, 11:06 AM
1
votes
0
answers
63
views
Secret Service outside X?
I am trying to use the Secret Service (not NSA/CIA, but the Linux one, through `secret-tool` command) outside of X.
I managed to use it with `kwalletd` and with `keepassxc`. But `kwalletd` needs KDE and hence graphic environment, and `keepassxc` is a pain because it asks for authorizations every-single-time it is used.
Is there a way to use the Secret Service outside X?
Luis A. Florit
(509 rep)
Jul 21, 2024, 09:14 PM
• Last activity: Jul 22, 2024, 12:52 AM
3
votes
0
answers
355
views
Can't import or create keys in Kleopatra in Arch Linux using KDE (x11)
I'm still new to Linux, so please give me time if you need something from me.
As the title says I cannot create new key pairs or import existing keys into Kleopatra 3.2.0.240501 (24.05.1). I've just done a system update (`sudo pacman -Syu`) before trying out the included application. When I try to import an existing key this error comes up:
```
/home/keys/xxxxxxxxxx_SECRET.asc(I18N_ARGUMENT_MISSING) (imported with gpg(I18N_ARGUMENT_MISSING))
Audit log is empty.
/home/keys/xxxxxxxxxx_SECRET.asc(I18N_ARGUMENT_MISSING) (imported with gpgsm(I18N_ARGUMENT_MISSING))
Audit log is empty.
```
(key name is censored by me, but the correct name is being used)
Creating a new key pair gives this result:
```
The creation of a new OpenPGP certificate failed.
Error: /SQL library used incorrectly/
```
I've tried importing the same key in Windows or creating a new key pair and it worked without problems there (all keys were created with Windows so far).
Thank you for your help
TheBros47874
(41 rep)
Jun 26, 2024, 04:22 PM
3
votes
1
answers
4230
views
Configure SSHD via Red Hat crypto-policy
I am using Rocky Linux 8 and 9 and they use the crypto-policy framework from Red Hat. Now I want to adjust some settings in the policy to forbid sshd to use some specific algorithms. But I cannot figure out the names for these algorithms as they should be given to crypto-policy (I only know the names as openssh accepts them).
I am writing a text file at `/etc/crypto-policies/policies/modules/DEPRECATED-SSH-ALGOS.pmod` and try to set my policy to `DEFAULT:DEPRECATED-SSH-ALGOS` in `/etc/crypto-policies/config`.
The problem is the content of the DEPRECATED-SSH-ALGOS.pmod file. Some algorithms I can successfully deactivate and others I can't. In some cases I can easily guess the name that crypto-policy uses from the name that ssh uses.
"Working" version of the file:
~~~
cipher@ssh = -AES-*-CBC
mac@SSH = -*-SHA1 -HMAC-SHA2-256 -HMAC-SHA2-512
~~~
but I would like to use something like this:
~~~
cipher@ssh = -AES-*-CBC
mac@SSH = -*-SHA1 -HMAC-SHA2-256 -HMAC-SHA2-512 -UMAC-128@OPENSSH.COM
key_exchange@SSH = -*-SHA1 -ECDH-SHA2-NISTP256 -ECDH-SHA2-NISTP384 -ECDH-SHA2-NISTP521
~~~
but the crypto-policy framework complains that it does not know this algorithm, when I `update-crypto-policies --set`:
~~~
AlgorithmEmptyMatchError: Bad value of policy property key_exchange: ecdh-sha2-nistp256
Errors found in policy, first one:
Bad value of policy property key_exchange: ECDH-SHA2-NISTP256
~~~
# Question
What are the names of the algorithms I can put in a crypto-policy file or where do I find these?
Or: Given a ssh specific algorithm name, how can I figure out the crypto-policy name for that algorithm?
----------------
# EDIT
I have since found the file `/usr/share/crypto-policies/python/policygenerators/openssh.py` on my Rocky machine which seems to map these names:
~~~python
# ...
kx_map = {
    'ECDHE-SECP521R1-SHA2-512':'ecdh-sha2-nistp521',
    'ECDHE-SECP384R1-SHA2-384':'ecdh-sha2-nistp384',
    'ECDHE-SECP256R1-SHA2-256':'ecdh-sha2-nistp256',
    # ...
}
# ...
~~~
The problem is that some of the names there did not work as well. Either of
~~~shell
key_exchange@SSH = -ecdh-sha2-nistp256
# or
key_exchange@SSH = -ECDHE-SECP256R1-SHA2-256
~~~
results in `Bad value of policy property key_exchange` when I `update-crypto-policies --set`.
Lucas
(2945 rep)
Apr 29, 2024, 01:59 PM
• Last activity: Apr 30, 2024, 01:07 PM
2
votes
1
answers
449
views
Fast wideblock AES disk encryption in Linux?
I recently learned that Linux supports Adiantum as a disk encryption cipher (run `cryptsetup benchmark -c xchacha20,aes-adiantum-plain64` to try it out on your system). While Adiantum is primarily meant to provide faster disk encryption for low-end devices that do not support hardware AES acceleration, it is also a wide block cipher mode, meaning that a single bit flip in the ciphertext randomizes an entire sector of plaintext, whereas in AES-XTS mode (the current recommended cipher when AES acceleration is available) a single bit flip in the ciphertext randomizes only a 16 byte block of plaintext. That gives a potential attacker much more granularity and block boundaries to work with. So in this respect Adiantum is strictly more secure than AES-XTS.
Adiantum is a construction built from a hash, a bulk cipher and a block cipher. The currently available variants in my Linux kernel (v5.4) use ChaCha12 or ChaCha20 as bulk cipher. For the intended use on devices without hardware AES acceleration that is great, but now I also want to use it on my laptop with AES acceleration where AES-XTS is about twice as fast as Adiantum.
Are there any wide block ciphers for disk encryption optimized for hardware AES acceleration available for Linux, or being worked on?
@anyone from the future, if the answer is 'no' at the time I'm writing this but has changed by the time you read this question, please do post an answer with the updates at your time.
JanKanis
(1421 rep)
Jan 13, 2023, 04:31 PM
• Last activity: Apr 18, 2024, 10:08 PM
2
votes
1
answers
207
views
Totally Legit Signing Key <mallory@example.org>
I run:
```
gpg --list-keys
```
I get:
```
pub rsa1024 2014-01-26 [C]
uid [ unknown] Totally Legit Signing Key
```
Can this be dangerous? What is this? The address mallory@example.org is confusing.
Ohumeronen
(218 rep)
Feb 16, 2024, 09:51 AM
• Last activity: Feb 16, 2024, 10:19 AM
7
votes
1
answers
8485
views
Verifying a hashed salted password that uses yescrypt algorithm
In order to verify a password hash we can use `openssl passwd` as shown below and explained here
```
openssl passwd $HASHING-ALGORITHM -salt j9T$F31F/jItUvvjOv6IBFNea/ $CLEAR-TEXT-PASSWORD
```
However, this will work only for the following algorithms: md5, crypt, apr1, aixmd5, SHA-256, SHA-512
How to calculate the hashing password, from bash or python or nodeJS for a $CLEAR-TEXT-PASSWORD, with salt using yescrypt?
MasterOfTheHouse
(195 rep)
Jun 27, 2022, 12:43 PM
• Last activity: Jan 25, 2024, 09:16 PM
3
votes
2
answers
2192
views
How to convert EC public key in PEM format to DER format using openssl
With a public key as **PEM**, how can this be converted to **DER** format using **openssl**? Please note that this is not a x509 certificate. Also this question is about EC (ECDSA) public keys not RSA and using **openssl** not C, C++ or some other programming language
```
-----BEGIN PUBLIC KEY-----
xxx
-----END PUBLIC KEY-----
```
code2535
(31 rep)
Jan 4, 2024, 07:43 PM
• Last activity: Jan 4, 2024, 11:22 PM
6
votes
4
answers
27406
views
How to do HmacSHA256 using openSSL from terminal?
I need to perform the following Java snippet using OpenSSL from the command line:
```java
private byte[] hmacSha256(byte[] key, byte[] payload) throws GeneralSecurityException {
    Mac mac = Mac.getInstance("HmacSHA256");
    mac.init(new SecretKeySpec(key, "HmacSHA256"));
    mac.update(payload);
    return mac.doFinal();
}
```
These are the test values that are working with Java but not with OpenSSL:
```
KEY_BASE64="xtztqVgjD+5VHL4rVeKYm0USpDJTEy5Tjc9aK6I/oV0="
KEY_HEX="c6dceda958230fee551cbe2b55e2989b4512a43253132e538dcf5a2ba23fa15d"
PAYLOAD_BASE64="j9F8TrzCabcDoLdHUDaUuv6ea224xikwbPF1IW0OjkY="
DIGEST_HEX="c2ec711448a4f5bb851279eca0a628847254855966ad09de7e734b7df48e198a"
```
I already tried this answer but I got different results. It looked like this:
```
$ echo $PAYLOAD_BASE64 | base64 -d | openssl dgst -sha256 -hmac -hex -macopt hexkey:$KEY_HEX
(stdin)= 93d5555dbf95873441ccc63f9a4bc361e6f291f7b0a81db4edc35b8212b04dad
```
It does provide me an output in hex format, but the value doesn't match what I get when running that Java snippet with the same payload and key value.
I could also use another command line tool, as long as it's widely available in most Linux default package managers lists.
Stefano
(231 rep)
Sep 18, 2020, 12:08 PM
• Last activity: Sep 19, 2023, 02:23 PM
2
votes
1
answers
3797
views
openssl encrypt by specifying AES 256 key instead of passphrase
I need to encrypt some data using aes-256-ecb since a backend code expects it as a configuration. I'm able to encrypt using a key which is derived from a passphrase using:
```
openssl enc -p -aes-256-ecb -nosalt -pbkdf2 -base64 -in data-plain.txt -out data-encrypted.txt | sed 's/key=//g'
```
This encrypts using derived key and outputs the key in console.
However, I couldn't find how to do it with a generated key, something like:
1. Generate a 256-bit key using:
```
openssl rand -base64 32 > key.data
```
2. Then use this key during encryption, with something like:
```
openssl enc -p -aes-256-ecb **-key=key.data** -nosalt -pbkdf2 -base64 -in data-plain.txt -out data-encrypted.txt
```
Is this possible?
isah
(123 rep)
Nov 2, 2022, 09:55 PM
• Last activity: Nov 4, 2022, 12:25 AM
1
votes
2
answers
16626
views
What is the fingerprint ssh is asking for?
```
$ ssh 192.168.29.126
The authenticity of host '192.168.29.126 (192.168.29.126)' can't be established.
ECDSA key fingerprint is SHA256:1RG/OFcYAVv57kcP784oaoeHcwjvHDAgtTFBckveoHE.
Are you sure you want to continue connecting (yes/no/[fingerprint])?
```
What is the "fingerprint" it is asking for?
john stark
(29 rep)
Apr 28, 2022, 05:02 AM
• Last activity: Apr 28, 2022, 07:46 AM
1
votes
1
answers
392
views
Won't the new nonblocking architecture for /dev/random make it less secure?
If entropy is not accounted for, and the pool doesn't block even if insufficient entropy has been supplied, isn't it potentially insecure?
2080
(121 rep)
Mar 15, 2022, 12:39 AM
• Last activity: Mar 15, 2022, 05:55 AM
21
votes
3
answers
5182
views
How can I force /dev/random to block?
For a class on cryptography, I am trying to drain the entropy pool in Linux (e.g. make `/proc/sys/kernel/random/entropy_avail` go to 0 and block a command reading from `/dev/random`) but I can't make it happen. I'm supposed to get reads from `/dev/random` to block. If I execute these two commands:
```
watch -n 0.5 cat /proc/sys/kernel/random/entropy_avail
```
to watch entropy and then:
```
od -d /dev/random
```
to dump the random pool, the value from the `watch` command hovers between 3700 and 3900, and gains and loses only a little while I run this command. I let both commands run for about three minutes with no discernible substantial change in the size of `entropy_avail`. I didn't do much on the computer during that time. From googling around I find that perhaps a hardware random number generator could be so good that the entropy won't drop but if I do:
```
cat /sys/devices/virtual/misc/hw_random/rng_available
```
I see nothing, I just get a blank line. So I have a few questions:
1. What's replenishing my entropy so well, and how can I find the specific source of randomness?
2. Is there any way to temporarily disable sources of randomness so I can force this blocking to happen?
John Phillips
(213 rep)
Mar 6, 2022, 08:07 PM
• Last activity: Mar 9, 2022, 03:40 PM
1
votes
1
answers
502
views
nacl crypto installation on arch
I am trying to install nacl crypto on my system:
```
% uname -a
Linux (none) 2.6.39-ARCH #1 SMP PREEMPT Mon Jun 6 22:37:55 CEST 2011 x86_64 Intel(R) Core(TM) i5 CPU M 540 @ 2.53GHz GenuineIntel GNU/Linux
```
But the build process didn't succeed:
```
~/nacl-20110221 % ./do
./do: line 9: hostname: command not found
```
Did I forget something?
**[update]**
```
% cat /etc/hosts
#
# /etc/hosts: static lookup table for host names
#
#
127.0.0.1 localhost.localdomain localhost
::1 localhost.localdomain localhost
# End of file
```
mkind
(123 rep)
Jun 9, 2011, 11:02 AM
• Last activity: Jan 20, 2022, 10:17 AM
2
votes
1
answers
395
views
Unable to connect to the my campus db through omega, the below error keeps popping up
Unable to negotiate with 129.107.56.23 port 22: no matching key exchange method found.
Their offer: Diffie-hellman-group-exchange-sha1,Diffie-hellman-group14-sha1,Diffie-hellman-group1-sha1
Pooj
(21 rep)
Nov 20, 2021, 07:11 PM
• Last activity: Nov 20, 2021, 08:33 PM
45
votes
5
answers
51335
views
How can I get a base64 encoded shaX on the cli?
`sha1sum` outputs a hex encoded format of the actual sha. I would like to see a base64 encoded variant. Possibly some command that outputs the binary version that I can pipe, like so: `echo -n "message" | | base64` or if it outputs it directly that's fine too.
xenoterracide
(61203 rep)
Nov 1, 2010, 09:18 AM
• Last activity: Oct 5, 2021, 07:45 AM
3
votes
3
answers
8163
views
How to show the incorrect checksum when the computed checksum did not match
Suppose I try to verify the checksum of a file using:
```
echo '760382d5e8cdc5d0d079e8f754bce1136fbe1473be24bb885669b0e38fc56aa3 emacs-26.1.tar.gz' | \
sha256sum --check
```
If the file is corrupt and the checksum is wrong, `sha256sum` will show this message:
```
emacs-26.1.tar.gz: FAILED
sha256sum: WARNING: 1 computed checksum did NOT match
```
I would like to know the actual checksum of the file (i.e. incorrect checksum that caused this error message). What are my options? If possible, I do not want to compute the checksum twice (once to see the "FAILED" message, and a second time to see the incorrect checksum).
(OS: Ubuntu 20.04)
Flux
(3238 rep)
Mar 27, 2021, 07:28 AM
• Last activity: Sep 3, 2021, 10:37 AM
Showing page 1 of 20 total questions