From 34a9e18812942820bccd527d5cc4b47538c9812a Mon Sep 17 00:00:00 2001
From: Pedro Algarvio
Date: Fri, 22 Mar 2024 06:12:57 +0000
Subject: [PATCH] Properly configure the SSHD server when FIPS is enabled/enforced on a system
Fixes #179
---
 changelog/179.bugfix.rst | 1 +
 src/saltfactories/daemons/sshd.py | 37 +++++++++++++++++++++++++++++--
 2 files changed, 36 insertions(+), 2 deletions(-)
 create mode 100644 changelog/179.bugfix.rst
diff --git a/changelog/179.bugfix.rst b/changelog/179.bugfix.rst
new file mode 100644
index 00000000..98e9e524
--- /dev/null
+++ b/changelog/179.bugfix.rst
@@ -0,0 +1 @@
+Properly configure the SSHD server when FIPS is enabled/enforced on a system
diff --git a/src/saltfactories/daemons/sshd.py b/src/saltfactories/daemons/sshd.py
index 0deed01b..1d2dde54 100644
--- a/src/saltfactories/daemons/sshd.py
+++ b/src/saltfactories/daemons/sshd.py
@@ -86,6 +86,41 @@ def __attrs_post_init__(self):
 "PidFile": self.config_dir / "sshd.pid",
 "AuthorizedKeysFile": authorized_keys_file,
 }
+ if platform.is_fips_enabled():
+ log.info(
+ "Adding additional default configuration to support FIPS which is "
+ "enabled on the system"
+ )
+ _default_config.update(
+ {
+ "Ciphers": (
+ "aes256-gcm@openssh.com,aes256-ctr,aes256-cbc,aes128-gcm@openssh.com,aes128-ctr,aes128-cbc"
+ ),
+ "MACs": (
+ "hmac-sha2-256-etm@openssh.com,hmac-sha1-etm@openssh.com,hmac-sha2-512-etm@openssh.com,"
+ "hmac-sha2-256,hmac-sha1,hmac-sha2-512"
+ ),
+ "KexAlgorithms": (
+ "ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,"
+ "diffie-hellman-group14-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512"
+ ),
+ "HostKeyAlgorithms": (
+ "ecdsa-sha2-nistp256,ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384,"
+ "ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521,"
+ "ecdsa-sha2-nistp521-cert-v01@openssh.com,rsa-sha2-256,rsa-sha2-256-cert-v01@openssh.com,"
+ "rsa-sha2-512,rsa-sha2-512-cert-v01@openssh.com"
+ ),
+ "PubkeyAcceptedKeyTypes": (
+ "ecdsa-sha2-nistp256,ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384,"
+ "ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521,"
+ "ecdsa-sha2-nistp521-cert-v01@openssh.com,rsa-sha2-256,rsa-sha2-256-cert-v01@openssh.com,"
+ "rsa-sha2-512,rsa-sha2-512-cert-v01@openssh.com"
+ ),
+ "CASignatureAlgorithms": (
+ "ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,rsa-sha2-256,rsa-sha2-512"
+ ),
+ }
+ )
 if self.sshd_config_dict:
 _default_config.update(self.sshd_config_dict)
 self.sshd_config = _default_config
@@ -231,8 +266,6 @@ def get_host_keys(self):
 self._ssh_keyscan_path,
 "-p",
 str(self.listen_port),
- "-t",
- "rsa,dsa,ecdsa,ed25519",
 self.listen_address,
 ]
 try:
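Review bot: The `Ciphers` value added in the FIPS branch re-enables `aes256-cbc` and `aes128-cbc`, which OpenSSH removed from its default cipher list because CBC mode in SSH has a known plaintext-recovery weakness, and FIPS mode does not require them since the GCM and CTR entries in the same list are already FIPS-approved; unless a client in the test matrix needs CBC, I would use `"Ciphers": "aes256-gcm@openssh.com,aes256-ctr,aes128-gcm@openssh.com,aes128-ctr",`. `PubkeyAcceptedKeyTypes` is the pre-8.5 spelling of `PubkeyAcceptedAlgorithms` (newer sshd still accepts the old name as an alias), so a comment such as `# PubkeyAcceptedKeyTypes kept for sshd < 8.5; 8.5+ aliases it to PubkeyAcceptedAlgorithms` would save the next maintainer a lookup. The hunk does not show where `platform` comes from; the stdlib `platform` module has no `is_fips_enabled`, so confirm sshd.py imports the project's own `platform` helper. `__attrs_post_init__` begins before this hunk.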