@anandf anandf commented Aug 9, 2025

Fixes #24155

Needs to be backported to release-3.0 and release-3.1 branches, which use go1.24 or later for compilation.

Argo CD uses hard-coded default key exchange algorithms for SSH. In a FIPS-enabled cluster, some of these algorithms are not supported. When one such algorithm is used (curve25519), the repo server fails to connect to the SSH host and crashes with a panic.

panic: curve25519: internal error: scalarBaseMult was not 32 bytes

Checklist:

  • Either (a) I've created an enhancement proposal and discussed it with the community, (b) this is a bug fix, or (c) this does not need to be in the release notes.
  • The title of the PR states what changed and the related issues number (used for the release note).
  • The title of the PR conforms to the Title of the PR
  • I've included "Closes [ISSUE #]" or "Fixes [ISSUE #]" in the description to automatically close the associated issue.
  • I've updated both the CLI and UI to expose my feature, or I plan to submit a second PR with them.
  • Does this PR require documentation updates?
  • I've updated documentation as required by this PR.
  • I have signed off all my commits as required by DCO
  • I have written unit and/or e2e tests for my change. PRs without these are unlikely to be merged.
  • My build is green (troubleshooting builds).
  • My new feature complies with the feature status guidelines.
  • I have added a brief description of why this PR is necessary and/or what this PR solves.
  • Optional. My organization is added to USERS.md.
  • Optional. For bug fixes, I've indicated what older releases this fix should be cherry-picked into (this may or may not happen depending on risk/complexity).
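
The failure mode described above, as an added example that is not code from this PR or from Argo CD: a client that drops the curve25519 key exchange names from its preference list in FIPS mode, followed by the RFC 4253 selection rule (the first client algorithm the server also lists). The `defaultKex` list, the `fips` flag and both server lists are constructed for illustration, and treating only the curve25519 variants as non-FIPS is an assumption based on the description.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// Constructed client preference list; NOT Argo CD's actual defaults.
var defaultKex = []string{
	"curve25519-sha256",
	"curve25519-sha256@libssh.org",
	"ecdh-sha2-nistp256",
	"ecdh-sha2-nistp384",
	"ecdh-sha2-nistp521",
	"diffie-hellman-group14-sha256",
}

// kexForMode returns the KEX list to offer. In FIPS mode the curve25519
// variants are removed (assumption); the remaining order is preserved.
func kexForMode(fips bool) []string {
	if !fips {
		return defaultKex
	}
	out := make([]string, 0, len(defaultKex))
	for _, k := range defaultKex {
		if !strings.HasPrefix(k, "curve25519") {
			out = append(out, k)
		}
	}
	return out
}

// negotiate picks the first client algorithm that the server also lists.
func negotiate(client, server []string) (string, error) {
	for _, c := range client {
		for _, s := range server {
			if c == s {
				return c, nil
			}
		}
	}
	return "", errors.New("no common key exchange algorithm")
}

func main() {
	server := []string{"curve25519-sha256", "ecdh-sha2-nistp256"} // constructed
	for _, fips := range []bool{false, true} {
		alg, err := negotiate(kexForMode(fips), server)
		fmt.Printf("fips=%v negotiated=%q err=%v\n", fips, alg, err)
	}
}
```

With the unfiltered list the handshake settles on curve25519, which is the path that panics on a FIPS build; with the filtered list the same server negotiates `ecdh-sha2-nistp256`, and a server offering only curve25519 yields a clean negotiation error instead of a crash.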


bunnyshell bot commented Aug 9, 2025

❌ Preview Environment deleted from Bunnyshell

Available commands (reply to this comment):

  • 🚀 /bns:deploy to deploy the environment


codecov bot commented Aug 9, 2025

Codecov Report

❌ Patch coverage is 50.00000% with 3 lines in your changes missing coverage. Please review.
✅ Project coverage is 60.09%. Comparing base (b2b6d98) to head (adc1fe9).
⚠️ Report is 1 commits behind head on master.

Files with missing lines Patch % Lines
util/git/ssh.go 50.00% 2 Missing and 1 partial ⚠️
Additional details and impacted files
@@            Coverage Diff             @@
##           master   #24086      +/-   ##
==========================================
- Coverage   60.15%   60.09%   -0.06%     
==========================================
  Files         347      347              
  Lines       59857    59862       +5     
==========================================
- Hits        36004    35976      -28     
- Misses      20968    20991      +23     
- Partials     2885     2895      +10     


@anandf anandf marked this pull request as ready for review August 13, 2025 08:44
@anandf anandf requested a review from a team as a code owner August 13, 2025 08:44
@anandf anandf force-pushed the fix_fips_ssh_issue branch from c3bbe7d to 2473665 Compare August 13, 2025 08:44
…S compliant

Signed-off-by: anandf <anjoseph@redhat.com>
@anandf anandf force-pushed the fix_fips_ssh_issue branch from 2473665 to adc1fe9 Compare August 14, 2025 12:18

@jannfis jannfis left a comment

LGTM, thanks

@jannfis jannfis enabled auto-merge (squash) August 14, 2025 12:21
@jannfis jannfis merged commit a8cae97 into argoproj:master Aug 14, 2025
27 checks passed
@blakepettersson

@anandf can you open cherry-pick PRs for 3.0 and 3.1?

anandf added a commit to anandf/argo-cd that referenced this pull request Aug 15, 2025
…n to be FIPS compliant (argoproj#24086)

Signed-off-by: anandf <anjoseph@redhat.com>
anandf added a commit to anandf/argo-cd that referenced this pull request Aug 15, 2025
…n to be FIPS compliant (argoproj#24086)

Signed-off-by: anandf <anjoseph@redhat.com>
blakepettersson pushed a commit that referenced this pull request Aug 15, 2025
…n to be FIPS compliant (#24086) (cherry-pick 3.0) (#24165)

Signed-off-by: anandf <anjoseph@redhat.com>
blakepettersson pushed a commit that referenced this pull request Aug 15, 2025
…n to be FIPS compliant (#24086) (cherry-pick 3.1) (#24166)

Signed-off-by: anandf <anjoseph@redhat.com>
enneitex pushed a commit to enneitex/argo-cd that referenced this pull request Aug 24, 2025
…n to be FIPS compliant (argoproj#24086)

Signed-off-by: anandf <anjoseph@redhat.com>
Signed-off-by: enneitex <etienne.divet@gmail.com>
downfa11 pushed a commit to downfa11/argo-cd that referenced this pull request Aug 25, 2025
…n to be FIPS compliant (argoproj#24086)

Signed-off-by: anandf <anjoseph@redhat.com>
Development

Successfully merging this pull request may close these issues.

repo server panics when using SSH based repo URL in FIPS mode enabled cluster
3 participants