Merge pull request #184 from wazuh/bug/178-ova-cant-ssh-to-the-vm

Changed ssh config file to allow ssh while FIPS is activated
wazuh · Jan 30, 2025 · f104092 · f104092
2 parents ceaa0e3 + 2f13ccb
commit f104092
Show file tree

Hide file tree

Showing 2 changed files with 28 additions and 0 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -16,6 +16,7 @@ All notable changes to this project will be documented in this file.
 
 ### Fixed
 
+- Changed ssh config file to allow ssh while FIPS is activated. ([#184](https://github.com/wazuh/wazuh-virtual-machines/pull/184))
 - Fixed Vagrant synced folder error in OVA. ([#183](https://github.com/wazuh/wazuh-virtual-machines/pull/183))
 - Fix the ova workflow for stages support and AWS instance deletion. ([#175](https://github.com/wazuh/wazuh-virtual-machines/pull/176))
 - Fixed the OVA workflow to add support in stages. ([#173](https://github.com/wazuh/wazuh-virtual-machines/pull/173))

diff --git a/ova/workflow_assets/ova_configurer.py b/ova/workflow_assets/ova_configurer.py
@@ -76,6 +76,32 @@ def create_network_config():
         subprocess.run("sudo systemctl restart systemd-networkd", shell=True, check=True)
 
 
+def change_ssh_config():
+    """
+    Changes the /etc/crypto-policies/back-ends/opensshserver.config file to make the ssh compatible with FIPS
+    """
+    config_path = "/etc/crypto-policies/back-ends/opensshserver.config"
+    new_values = {
+        "Ciphers": "Ciphers [email protected],[email protected]",
+        "MACs": "MACs hmac-sha2-256,hmac-sha2-512",
+        "GSSAPIKexAlgorithms": "GSSAPIKexAlgorithms gss-nistp256-sha256-,gss-group14-sha256-,gss-group16-sha512-",
+        "KexAlgorithms": "KexAlgorithms ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521"
+    }
+
+    with open(config_path, "r") as file:
+        lines = file.readlines()
+
+    with open(config_path, "w") as file:
+        for line in lines:
+            key = line.split()[0] if line.strip() else ""
+            if key in new_values:
+                file.write(new_values[key] + "\n")
+            else:
+                file.write(line)
+
+    subprocess.run("sudo systemctl restart sshd", shell=True, check=True)
+
+
 def clean():
     """
     Cleans the VM after the installation
@@ -130,6 +156,7 @@ def main():
     build_wazuh_install("/home/ec2-user/wazuh-installation-assistant", args.wia_branch)
     run_provision_script(args.wvm_branch, args.repository, args.debug)
     create_network_config()
+    change_ssh_config()
     clean()
 
 if __name__ == "__main__":