duosecurity/duo_unix

Duo Unix 2.x RPM Digests on RHEL 8 with FIPS enabled

gt-jpdied opened this issue · 7 comments

Summary

Even with the new package signature, because of the digests in the RPM package, rpm/dnf on RHEL 8 is still not able to install it, and the workaround in the support article (https://help.duo.com/s/article/6194?language=en_US) is needed to install/update Duo.

Steps to reproduce

  1. Install the Duo Repo
  2. Run dnf install duo_unix

Specs

  • OS version (ie CENTOS 7 or Ubuntu 14): RHEL 8.7
  • OS arch (ie 32 or 64): x64
  • Using pam_duo or login_duo: Both

Did you try this on a fresh RHEL 8 box/VM, or one that you had previously tried to install on? Internally we were only able to reproduce this in the second case, but a new box with the published workaround was able to install the package. Hopefully that would work for you as well.

One that was already running; it's been configured with FIPS per RHEL's FIPS setup (# fips-mode-setup --enable) and the digest is still rejected. I had to use the workaround, which makes it hard to manage multiple systems as I have to write a custom script just to handle Duo on yum/dnf updates.

FIPS seems to be part of the problem - we could reproduce the issue with FIPS enabled. We'll see what we can figure out. Thanks for reporting this.

mbish commented

After looking into this further, it's unlikely that this is related to the signature. When installing the RPM in FIPS mode I get the following error:

$ sudo rpm --install duo_unix-2.0.0-0.el8.x86_64.rpm
erro: unpacking of archive failed on file /etc/duo/login_duo.conf;63bedf4e: cpio: Digest mismatch
error: duo_unix 0:2.0.0-0.el8.x86_64: install failed

I'll continue to look into why this is only occurring in FIPS mode.

mbish commented

This did end up being a file digest issue. The RPM build spec file wrongly listed MD5 as the _binary_filedigest_algorithm. I'll work on getting a fixed package up shortly.
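An added example (editor's code, not from the issue thread or from duo_unix) that makes the root cause above checkable on a package file: the `_binary_filedigest_algorithm` macro chosen at build time is recorded in the main RPM header under the FILEDIGESTALGO tag (tag number 5011 in rpm's rpmtag.h, values following the PGP hash-algorithm numbering, MD5 = 1, SHA-256 = 8). The reader below walks the lead, signature header and main header of an RPM, reports that algorithm, and says whether an rpm running in FIPS mode will be able to verify the per-file digests. The stub packages it builds for demonstration are constructed (lead plus two minimal headers, no payload) and are not real packages; the tag numbers, header magic and layout are rpm's own.

```python
"""Report which per-file digest algorithm an RPM declares and whether FIPS-mode rpm
can verify it (added example; the MD5 case is the "cpio: Digest mismatch" in this issue)."""
import struct

LEAD_SIZE = 96                      # fixed-size lead at the start of every RPM file
LEAD_MAGIC = b"\xed\xab\xee\xdb"
HEADER_MAGIC = b"\x8e\xad\xe8\x01"  # header-structure magic + version byte
RPMTAG_FILEDIGESTALGO = 5011        # main-header tag (rpmtag.h); absent means MD5
RPMTAG_BUILDTIME = 1006             # any int32 tag, used only to pad the stub header
RPMSIGTAG_SIZE = 1000               # signature-header tag used in the stub
RPM_INT32 = 4                       # index-entry type for int32 arrays

# PGP hash-algorithm ids as rpm stores them (RFC 4880 numbering)
HASH_NAMES = {1: "MD5", 2: "SHA1", 8: "SHA256", 9: "SHA384", 10: "SHA512", 11: "SHA224"}
FIPS_OK = {8, 9, 10, 11}            # SHA-2 family; MD5 is refused outright in FIPS mode


def build_header(int_entries):
    """Serialize a header structure from {tag: (int32, ...)} (constructed test data)."""
    index, data = b"", b""
    for tag, vals in int_entries.items():
        data += b"\x00" * (-len(data) % 4)          # int32 data is 4-byte aligned
        index += struct.pack(">IIII", tag, RPM_INT32, len(data), len(vals))
        data += struct.pack(">%dI" % len(vals), *vals)
    head = HEADER_MAGIC + b"\x00" * 4 + struct.pack(">II", len(int_entries), len(data))
    return head + index + data


def parse_header(buf, off):
    """Parse the header structure at buf[off:]; return ({tag: values}, end offset)."""
    if buf[off:off + 4] != HEADER_MAGIC:
        raise ValueError("bad header magic at offset %d" % off)
    nindex, hsize = struct.unpack(">II", buf[off + 8:off + 16])
    idx, data = off + 16, off + 16 + 16 * nindex     # index entries, then data region
    entries = {}
    for i in range(nindex):
        tag, typ, o, count = struct.unpack(">IIII", buf[idx + 16 * i:idx + 16 * i + 16])
        if typ == RPM_INT32:                          # strings/binary tags are not needed here
            entries[tag] = struct.unpack(">%dI" % count, buf[data + o:data + o + 4 * count])
    return entries, data + hsize


def file_digest_algo(rpm_bytes):
    """Return the hash id the package's file digests use (1 == MD5 when the tag is unset)."""
    if rpm_bytes[:4] != LEAD_MAGIC:
        raise ValueError("not an RPM file")
    _sig, end = parse_header(rpm_bytes, LEAD_SIZE)   # signature header follows the lead
    end += -end % 8                                   # main header starts 8-byte aligned
    main, _ = parse_header(rpm_bytes, end)
    return main.get(RPMTAG_FILEDIGESTALGO, (1,))[0]


def fips_verdict(algo):
    """Map a hash id to (name, verdict) for an rpm running with FIPS mode enabled."""
    name = HASH_NAMES.get(algo, "unknown(%d)" % algo)
    if algo == 1:
        return name, "REJECTED: rpm cannot verify MD5 file digests in FIPS mode"
    if algo in FIPS_OK:
        return name, "ok"
    return name, "review: not in the SHA-2 set, check the platform crypto policy"


def constructed_rpm(algo=None):
    """Lead + signature header + main header, no payload: a constructed stub, not a package."""
    lead = LEAD_MAGIC + b"\x03\x00" + b"\x00" * (LEAD_SIZE - 6)   # rpm format 3.0
    sig = build_header({RPMSIGTAG_SIZE: (0,)})
    sig += b"\x00" * (-len(sig) % 8)                              # pad to main-header alignment
    tags = {RPMTAG_BUILDTIME: (1700000000,)}
    if algo is not None:
        tags[RPMTAG_FILEDIGESTALGO] = (algo,)
    return lead + sig + build_header(tags)


if __name__ == "__main__":
    import sys
    samples = [("legacy, tag absent", constructed_rpm()),
               ("built with MD5", constructed_rpm(1)),
               ("built with SHA256", constructed_rpm(8))]
    samples += [(p, open(p, "rb").read()) for p in sys.argv[1:]]   # real .rpm paths, if given
    for label, pkg in samples:
        print("%-20s %s: %s" % (label, *fips_verdict(file_digest_algo(pkg))))
```

On a host that has rpm installed the same number is available without any parsing: `rpm -qp --qf '%{FILEDIGESTALGO}\n' duo_unix-2.0.0-0.el8.x86_64.rpm` prints 1 (or `(none)`) for an MD5-digested package and 8 for SHA-256. On the build side, `%global _binary_filedigest_algorithm 8` in the spec or in `~/.rpmmacros` is the setting that produces the FIPS-verifiable package this thread ends up with.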

Even using the correct digest algorithm we're still having issues. Please bear with us.

We believe this was resolved; please reopen it if it was not.