[xCAT-server]Change DNS/DHCP control key algorithm MD5 -> SHA512

[samveen]

The PR is to fix issue #6757

The modification include

• Change all omshell access to use key-algorithm hmac-sha512 instead of the default hmac-md5
• Change named/dhcpd config generating code to use algorithm hmac-sha512 instead of hmac-md5

The UT result

I don't have a test environment for this, so nothing tested.

[cxhong]

@samveen , thanks.
I modified /opt/xcat/share/xcat/tools/dhcpop and ran a test to remove mac from lease file

]# /opt/xcat/share/xcat/tools/dhcpop -r -n mid08tor03cn01
<STDIN> line 1: unknown token: key-algorithm
key-algorithm
^
# diff dhcpop dhcpop.orig
42d41
<     print $omshell "key-algorithm HMAC-SHA512\n";

I tried on both rhel8 and rhel7 system, both failed

[cxhong]

@samveen , did u have chance to look into this PR? even without enable FIPS, this modification didn't work from my testing.

[samveen]

@cxhong would you give me the output or rpm -qf $(which omshell) in the environment where the testing failed?

[cxhong]

on the redhat7.7:

# which omshell
/usr/bin/omshell
# rpm -qf /usr/bin/omshell
dhcp-4.2.5-77.el7.ppc64le

[kjhee43]

@cxhong what's the latest status of this patch? Any update to get it working?

[samveen]

@kjhee43 @cxhong I unfortunately don't have access to a test environment anymore, so I am unable to test this to make a fix.

Is there a test environment that I can access to test this on?

[kjhee43]

@samveen I dont have one you can access. Can you provide me the patch to test?

[cxhong]

@samveen , we don't have system for public access.
@kjhee43 , the patch is in this PR. https://github.com/xcat2/xcat-core/pull/6797.patch you can manually modified the changes on your xCAT management node.

[ddo262]

@cxhong redhat release a fix for rhel 8 where you can change the omshell algroithm.
https://bugzilla.redhat.com/show_bug.cgi?id=1883999

[samveen]

This is stale, (and badly implemented), and #7389 fixes the issue in a more structured way. Closing.