update-crypto-policies bricks RHEL 9 after reboot...
A couple of users reached out and said they could not SSH to a specific server. I was already SSH'd into that server and was having no issues. I saw the following error for SSSD:
Failed to initialize credentials using keytab [MEMORY:/etc/krb5]: Preauthentication failed. Unable to create GSSAPI-encrypted LDAP connection.
I found an answer online that said the following:
- In RHEL8 and RHEL9 krb5 does not support RC4 anymore. In cases where this old and unsecured cipher is being used then as a workaround, load the 'AD-SUPPORT' crypto policy on top of the 'DEFAULT' policy in RHEL8 and AD-SUPPORT-LEGACY crypto policy on top of the 'DEFAULT' policy in RHEL9.
- To enable the AD-SUPPORT subpolicy in addition to the DEFAULT cryptographic policy in RHEL8.
The recommended solution was "sudo update-crypto-policies --set DEFAULT:AD-SUPPORT-LEGACY"
After rebooting, no account could log in. Not even root.
We are still able to mount the filesystem from the recovery environment.
A coworker said this can happen when FIPS mode is active.
Is there a way to manually fix this once mounted to the filesystem? Is there a configuration file that can be changed? Or is there an option that can be added to the kernel selection at startup that will disable FIPS, if you think that will allow us to log in again?
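An added offline check, not part of the original post or any Red Hat tooling, for the two pieces of state the question turns on: the crypto policy name that `update-crypto-policies --set` records in `/etc/crypto-policies/config`, and whether the kernel command line carries `fips=1`. It assumes the broken root is mounted from the recovery environment (the `/mnt/sysroot` path is an assumption), that RHEL 9 stores the kernel command line in the `options` line of the BLS entries under `/boot/loader/entries/*.conf`, and it flags the combination the coworker described (FIPS mode active with a non-FIPS policy) as a mismatch; whether that combination is the actual cause here is the post's open question, not something the script establishes. The sample file contents are constructed so the script runs without the real files.

```shell
#!/bin/sh
# Added example (not from the original post). Offline state check for a
# RHEL 9 root filesystem mounted from a recovery environment, assumed at
# /mnt/sysroot. On the real system the inputs would be read with:
#   cat /mnt/sysroot/etc/crypto-policies/config
#   cat /mnt/sysroot/boot/loader/entries/*.conf
# (on a running system, /proc/cmdline and `update-crypto-policies --show`).

# Print the active policy name from the contents of
# /etc/crypto-policies/config: first non-blank, non-comment line, trimmed.
policy_from_config() {
    printf '%s\n' "$1" \
        | sed -e 's/#.*//' -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' \
        | grep -v '^$' \
        | head -n 1
}

# Print the kernel command line recorded in the "options" line of a BLS
# boot entry (first such line wins).
options_from_bls() {
    printf '%s\n' "$1" | sed -n 's/^options[[:space:]]*//p' | head -n 1
}

# True when a kernel command line string turns on FIPS mode (fips=1 as a
# whole word; "fips=0" or "nofips" would not match).
cmdline_has_fips() {
    case " $1 " in
        *" fips=1 "*) return 0 ;;
        *)            return 1 ;;
    esac
}

# Classify policy vs FIPS state. The base policy is the part before the
# first ':' (DEFAULT:AD-SUPPORT-LEGACY has base DEFAULT). A FIPS kernel
# with a non-FIPS base policy is reported as the mismatch hypothesised in
# the post; the script only reports, it changes nothing.
assess() {
    policy=$1
    fips=$2
    base=${policy%%:*}
    if [ "$fips" = yes ] && [ "$base" != FIPS ]; then
        echo "MISMATCH: FIPS mode enabled but crypto policy is '$policy'"
    elif [ "$fips" = yes ]; then
        echo "OK: FIPS mode with FIPS policy '$policy'"
    else
        echo "OK: FIPS mode off, crypto policy '$policy'"
    fi
}

# Combine both inputs into one verdict line.
report() {
    policy=$(policy_from_config "$1")
    if cmdline_has_fips "$(options_from_bls "$2")"; then
        fips=yes
    else
        fips=no
    fi
    assess "$policy" "$fips"
}

# Constructed sample data standing in for the two mounted files.
SAMPLE_CONFIG='# crypto-policies config (constructed sample)
DEFAULT:AD-SUPPORT-LEGACY
'
SAMPLE_BLS='title Red Hat Enterprise Linux (constructed sample)
version placeholder-kernel-version
linux /vmlinuz-placeholder
initrd /initramfs-placeholder.img
options root=/dev/mapper/rhel-root ro crashkernel=1G-4G:192M fips=1 boot=UUID=placeholder-uuid
'

# Stand-alone run against the constructed data.
report "$SAMPLE_CONFIG" "$SAMPLE_BLS"
```

If the report shows the mismatch, the two administrative levers are the ones the post already names: the policy file written by `update-crypto-policies`, and the `fips=1` kernel argument in the boot entry. Make a copy of both files before editing either from the recovery environment, so the change can be reverted if it is not the cause.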