On FIPS enforcing systems that prohibit the use of MD5, tl-mount-localdrives won't work. I tested this on a RHEL 9 machine with FIPS mode enabled using server build 3537 and client build 3435.

Creating a session with a shared local drive will crash tl-mount-localdrives with the following in xinit.log:

> Running /opt/thinlinc/etc/xstartup.d/40-tl-mount-localdrives (Mounting local drives)
> Traceback (most recent call last):
>   File "/opt/thinlinc/etc/xstartup.d/40-tl-mount-localdrives", line 402, in <module>
>     I1iO0OOOOoO0o ( )
>   File "/opt/thinlinc/etc/xstartup.d/40-tl-mount-localdrives", line 379, in I1iO0OOOOoO0o
>     Ii1i11 = ii1iII1II1I . get_otp ( o0o ) . encode ( 'utf-8' )
>   File "/opt/thinlinc/etc/xstartup.d/40-tl-mount-localdrives", line 125, in get_otp
>     ooooo = hashlib . md5 ( Ii1iI1111Iii1 + password ) . hexdigest ( )
> ValueError: [digital envelope routines] unsupported

It seems like unfs3 uses MD5 digests for one-time passwords [1].

I had a brief look at our codebase and found places where we use hashlib.md5():

* poppler/regtest/__init__.py - Not sure how/where this is used, and if it can affect us.
* Cheetah/CacheRegion.py - md5 is used in the function getCacheItem() [2]. It doesn't look like we use caches in our templates.

[1] https://github.com/unfs3/unfs3/blob/9ed6a635fafc43fd97d8977a9ea4f075dde8c96e/password.c#L107
[2] https://cheetahtemplate.org/api/Cheetah.CacheRegion.html
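An added example, not part of the original report or the project's code: a static scan for the MD5 constructions the report went looking for, recording which calls pass `usedforsecurity=False` (a hashlib keyword since Python 3.9). The `SAMPLE` source and the names `find_md5_calls` and `_flag_is_false` are constructed for illustration.

```python
import ast

# Constructed sample source, modelled on the call shown in the traceback.
SAMPLE = '''import hashlib
from hashlib import md5
def get_otp(salt, password):
    return hashlib.md5(salt + password).hexdigest()
def cache_key(data):
    return md5(data, usedforsecurity=False).hexdigest()
def by_name(data):
    return hashlib.new("md5", data).hexdigest()
'''

def _flag_is_false(call):
    """True when the call passes the literal usedforsecurity=False."""
    return any(kw.arg == "usedforsecurity"
               and isinstance(kw.value, ast.Constant) and kw.value.value is False
               for kw in call.keywords)

def find_md5_calls(source):
    """Return (line, spelling, has_flag) for each MD5 construction in source."""
    tree = ast.parse(source)
    modules, funcs = set(), set()  # local aliases of hashlib and of hashlib.md5
    for node in ast.walk(tree):
        if isinstance(node, ast.Import):
            modules |= {a.asname or a.name for a in node.names if a.name == "hashlib"}
        elif isinstance(node, ast.ImportFrom) and node.module == "hashlib":
            funcs |= {a.asname or a.name for a in node.names if a.name == "md5"}
    hits = []
    for node in (n for n in ast.walk(tree) if isinstance(n, ast.Call)):
        f = node.func
        via_module = (isinstance(f, ast.Attribute) and isinstance(f.value, ast.Name)
                      and f.value.id in modules)
        if via_module and f.attr == "md5":
            spelling = "hashlib.md5"
        elif isinstance(f, ast.Name) and f.id in funcs:
            spelling = "md5"
        elif (via_module and f.attr == "new" and node.args
              and isinstance(node.args[0], ast.Constant)
              and str(node.args[0].value).lower() == "md5"):
            spelling = "hashlib.new('md5')"
        else:
            continue
        hits.append((node.lineno, spelling, _flag_is_false(node)))
    return sorted(hits)

if __name__ == "__main__":
    print(*find_md5_calls(SAMPLE), sep="\n")
```

The scan only reports whether the flag is present; whether a given digest is a non-security use is left to the reviewer.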
Works well on a fips-enabled Ubuntu 22.04. https://ubuntu.com/security/certifications/docs/2204/fips