View Issue Details

ID: 0016720
Project: CentOS-8-OTHER
Category:
View Status: public
Last Update: 2019-11-12 06:19
Reporter: shesh.pragada@broadcom.com
Priority: normal
Severity: minor
Reproducibility: always
Status: new
Resolution: open
Product Version: 8.0.1905
Target Version:
Fixed in Version:
Summary: 0016720: FIPS mode for centos8 does not allow SSHD to accept ssh-rsa keys
Description:
Upon activating the fips mode via fips-mode-setup --enable, the SSH server does not accept ssh-rsa keys.

The default SSH configuration in FIPS mode is as follows (/etc/crypto-policies/back-ends/opensshserver.config):

CRYPTO_POLICY='-oCiphers=aes256-gcm@openssh.com,aes256-ctr,aes256-cbc,aes128-gcm@openssh.com,aes128-ctr,aes128-cbc -oMACs=hmac-sha2-256-etm@openssh.com,hmac-sha1-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha2-256,hmac-sha1,hmac-sha2-512 -oGSSAPIKeyExchange=no -oKexAlgorithms=ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512 -oHostKeyAlgorithms=rsa-sha2-256,rsa-sha2-256-cert-v01@openssh.com,ecdsa-sha2-nistp256,ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384,ecdsa-sha2-nistp384-cert-v01@openssh.com,rsa-sha2-512,rsa-sha2-512-cert-v01@openssh.com,ecdsa-sha2-nistp521,ecdsa-sha2-nistp521-cert-v01@openssh.com -oPubkeyAcceptedKeyTypes=rsa-sha2-256,rsa-sha2-256-cert-v01@openssh.com,ecdsa-sha2-nistp256,ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384,ecdsa-sha2-nistp384-cert-v01@openssh.com,rsa-sha2-512,rsa-sha2-512-cert-v01@openssh.com,ecdsa-sha2-nistp521,ecdsa-sha2-nistp521-cert-v01@openssh.com -oCASignatureAlgorithms=rsa-sha2-256,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,rsa-sha2-512,ecdsa-sha2-nistp521'

The list of PubkeyAcceptedKeyTypes does not list the "ssh-rsa" type.

Tested connectivity with key sizes of 2048 and 4096. Connection is successful if the configuration is changed to include ssh-rsa.

1. Is the default configuration correct? Does FIPS mode require ssh-rsa keys to be rejected even if using a key size of 2048?
2. What are the options to use RSA keys in FIPS mode? rsa-sha2-256?

Steps To Reproduce:
1. Add an ssh-rsa key to .ssh/authorized_keys for an account
2. $> fips-mode-setup --enable
3. Restart the system and try to connect to the account using the ssh-rsa key
Tags: fips, ssh, ssh-rsa
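The PubkeyAcceptedKeyTypes list quoted in the report names signature algorithms, not key file formats: an RSA public key in authorized_keys always begins with the "ssh-rsa" format tag, while "ssh-rsa" as an algorithm name means RSA with SHA-1 signatures (RFC 4253) and rsa-sha2-256 / rsa-sha2-512 mean the same RSA key signed with SHA-2 (RFC 8332). The following POSIX shell script is an editor's example added here; it is not part of the bug report, of OpenSSH, or of the crypto-policies package. It parses the CRYPTO_POLICY line from the report and checks which algorithm names each -o option accepts, and separates that from the format tag of an authorized_keys entry. The policy string is copied from the report, the authorized_keys line is a constructed placeholder, and all function names are the example's own.

```shell
#!/bin/sh
# Added example (not from the bug report or the crypto-policies package):
# inspect an OpenSSH CRYPTO_POLICY line as written to
# /etc/crypto-policies/back-ends/opensshserver.config in FIPS mode.

# Constructed sample: the FIPS policy line exactly as quoted in the report.
SAMPLE_POLICY="CRYPTO_POLICY='-oCiphers=aes256-gcm@openssh.com,aes256-ctr,aes256-cbc,aes128-gcm@openssh.com,aes128-ctr,aes128-cbc -oMACs=hmac-sha2-256-etm@openssh.com,hmac-sha1-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha2-256,hmac-sha1,hmac-sha2-512 -oGSSAPIKeyExchange=no -oKexAlgorithms=ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512 -oHostKeyAlgorithms=rsa-sha2-256,rsa-sha2-256-cert-v01@openssh.com,ecdsa-sha2-nistp256,ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384,ecdsa-sha2-nistp384-cert-v01@openssh.com,rsa-sha2-512,rsa-sha2-512-cert-v01@openssh.com,ecdsa-sha2-nistp521,ecdsa-sha2-nistp521-cert-v01@openssh.com -oPubkeyAcceptedKeyTypes=rsa-sha2-256,rsa-sha2-256-cert-v01@openssh.com,ecdsa-sha2-nistp256,ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384,ecdsa-sha2-nistp384-cert-v01@openssh.com,rsa-sha2-512,rsa-sha2-512-cert-v01@openssh.com,ecdsa-sha2-nistp521,ecdsa-sha2-nistp521-cert-v01@openssh.com -oCASignatureAlgorithms=rsa-sha2-256,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,rsa-sha2-512,ecdsa-sha2-nistp521'"

# Constructed placeholder authorized_keys line (not a real key): the first
# field is the key *format* tag, which is "ssh-rsa" for every RSA key.
SAMPLE_PUBKEY="ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDexampleplaceholder user@example"

# policy_option_values POLICY_LINE OPTION
# Prints the comma-separated value of -oOPTION=... from the policy line
# (empty output when the option is not set).
policy_option_values() {
    printf '%s\n' "$1" \
        | sed -e "s/^CRYPTO_POLICY='//" -e "s/'\$//" \
        | tr ' ' '\n' \
        | sed -n "s/^-o$2=//p"
}

# policy_accepts POLICY_LINE OPTION ALGORITHM
# Exit 0 when ALGORITHM is an exact entry of -oOPTION=..., 1 otherwise.
# -x requires a whole-line match, so rsa-sha2-256 does not match
# rsa-sha2-256-cert-v01@openssh.com; -F keeps dots in names literal.
policy_accepts() {
    policy_option_values "$1" "$2" | tr ',' '\n' | grep -qxF "$3"
}

# key_blob_type PUBKEY_LINE
# Prints the format tag of an authorized_keys or .pub line. This is the key
# type, not the signature algorithm the client and sshd negotiate.
key_blob_type() {
    printf '%s\n' "$1" | awk '{print $1}'
}

# Stand-alone demo: which RSA-related algorithm names does the policy accept?
for alg in ssh-rsa rsa-sha2-256 rsa-sha2-512; do
    if policy_accepts "$SAMPLE_POLICY" PubkeyAcceptedKeyTypes "$alg"; then
        echo "PubkeyAcceptedKeyTypes accepts $alg"
    else
        echo "PubkeyAcceptedKeyTypes rejects $alg"
    fi
done
echo "authorized_keys format tag: $(key_blob_type "$SAMPLE_PUBKEY")"

# If ssh-keygen is installed, show that a freshly generated RSA key is still
# written with the ssh-rsa format tag; the signature algorithm is chosen at
# connection time, not stored in the key.
if command -v ssh-keygen >/dev/null 2>&1; then
    tmp=$(mktemp -d)
    ssh-keygen -q -t rsa -b 2048 -N '' -f "$tmp/id_rsa"
    echo "generated key format tag: $(key_blob_type "$(cat "$tmp/id_rsa.pub")")"
    rm -rf "$tmp"
fi
```

On the client side, `ssh -Q key` lists the key and signature algorithm names the local OpenSSH build knows; OpenSSH 7.2 and later offer rsa-sha2-256 and rsa-sha2-512 for an RSA key, so the "ssh-rsa" tag in authorized_keys does not need to change for the SHA-2 algorithms to be used.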

Activities

There are no notes attached to this issue.

Issue History

Date Modified Username Field Change
2019-11-12 06:19 shesh.pragada@broadcom.com New Issue
2019-11-12 06:19 shesh.pragada@broadcom.com Tag Attached: fips
2019-11-12 06:19 shesh.pragada@broadcom.com Tag Attached: ssh
2019-11-12 06:19 shesh.pragada@broadcom.com Tag Attached: ssh-rsa