 |
I recently spoke to Renaud Métrich from Red Hat and he advised me that "Our engineering team confirms that ssh-rsa is *not* FIPS compliant. It was tolerated in RHEL 7, but not in RHEL 8 anymore. Please regenerate a key with another algorithm, for example: "ECDSA" with curve "nistp256" Red Hat also cited Table 8 of https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-131Ar2.pdf for the reason behind its deprecation. |
|
|
The referenced table is regarding hashing algorithms. Table 8 says that SHA-2 family (SHA-224, through SHA-512) are acceptable for all hash functions. Table 2 says that RSA <= 2048 is disallowed for Digital Signature Generation, and is legacy use for Digital Signature Verification. RSA > 2048 is Acceptable for both. The ssh-rsa format is flexible, and so: `ssh-keygen -t rsa -b 4096 -E sha512` generates an ssh-rsa public/private key pair that should technically be FIPS compliant. This would, however, have to be checked during the SSH handshake. Blocking ssh-rsa essentially takes the easy way out by blocking both non-compliant and compliant keys, and only allowing formats that only permit compliant keys. I believe with open ssh, allowing compliant RSA keys would likely require modifying source code and rebuilding (SSH_RSA_MINIMUM_MODULUS_SIZE). Personally, it's actually rather sad that FIPS is pushing ECDSA with the NIST curves. |
- Anonymous
