View Issue Details

ID: 0016720
Project: CentOS-8
Category: -OTHER
View Status: public
Last Update: 2020-10-21 19:08
Status: new
Resolution: open
Product Version: 8.0.1905
Target Version:
Fixed in Version:
Summary: 0016720: FIPS mode for centos8 does not allow SSHD to accept ssh-rsa keys
Description: Upon activating the fips mode via fips-mode-setup --enable, the SSH server does not accept ssh-rsa keys.

The default SSH configuration in FIPS mode is as follows (/etc/crypto-policies/back-ends/opensshserver.config):

CRYPTO_POLICY=',aes256-ctr,aes256-cbc,,aes128-ctr,aes128-cbc,,,hmac-sha2-256,hmac-sha1,hmac-sha2-512 -oGSSAPIKeyExchange=no -oKexAlgorithms=ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512 -oHostKeyAlgorithms=rsa-sha2-256,,ecdsa-sha2-nistp256,,ecdsa-sha2-nistp384,,rsa-sha2-512,,ecdsa-sha2-nistp521, -oPubkeyAcceptedKeyTypes=rsa-sha2-256,,ecdsa-sha2-nistp256,,ecdsa-sha2-nistp384,,rsa-sha2-512,,ecdsa-sha2-nistp521, -oCASignatureAlgorithms=rsa-sha2-256,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,rsa-sha2-512,ecdsa-sha2-nistp521'

The list of PubkeyAcceptedKeyTypes does not list the "ssh-rsa" type.

Tested connectivity with key-sizes of 2048 and 4096. Connection is successful if configuration is changed to include ssh-rsa.

1. Is the default configuration correct? Does FIPS mode require ssh-rsa keys to be rejected even if using a keysize of 2048?
2. What are options to use RSA keys in FIPS keys? rsa-sha2-256?

Steps To Reproduce:
1. Add an ssh-rsa key to .ssh/authorized_keys for an account
2. $> fips-mode-setup --enable
3. Restart the system and try to connect to the account using the ssh-rsa key
Tags: fips, ssh, ssh-rsa
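
Added example (not part of the original report, and not CentOS or Red Hat code): a POSIX shell check that parses a CRYPTO_POLICY line in the format quoted in the description and reports whether ssh-rsa, rsa-sha2-256 and rsa-sha2-512 are listed under PubkeyAcceptedKeyTypes. The function names and the shortened sample line are constructed for illustration.

```shell
#!/bin/sh
# Constructed sample: a shortened policy line in the format shown in the issue,
# keeping the empty list entries as they appear on the page.
SAMPLE_POLICY="CRYPTO_POLICY='-oGSSAPIKeyExchange=no -oHostKeyAlgorithms=rsa-sha2-256,,ecdsa-sha2-nistp256,,rsa-sha2-512 -oPubkeyAcceptedKeyTypes=rsa-sha2-256,,ecdsa-sha2-nistp256,,ecdsa-sha2-nistp384,,rsa-sha2-512,,ecdsa-sha2-nistp521, -oCASignatureAlgorithms=rsa-sha2-256,rsa-sha2-512'"

# policy_list OPTION POLICY_LINE
# Print the values of -oOPTION=... one per line, dropping empty entries.
policy_list() {
    opt=$1
    body=${2#CRYPTO_POLICY=}   # strip the variable name
    body=${body#\'}            # strip the opening quote
    body=${body%\'}            # strip the closing quote
    for word in $body; do      # options are separated by spaces
        case $word in
            "-o$opt="*)
                printf '%s\n' "${word#*=}" | tr ',' '\n' | sed '/^$/d'
                ;;
        esac
    done
}

# policy_allows OPTION ALGORITHM POLICY_LINE
# Exit 0 only on an exact match, so "ssh-rsa" is not satisfied by a longer
# name that merely contains it (a certificate type, for instance).
policy_allows() {
    policy_list "$1" "$3" | grep -Fxq -- "$2"
}

# report_rsa POLICY_LINE: one line per RSA signature algorithm name.
report_rsa() {
    for alg in ssh-rsa rsa-sha2-256 rsa-sha2-512; do
        if policy_allows PubkeyAcceptedKeyTypes "$alg" "$1"; then
            echo "$alg: listed"
        else
            echo "$alg: not listed"
        fi
    done
}

# Use the config file given as the first argument, else the constructed sample.
if [ -r "${1:-}" ]; then
    POLICY=$(grep '^CRYPTO_POLICY=' "$1")
else
    POLICY=$SAMPLE_POLICY
fi
report_rsa "$POLICY"
```

Pass the path of the back-end config file as the first argument to check a live system.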




2020-03-17 06:42

reporter   ~0036524

I recently spoke to Renaud Métrich from Red Hat and he advised me that

"Our engineering team confirms that ssh-rsa is *not* FIPS compliant.
It was tolerated in RHEL 7, but not in RHEL 8 anymore.
Please regenerate a key with another algorithm, for example: "ECDSA" with curve "nistp256""

Red Hat also cited Table 8 of for the reason behind its deprecation.


2020-10-21 19:08

reporter   ~0037816

The referenced table is regarding hashing algorithms.

Table 8 says that SHA-2 family (SHA-224, through SHA-512) are acceptable for all hash functions.

Table 2 says that RSA <= 2048 is disallowed for Digital Signature Generation, and is legacy use for Digital Signature Verification.
RSA > 2048 is Acceptable for both.

The ssh-rsa format is flexible, and so: `ssh-keygen -t rsa -b 4096 -E sha512` generates an ssh-rsa public/private key pair that should technically be FIPS compliant.

This would, however, have to be checked during the SSH handshake. Blocking ssh-rsa essentially takes the easy way out by blocking both non-compliant and compliant keys, and only allowing formats that only permit compliant keys. I believe with OpenSSH, allowing compliant RSA keys would likely require modifying source code and rebuilding (SSH_RSA_MINIMUM_MODULUS_SIZE).

Personally, it's actually rather sad that FIPS is pushing ECDSA with the NIST curves.

Issue History

Date Modified Username Field Change
2019-11-12 06:19 New Issue
2019-11-12 06:19 Tag Attached: fips
2019-11-12 06:19 Tag Attached: ssh
2019-11-12 06:19 Tag Attached: ssh-rsa
2020-03-17 06:42 alau Note Added: 0036524
2020-10-21 19:08 mandrachek Note Added: 0037816