View Issue Details
|ID||Project||Category||View Status||Date Submitted||Last Update|
|0016720||CentOS-8||-OTHER||public||2019-11-12 06:19||2020-10-21 19:08|
|Summary||0016720: FIPS mode for centos8 does not allow SSHD to accept ssh-rsa keys|
|Description||Upon activating the fips mode via fips-mode-setup --enable, the SSH server does not accept ssh-rsa keys.|
The default SSH configuration in FIPS mode is as following (/etc/crytpo-policies/back-ends/opensshserver.config
CRYPTO_POLICY='-oCiphersfirstname.lastname@example.org,aes256-ctr,aes256-cbc,email@example.com,aes128-ctr,aes128-cbc -oMACsfirstname.lastname@example.org,email@example.com,firstname.lastname@example.org,hmac-sha2-256,hmac-sha1,hmac-sha2-512 -oGSSAPIKeyExchange=no -oKexAlgorithms=ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512 -oHostKeyAlgorithms=rsa-sha2-256,email@example.com,ecdsa-sha2-nistp256,firstname.lastname@example.org,ecdsa-sha2-nistp384,email@example.com,rsa-sha2-512,firstname.lastname@example.org,ecdsa-sha2-nistp521,email@example.com -oPubkeyAcceptedKeyTypes=rsa-sha2-256,firstname.lastname@example.org,ecdsa-sha2-nistp256,email@example.com,ecdsa-sha2-nistp384,firstname.lastname@example.org,rsa-sha2-512,email@example.com,ecdsa-sha2-nistp521,firstname.lastname@example.org -oCASignatureAlgorithms=rsa-sha2-256,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,rsa-sha2-512,ecdsa-sha2-nistp521'
The list of PubkeyAcceptedKeyTypes does not list the "ssh-rsa" type.
Tested connectivity with key-sizes of 2048 and 4096. Connection is successful if configuration is changed to include ssh-rsa.
1. Is the default configuration correct? Does FIPS mode require ssh-rsa keys to be rejected even if using a keysize of 2048?
2. What are options to use RSA keys in FIPS keys? rsa-sha2-256?
|Steps To Reproduce||1. Add an ssh-rsa key to .ssh/authorized_keys for an account|
2. $> fips-mode-setup --enable
3. Restart the system and try to connect to the account using the ssh-rsa key
|Tags||fips, ssh, ssh-rsa|
I recently spoke to Renaud Métrich from Red Hat and he advised me that
"Our engineering team confirms that ssh-rsa is *not* FIPS compliant.
It was tolerated in RHEL 7, but not in RHEL 8 anymore.
Please regenerate a key with another algorithm, for example: "ECDSA" with curve "nistp256"
Red Hat also cited Table 8 of https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-131Ar2.pdf for the reason behind its deprecation.
The referenced table is regarding hashing algorithms.
Table 8 says that SHA-2 family (SHA-224, through SHA-512) are acceptable for all hash functions.
Table 2 says that RSA <= 2048 is disallowed for Digital Signature Generation, and is legacy use for Digital Signature Verification.
RSA > 2048 is Acceptable for both.
The ssh-rsa format is flexible, and so: `ssh-keygen -t rsa -b 4096 -E sha512` generates an ssh-rsa public/private key pair that should technically be FIPS compliant.
This would, however, have to be checked during the SSH handshake. Blocking ssh-rsa essentially takes the easy way out by blocking both non-compliant and compliant keys, and only allowing formats that only permit compliant keys. I believe with open ssh, allowing compliant RSA keys would likely require modifying source code and rebuilding (SSH_RSA_MINIMUM_MODULUS_SIZE).
Personally, it's actually rather sad that FIPS is pushing ECDSA with the NIST curves.
|2019-11-12 06:email@example.com||New Issue|
|2019-11-12 06:firstname.lastname@example.org||Tag Attached: fips|
|2019-11-12 06:email@example.com||Tag Attached: ssh|
|2019-11-12 06:firstname.lastname@example.org||Tag Attached: ssh-rsa|
|2020-03-17 06:42||alau||Note Added: 0036524|
|2020-10-21 19:08||mandrachek||Note Added: 0037816|