What were you trying to do that didn't work?
Enable mlkem768x25519-sha256 in crypto-policies (https://issues.redhat.com/browse/RHEL-151499)
What is the impact of this issue to you?
Can't enable it in 9 PQ for fears that someone might be driving FIPS:PQ.
That leaves 9.8 without PQ SSH unless one forces an algorithm.
Please provide the package NVR for which the bug is seen:
openssh-9.9p1-3.el9
How reproducible is this bug?:
reliably
Steps to reproduce
- be in FIPS mode
- update-crypto-policies --set FIPS:PQ
Expected results
the algorithm is skipped, connections happen with a different kex, sshd doesn't just crash
Actual results
your ssh complains that "mlkem768x25519-sha256" is not allowed in FIPS mode, and your sshd is down
- blocks: RHEL-151499 enable mlkem768x25519-sha256 for RHEL-9 openssh (Planning)
- is blocked by: RHEL-151579 openssh explodes with FIPS:TEST-PQ in FIPS (Planning)