Loading...

XML

Word

Printable

Type: Bug
Resolution: Unresolved
Priority: Normal
Fix Version/s: rhel-10.0.beta
Affects Version/s: rhel-10.0.beta
Component/s: openssh
Labels:

Fixed in Build:
openssh-9.8p1-2.el10.0
Regression:
None
Severity:
None
Epic Link:
CRYPTO-14341
sprint_count:
1

Pool Team:

sst_security_crypto
Sub-System Group:

ssg_security

Internal Target Milestone:
26
Story Points:
0.5
Blocked:
False
Blocked Reason:

Hide

None

Show
None
Product Documentation Required:
Yes
Sprint:
Crypto24Q3

Acceptance Criteria:

Hide

AC: ssh-keygen uses RSA as default algorithms in FIPS mode

Show
AC: ssh-keygen uses RSA as default algorithms in FIPS mode
Preliminary Testing:
Pass
Test Link:
https://pkgs.devel.redhat.com/cgit/tests/openssh/tree/Regression/RHEL-37324-ssh-keygen-uses-RSA-as-default-in-FIPS-mode
Errata Link:
https://errata.engineering.redhat.com/advisory/134333
Gating Tests:

Not Needed
Test Coverage:

Automated

Release Note Type:
Enhancement
Release Note Text:

Hide
.OpenSSH in FIPS mode generates RSA keys by default

In previous versions, the `ssh-keygen` utility in OpenSSH generated RSA keys by default. In the versions provided with RHEL 10, `ssh-keygen` generates ed25519 keys by default in non-FIPS mode and RSA keys by default in FIPS mode.

Show
.OpenSSH in FIPS mode generates RSA keys by default In previous versions, the `ssh-keygen` utility in OpenSSH generated RSA keys by default. In the versions provided with RHEL 10, `ssh-keygen` generates ed25519 keys by default in non-FIPS mode and RSA keys by default in FIPS mode.
Release Note Status:
Done

Experience:

SFDC Cases Counter:
SFDC Cases Open:
SFDC Cases Links:

Planning:
None

What were you trying to do that didn't work?

ssh-keygen defaults to generating ed25519 keys
ed25519 algorithm is not allowed when FIPS mode is enabled
running "ssh-keygen" with no extra options always just errors out when FIPS is enabled

Please provide the package NVR for which bug is seen:

openssh-9.6p1-1.el10.2.x86_64
crypto-policies-20240202-1.git283706d.el10.noarch

How reproducible:

always

Steps to reproduce

[root@virt-002:~]$ fips-mode-setup --check
FIPS mode is enabled.
[root@virt-002:~]$ ssh-keygen
ED25519 keys are not allowed in FIPS mode
[root@virt-002:~]$ echo $?
255

Expected results

enabling FIPS mode should switch the ssh-keygen's default algorithm to a FIPS-compliant one

Actual results

ssh-keygen errors out, unless a FIPS-compliant algorithm is manually selected

links to

RHBA-2024:134333 openssh bug fix and enhancement update

mentioned on

Merge request - runtest: explicitly request RSA keytype in ssh-keygen

Assignee:: Dmitry Belyavskiy

Reporter:: Patrik Hagara

Developer:: Dmitry Belyavskiy

QA Contact:: Miluse Bezo Konecna

Doc Contact:: Jan Fiala

Votes:: 1 Vote for this issue

Watchers:: 11 Start watching this issue

Created:: 2024/05/20 3:18 PM

Updated:: 2024/10/24 12:16 PM

Target end:: 2024/08/26

Details

Description

What were you trying to do that didn't work?

Please provide the package NVR for which bug is seen:

How reproducible:

Steps to reproduce

Expected results

Actual results

Attachments

Issue Links

Easy Agile Planning Poker

Activity

People

Dates