Uploaded image for project: 'RHEL'
  1. RHEL
  2. RHEL-37324

ssh-keygen defaults to ed25519 even in FIPS mode

    • openssh-9.8p1-2.el10.0
    • None
    • None
    • 1
    • rhel-sst-security-crypto
    • ssg_security
    • 26
    • 0.5
    • False
    • Hide

      None

      Show
      None
    • Yes
    • Crypto24Q3
    • Enhancement
    • Hide
      .OpenSSH in FIPS mode generates RSA keys by default

      In previous versions, the `ssh-keygen` utility in OpenSSH generated RSA keys by default. In the versions provided with RHEL 10, `ssh-keygen` generates ed25519 keys by default in non-FIPS mode and RSA keys by default in FIPS mode.
      Show
      .OpenSSH in FIPS mode generates RSA keys by default In previous versions, the `ssh-keygen` utility in OpenSSH generated RSA keys by default. In the versions provided with RHEL 10, `ssh-keygen` generates ed25519 keys by default in non-FIPS mode and RSA keys by default in FIPS mode.
    • Done
    • None

      What were you trying to do that didn't work?

      • ssh-keygen defaults to generating ed25519 keys
      • ed25519 algorithm is not allowed when FIPS mode is enabled
      • running "ssh-keygen" with no extra options always just errors out when FIPS is enabled

      Please provide the package NVR for which bug is seen:

      openssh-9.6p1-1.el10.2.x86_64
      crypto-policies-20240202-1.git283706d.el10.noarch

      How reproducible:

      always

      Steps to reproduce

      [root@virt-002:~]$ fips-mode-setup --check
      FIPS mode is enabled.
      [root@virt-002:~]$ ssh-keygen
      ED25519 keys are not allowed in FIPS mode
      [root@virt-002:~]$ echo $?
      255
      

      Expected results

      enabling FIPS mode should switch the ssh-keygen's default algorithm to a FIPS-compliant one

      Actual results

      ssh-keygen errors out, unless a FIPS-compliant algorithm is manually selected

              dbelyavs@redhat.com Dmitry Belyavskiy
              rhn-support-phagara Patrik Hagara
              Dmitry Belyavskiy Dmitry Belyavskiy
              Miluse Bezo Konecna Miluse Bezo Konecna
              Jan Fiala Jan Fiala
              Votes:
              1 Vote for this issue
              Watchers:
              11 Start watching this issue

                Created:
                Updated: