-
Bug
-
Resolution: Unresolved
-
Normal
-
rhel-10.0.beta
-
openssh-9.8p1-2.el10.0
-
None
-
None
-
1
-
rhel-sst-security-crypto
-
ssg_security
-
26
-
0.5
-
False
-
-
Yes
-
Crypto24Q3
-
-
Pass
-
Not Needed
-
Automated
-
Enhancement
-
-
Done
-
None
What were you trying to do that didn't work?
- ssh-keygen defaults to generating ed25519 keys
- ed25519 algorithm is not allowed when FIPS mode is enabled
- running "ssh-keygen" with no extra options always just errors out when FIPS is enabled
Please provide the package NVR for which bug is seen:
openssh-9.6p1-1.el10.2.x86_64
crypto-policies-20240202-1.git283706d.el10.noarch
How reproducible:
always
Steps to reproduce
[root@virt-002:~]$ fips-mode-setup --check FIPS mode is enabled. [root@virt-002:~]$ ssh-keygen ED25519 keys are not allowed in FIPS mode [root@virt-002:~]$ echo $? 255
Expected results
enabling FIPS mode should switch the ssh-keygen's default algorithm to a FIPS-compliant one
Actual results
ssh-keygen errors out, unless a FIPS-compliant algorithm is manually selected
- links to
-
RHBA-2024:134333 openssh bug fix and enhancement update
- mentioned on