-
Bug
-
Resolution: Done-Errata
-
Normal
-
rhel-8.6.0
-
openssh-8.0p1-21.el8
-
Normal
-
1
-
sst_security_crypto
-
ssg_security
-
26
-
1
-
QE ack
-
False
-
-
No
-
Crypto24Q1
-
-
Pass
-
Automated
-
Release Note Not Required
-
-
All
-
None
+++ This bug was initially created as a clone of Bug #2087121 +++
Description of problem:
Based on NIST Special Publication 800-131A (Revision 2) the length of the modulus n shall be 2048 bits or more for RSA. This was enforced in RHEL-8 and ssh-keygen refused to generate RSA keys smaller than 2048 bits in FIPS. However, this no longer works in RHEL-9.0.
Version-Release number of selected component (if applicable):
openssh-8.0p1-13.el8
How reproducible:
100% in FIPS mode
Steps to Reproduce:
1. Enable FIPS mode
- fips-mode-setup --enable && reboot
2. Generate SSH RSA key of size smaller than 2048 bits.
- ssh-keygen -b 1024 -t rsa -N '' -f /root/.ssh/id_rsa
Actual results:
Generating public/private rsa key pair.
Your identification has been saved in /root/.ssh/id_rsa
Your public key has been saved in /root/.ssh/id_rsa.pub
The key fingerprint is:
SHA256:VEflCzzZ1uaM85mZn1z3uQakLRcnTJXN6br+rBEfCsc root@kvm-03-guest25.hv2.lab.eng.bos.redhat.com
The key's randomart image is:
--[RSA 1024]---
| ..o.oo+ |
| . o = +o |
| . B = o |
| . .O O |
| S .+EO.o |
| oo=+o* |
| ooo*+ |
| .+.B |
| .o+B+ |
---[SHA256]----
Expected results:
rsa_generate_private_key: the key length might be unsupported by FIPS mode approved key generation method
sshkey_generate failed
- external trackers
- links to
-
RHBA-2023:123644
openssh bug fix and enhancement update
- mentioned on
