Details
Story
Resolution: Obsolete
Normal
None
rhel-9.1.0
sst_security_crypto
ssg_security
0.2
False
Crypto23Q4
All
Description
Description of problem:
After enabling FIPS on a system, the minimal length for RSA keys is 2048 bits.
If the user's RSA key length is 1024 bits, the following non-explicit/non-helpful message gets printed:
-------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------
debug1: Server accepts key: /root/.ssh/id_rsa RSA SHA256:mZrafjEjVNCD8qhXqmUf+D6JRUtW1JnkBVcXnDAwr30
debug3: sign_and_send_pubkey: RSA SHA256:mZrafjEjVNCD8qhXqmUf+D6JRUtW1JnkBVcXnDAwr30
debug3: sign_and_send_pubkey: signing using rsa-sha2-256 SHA256:mZrafjEjVNCD8qhXqmUf+D6JRUtW1JnkBVcXnDAwr30
debug1: identity_sign: sshkey_sign: error in libcrypto
sign_and_send_pubkey: signing failed for RSA "/root/.ssh/id_rsa": error in libcrypto
-------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------
It would be great to print details on the error, instead of getting a generic error, which makes it hard to troubleshoot.
Version-Release number of selected component (if applicable):
openssh-clients
How reproducible:
Always
Steps to Reproduce:
1. Create a 1024-bit RSA key
2. Switch to FIPS
3. Try connecting
Actual results:
Generic error message
Expected results:
"Invalid key length" or similar message
Additional info:
To reproduce, make sure crypto-policies-20220223-1.git5203b41.el9_0.1.noarch is used, because this package doesn't enforce 2048 bits for RSA (newer packages do).
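
A pre-flight check for the condition in this report, added here as an example (it is not part of the original report and is not OpenSSH code): it parses an `ssh-rsa` public key line in the RFC 4253 wire layout and reports a modulus shorter than the 2048-bit FIPS minimum stated above. The function names and the sample input are assumptions of this example; `make_sample_line` builds a constructed blob with the right layout and modulus size, not a usable key.

```python
import base64
import struct

FIPS_MIN_RSA_BITS = 2048  # minimum RSA length under FIPS, as stated in the report


def _read_string(buf, off):
    """Read one length-prefixed SSH wire field (string or mpint)."""
    (n,) = struct.unpack_from(">I", buf, off)
    end = off + 4 + n
    if end > len(buf):
        raise ValueError("truncated key blob")
    return buf[off + 4:end], end


def rsa_bits(pubkey_line):
    """Return the modulus size in bits for an 'ssh-rsa' .pub line, else None."""
    fields = pubkey_line.split()
    if len(fields) < 2 or fields[0] != "ssh-rsa":
        return None
    blob = base64.b64decode(fields[1], validate=True)
    ktype, off = _read_string(blob, 0)
    if ktype != b"ssh-rsa":
        raise ValueError("key type mismatch inside blob")
    _e, off = _read_string(blob, off)   # public exponent
    n, off = _read_string(blob, off)    # modulus, may carry a leading 0x00
    return int.from_bytes(n, "big").bit_length()


def fips_problem(pubkey_line):
    """Return an explicit message for a too-short RSA key, or None if acceptable."""
    bits = rsa_bits(pubkey_line)
    if bits is not None and bits < FIPS_MIN_RSA_BITS:
        return f"RSA key is {bits} bits; FIPS mode requires at least {FIPS_MIN_RSA_BITS}"
    return None


def make_sample_line(bits):
    """Constructed input: valid wire layout, modulus of `bits` bits, not a real key."""
    def mpint(v):
        raw = v.to_bytes(v.bit_length() // 8 + 1, "big")  # leading 0x00 keeps it positive
        return struct.pack(">I", len(raw)) + raw
    blob = struct.pack(">I", 7) + b"ssh-rsa" + mpint(65537) + mpint((1 << (bits - 1)) | 1)
    return "ssh-rsa " + base64.b64encode(blob).decode() + " constructed@example"


if __name__ == "__main__":
    for size in (1024, 2048):
        print(size, fips_problem(make_sample_line(size)) or "ok")
```

Running `fips_problem` over the first line of each `.pub` file before switching a host to FIPS mode surfaces the short keys that would otherwise fail with the generic libcrypto error.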