Uploaded image for project: 'RHEL'
  1. RHEL
  2. RHEL-88565

ssh-keyscan in FIPS mode offers to negotiate curve25519, then fails to actually use it

Linking RHIVOS CVEs to...Migration: Automation ...SWIFT: POC ConversionSync from "Extern...XMLWordPrintable

    • Icon: Bug Bug
    • Resolution: Unresolved
    • Icon: Minor Minor
    • None
    • CentOS Stream 9, CentOS Stream 10
    • openssh
    • No
    • Low
    • rhel-security-crypto-diamonds
    • ssg_security
    • None
    • False
    • False
    • Hide

      None

      Show
      None
    • None
    • Red Hat Enterprise Linux
    • None
    • None
    • None
    • Unspecified
    • Unspecified
    • Unspecified
    • None

      On a system in FIPS mode, when I use ssh-keyscan against a system that offers the curve25519-sha256 key exchange, it fails to detect any hostkeys, because it negotiates this key exchange method but fails to actually use it due to https://gitlab.com/redhat/centos-stream/rpms/openssh/-/blob/c9s/openssh-7.7p1-fips.patch#L574.

      This seems to happen because ssh-keyscan sends an offer to use curve25519-sha256, but it should not.

      For example:

      [root@rhel-10-1-20250423-1 ~]# ssh-keyscan lcy-hs.neverpanic.de
# lcy-hs.neverpanic.de:22 SSH-2.0-OpenSSH_8.7
kex_gen_client: Key exchange type c25519 is not allowed in FIPS mode
# lcy-hs.neverpanic.de:22 SSH-2.0-OpenSSH_8.7
# lcy-hs.neverpanic.de:22 SSH-2.0-OpenSSH_8.7
kex_gen_client: Key exchange type c25519 is not allowed in FIPS mode
# lcy-hs.neverpanic.de:22 SSH-2.0-OpenSSH_8.7
kex_gen_client: Key exchange type c25519 is not allowed in FIPS mode
# lcy-hs.neverpanic.de:22 SSH-2.0-OpenSSH_8.7

      [root@rhel-10-1-20250423-1 ~]# ssh-keyscan -vv lcy-hs.neverpanic.de |& grep -A2 'local client KEXINIT proposal'
debug2: local client KEXINIT proposal
debug2: KEX algorithms: sntrup761x25519-sha512,sntrup761x25519-sha512@openssh.com,mlkem768x25519-sha256,curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256
debug2: host key algorithms: ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521

      The local KEXINIT proposal should not contain non-FIPS algorithms on a machine in FIPS mode. It should probably also not probe for hostkey algorithms that it is not willing to verify.

      Expected outcome:

      [root@rhel-10-1-20250423-1 ~]# ssh-keyscan lcy-hs.neverpanic.de
# lcy-hs.neverpanic.de:22 SSH-2.0-OpenSSH_8.7
lcy-hs.neverpanic.de ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBPnYpoIq7xRLjVsG1GseKSNIoxP9QSXt/oghBGi25rK5BzhfkIoDHhvrlIb40XJ/PzFfbUGmnRQrR2LLzyn6ivo=
# lcy-hs.neverpanic.de:22 SSH-2.0-OpenSSH_8.7
# lcy-hs.neverpanic.de:22 SSH-2.0-OpenSSH_8.7
# lcy-hs.neverpanic.de:22 SSH-2.0-OpenSSH_8.7
lcy-hs.neverpanic.de ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDmzzrvj9RAsiQxvOw+S9hNa28CIWDeBhnf2fO1N3+W2rEe9O2+6irCIZkt1Z7Z7bm+GwHRZo1cda4Jhr1uaDthy6OuiwmC9qKyOIIq8IB4XetPNyhvuTTvPDS/3hk3zzcBjofVXXJ6nGxHIaWdEUjnGhsYZUiQ5vfuJowxRU2e8gZpOfFnaMPo7G+9LtXEpMfwJrmm+tROZ+VUfbuwvvfDkSW5vHQE07v9HSaEOprgerI7vlfL1PYizoXOTB/x/3ZAvG8Ld3V2q2rShDKY9DHpMS/GcChhfUbdASUhnTBW96i52LPXUocZlfSvA+NFhaWa/cJrJuYrAky5UCP9diEo2vz3czNIvGiUEJEDvosRHwYQaNMZSZXx3FCEIuSgnjrIbun8LvBTkYGo++7LPi5VvCp/m7GdeAm6G73xRhaffXltS7kev1vXVfIo6QtQjMcP4lW85AjldeZKqgE+6hfKNdFPXdvlrzi3vLk6W2VEHUiuGR3dnCYGkeBo3+4v3SU=

              dbelyavs@redhat.com Dmitry Belyavskiy
              cllang@redhat.com Clemens Lang
              Dmitry Belyavskiy Dmitry Belyavskiy
              Miluse Bezo Konecna Miluse Bezo Konecna
              Votes:
              0 Vote for this issue
              Watchers:
              6 Start watching this issue

                Created:
                Updated: