Bug 674614

Summary: SSH connections fail using publickey authentication with FIPS enabled
Product: Red Hat Enterprise Linux 5
Reporter: David Chuha <dchuha>
Component: openssh
Assignee: Jan F. Chadima <jchadima>
Status: CLOSED DUPLICATE
QA Contact: BaseOS QE Security Team <qe-baseos-security>
Severity: medium
Docs Contact:
Priority: medium
Version: 5.6
CC: jwest, mpoole
Target Milestone: rc
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2011-03-08 08:20:53 UTC
Type: ---

Description David Chuha 2011-02-02 16:16:05 UTC
Description of problem:
If FIPS 140-2 compliance is enabled on the server, the connection will fail when using publickey authentication with the latest openssh under 5.6.  The connection will succeed if FIPS is disabled or if running the previous version of openssh.

The connection will simply die with a message of:
Connection closed by xxx.xxx.xxx.xxx

No error is logged and no further error information is given by enabling verbosity on the client or server.

Version-Release number of selected component (if applicable):
openssh-4.3p2-72.el5

How reproducible:
Always

Steps to Reproduce:
1.  Enable FIPS compliance as described in https://access.redhat.com/kb/docs/DOC-39230
2.  Make sure the server is running openssh-4.3p2-41.el5_5.1.  All other packages may be up to date.
3.  Authenticate using publickey.  Verify successful connection.
4.  Update to openssh-4.3p2-72.el5.  Connection now fails using publickey.  Other authentication methods will continue to work.
  
Actual results:
Connection fails


Expected results:
Connection succeeds


Additional info:

Comment 1 David Chuha 2011-02-09 15:59:34 UTC
This and bug 674747 are duplicates.

Comment 2 Jan F. Chadima 2011-03-08 08:20:53 UTC

*** This bug has been marked as a duplicate of bug 674747 ***