Description of problem:
Customers connecting to a FIPS system using PuTTY client cannot connect because "ssh-rsa" is not part of the PubkeyAcceptedKeyTypes option line passed to sshd in /etc/crypto-policies/back-ends/opensshserver.config.
Version-Release number of selected component (if applicable):
Steps to Reproduce:
1. Enable FIPS on a RHEL 8 system
2. Try connecting with PuTTY using a generated key from PuTTY client (defaults to "ssh-rsa")
userauth_pubkey: key type ssh-rsa not in PubkeyAcceptedKeyTypes [preauth]
No issue connecting
That would enable SHA1 signatures and we do not want to do that.
They should be able to use ECDSA keys with PuTTY if RSA-SHA256 signatures are not supported by it.
Jakub, can you please confirm what I am saying above?