Bug 1812844 - FIPS: add "ssh-rsa" to PubkeyAcceptedKeyTypes for openssh-server
Summary: FIPS: add "ssh-rsa" to PubkeyAcceptedKeyTypes for openssh-server
Keywords:
Status: CLOSED WONTFIX
Alias: None
Product: Red Hat Enterprise Linux 8
Classification: Red Hat
Component: crypto-policies
Version: 8.1
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: rc
Target Release: 8.0
Assignee: Tomas Mraz
QA Contact: BaseOS QE Security Team
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2020-03-12 10:36 UTC by Renaud Métrich
Modified: 2020-03-16 13:13 UTC (History)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2020-03-12 11:14:41 UTC
Type: Bug
Target Upstream Version:




Links:
Red Hat Knowledge Base (Solution) 4906221 (last updated 2020-03-16 13:13:20 UTC)

Description Renaud Métrich 2020-03-12 10:36:06 UTC
Description of problem:

Customers connecting to a FIPS system using PuTTY client cannot connect because "ssh-rsa" is not part of the PubkeyAcceptedKeyTypes option line passed to sshd in /etc/crypto-policies/back-ends/opensshserver.config.


Version-Release number of selected component (if applicable):

crypto-policies-20190807-1.git9b1477b.el8.noarch


How reproducible:

Always


Steps to Reproduce:
1. Enable FIPS on a RHEL 8 system
2. Try connecting with PuTTY using a generated key from PuTTY client (defaults to "ssh-rsa")

Actual results:

userauth_pubkey: key type ssh-rsa not in PubkeyAcceptedKeyTypes [preauth]


Expected results:

No issue connecting

Comment 1 Tomas Mraz 2020-03-12 11:14:41 UTC
That would enable SHA1 signatures and we do not want to do that.
They should be able to use ECDSA keys with PuTTY if RSA-SHA256 signatures are not supported by it.

Jakub, can you please confirm what I am saying above?

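The description reports that the FIPS crypto policy omits "ssh-rsa" from the PubkeyAcceptedKeyTypes option it passes to sshd, and Comment 1 explains the reason (ssh-rsa means SHA-1 signatures; RSA keys still work with rsa-sha2-* signatures, or clients can use ECDSA). The following added example, not code from the bug or from crypto-policies, reads the key-type list out of a crypto-policies style opensshserver back-end line (sample line and log lines are constructed, not copied from a real system), flags any accepted type that implies SHA-1 signatures, and counts the "key type ... not in PubkeyAcceptedKeyTypes" rejections in sshd logs so an administrator can see how many clients are still signing with SHA-1 before deciding how to migrate them.

```python
import re
from collections import Counter

# Constructed sample of the line crypto-policies generates for the opensshserver
# back-end (/etc/crypto-policies/back-ends/opensshserver.config). The key-type
# list is illustrative and is not copied from a real FIPS policy file.
FIPS_BACKEND_SAMPLE = (
    "CRYPTO_POLICY='-oCiphers=aes256-gcm@openssh.com,aes256-ctr "
    "-oPubkeyAcceptedKeyTypes=rsa-sha2-256,rsa-sha2-512,"
    "ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ssh-ed25519'"
)

# Key types whose signatures are computed with SHA-1. "ssh-rsa" is the one the
# report asks to re-enable and the one the maintainer declines.
SHA1_SIGNATURE_TYPES = {
    "ssh-rsa", "ssh-dss",
    "ssh-rsa-cert-v01@openssh.com", "ssh-dss-cert-v01@openssh.com",
}

def parse_pubkey_types(config_text):
    """Return the PubkeyAcceptedKeyTypes list from a crypto-policies back-end
    line (-oPubkeyAcceptedKeyTypes=...) or from a plain sshd_config directive."""
    m = re.search(r"(?:-o)?PubkeyAcceptedKeyTypes[=\s]+([^\s']+)", config_text)
    return m.group(1).split(",") if m else []

def sha1_types_enabled(config_text):
    """Accepted key types in this config that would allow SHA-1 signatures."""
    return sorted(t for t in parse_pubkey_types(config_text)
                  if t in SHA1_SIGNATURE_TYPES)

# Constructed sshd log lines in the form quoted in the bug's "Actual results".
SAMPLE_LOG = """\
sshd[1201]: userauth_pubkey: key type ssh-rsa not in PubkeyAcceptedKeyTypes [preauth]
sshd[1203]: Accepted publickey for alice from 192.0.2.10 port 50233 ssh2: RSA SHA256:abc
sshd[1207]: userauth_pubkey: key type ssh-rsa not in PubkeyAcceptedKeyTypes [preauth]
sshd[1209]: userauth_pubkey: key type ssh-dss not in PubkeyAcceptedKeyTypes [preauth]
"""

REJECT_RE = re.compile(r"userauth_pubkey: key type (\S+) not in PubkeyAcceptedKeyTypes")

def rejected_key_types(log_text):
    """Count rejected public-key attempts per key type. A high ssh-rsa count
    means clients that only sign with SHA-1 (e.g. an old PuTTY) and need an
    ECDSA/Ed25519 key or a client that supports rsa-sha2-256/512."""
    return Counter(m.group(1) for m in REJECT_RE.finditer(log_text))
```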
