[Bug 3599] New: How to scan for keys when sshd server has fips enabled?

bugzilla-daemon at mindrot.org bugzilla-daemon at mindrot.org
Sat Aug 5 21:08:54 AEST 2023


https://bugzilla.mindrot.org/show_bug.cgi?id=3599

            Bug ID: 3599
           Summary: How to scan for keys when sshd server has fips
                    enabled?
           Product: Portable OpenSSH
           Version: 9.3p2
          Hardware: All
                OS: Linux
            Status: NEW
          Severity: critical
          Priority: P5
         Component: ssh-keyscan
          Assignee: unassigned-bugs at mindrot.org
          Reporter: sshedi at vmware.com

Created attachment 3712
  --> https://bugzilla.mindrot.org/attachment.cgi?id=3712&action=edit
Server's sshd config

Hi,

I have an sshd server which is fips enabled and client is non fips.

How to get the server public keys using ssh-keyscan in this case?

I tried running keyscan in the server itself and even that is failing.

```
root at ph5dev:~ # ssh-keyscan localhost
# localhost:22 SSH-2.0-OpenSSH_9.3
# localhost:22 SSH-2.0-OpenSSH_9.3
# localhost:22 SSH-2.0-OpenSSH_9.3
# localhost:22 SSH-2.0-OpenSSH_9.3
# localhost:22 SSH-2.0-OpenSSH_9.3
```

This also returns nothing.

The work around for this issue is, adding below line (or some other
fips complaint cipher) to /etc/ssh/sshd_config

```
Ciphers aes128-ctr
```

AFAIK, nothing can be done from client side to make it work. Please let
me know if there is anyway to get it working.

Proposed solutions:

- ssh-keyscan should use configs from /etc/ssh/ssh_config or
$HOME/.ssh/config like ssh does

- ssh-keyscan should accept "-c <cipher>" arg to do negotiation with
server.

- A conf file of its own for ssh-keyscan.

Ultimately, ssh-keyscan should work without any modifications in server
and little or no change at client side.

PFA for my server config.

-- 
You are receiving this mail because:
You are watching the assignee of the bug.


More information about the openssh-bugs mailing list