[Bug 3599] New: How to scan for keys when sshd server has fips enabled?
bugzilla-daemon at mindrot.org
bugzilla-daemon at mindrot.org
Sat Aug 5 21:08:54 AEST 2023
https://bugzilla.mindrot.org/show_bug.cgi?id=3599
Bug ID: 3599
Summary: How to scan for keys when sshd server has fips
enabled?
Product: Portable OpenSSH
Version: 9.3p2
Hardware: All
OS: Linux
Status: NEW
Severity: critical
Priority: P5
Component: ssh-keyscan
Assignee: unassigned-bugs at mindrot.org
Reporter: sshedi at vmware.com
Created attachment 3712
--> https://bugzilla.mindrot.org/attachment.cgi?id=3712&action=edit
Server's sshd config
Hi,
I have an sshd server which is fips enabled and client is non fips.
How to get the server public keys using ssh-keyscan in this case?
I tried running keyscan in the server itself and even that is failing.
```
root at ph5dev:~ # ssh-keyscan localhost
# localhost:22 SSH-2.0-OpenSSH_9.3
# localhost:22 SSH-2.0-OpenSSH_9.3
# localhost:22 SSH-2.0-OpenSSH_9.3
# localhost:22 SSH-2.0-OpenSSH_9.3
# localhost:22 SSH-2.0-OpenSSH_9.3
```
This also returns nothing.
The work around for this issue is, adding below line (or some other
fips complaint cipher) to /etc/ssh/sshd_config
```
Ciphers aes128-ctr
```
AFAIK, nothing can be done from client side to make it work. Please let
me know if there is anyway to get it working.
Proposed solutions:
- ssh-keyscan should use configs from /etc/ssh/ssh_config or
$HOME/.ssh/config like ssh does
- ssh-keyscan should accept "-c <cipher>" arg to do negotiation with
server.
- A conf file of its own for ssh-keyscan.
Ultimately, ssh-keyscan should work without any modifications in server
and little or no change at client side.
PFA for my server config.
--
You are receiving this mail because:
You are watching the assignee of the bug.
More information about the openssh-bugs
mailing list