+++ This bug was initially created as a clone of Bug #2087121 +++

Description of problem:
Based on NIST Special Publication 800-131A (Revision 2) the length of the modulus n shall be 2048 bits or more for RSA. This was enforced in RHEL-8 and ssh-keygen refused to generate RSA keys smaller than 2048 bits in FIPS. However, this no longer works in RHEL-9.0.

Version-Release number of selected component (if applicable):
openssh-8.0p1-13.el8

How reproducible:
100% in FIPS mode

Steps to Reproduce:
1. Enable FIPS mode
   fips-mode-setup --enable && reboot
2. Generate SSH RSA key of size smaller than 2048 bits.
   ssh-keygen -b 1024 -t rsa -N '' -f /root/.ssh/id_rsa

Actual results:
Generating public/private rsa key pair.
Your identification has been saved in /root/.ssh/id_rsa
Your public key has been saved in /root/.ssh/id_rsa.pub
The key fingerprint is:
SHA256:VEflCzzZ1uaM85mZn1z3uQakLRcnTJXN6br+rBEfCsc root@kvm-03-guest25.hv2.lab.eng.bos.redhat.com
The key's randomart image is:
--[RSA 1024]--- ..o.oo+ . o = +o . B = o . .O O S .+EO.o oo=+o* ooo*+ .+.B .o+B+ ---[SHA256]----

Expected results:
rsa_generate_private_key: the key length might be unsupported by FIPS mode approved key generation method
sshkey_generate failed
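
An added example, not part of the original report or of OpenSSH: a Python check that decodes OpenSSH RSA public key lines (the .pub file format) and flags any modulus shorter than the 2048 bits the report cites. The function names and sample lines are constructed for illustration; the sample blobs are well-formed but are not real keys, and authorized_keys lines that begin with options are not handled.

```python
import base64
import struct

MIN_RSA_BITS = 2048  # minimum modulus length cited in the report

def _read_string(buf, off):
    """Read one SSH wire 'string': uint32 big-endian length, then the bytes."""
    if off + 4 > len(buf):
        raise ValueError("truncated length field")
    (size,) = struct.unpack(">I", buf[off:off + 4])
    end = off + 4 + size
    if end > len(buf):
        raise ValueError("truncated field")
    return buf[off + 4:end], end

def rsa_modulus_bits(line):
    """Modulus bit length of an 'ssh-rsa <base64> [comment]' line; None if not RSA."""
    fields = line.split()
    if len(fields) < 2 or fields[0] != "ssh-rsa":
        return None
    blob = base64.b64decode(fields[1], validate=True)
    ktype, off = _read_string(blob, 0)
    if ktype != b"ssh-rsa":
        raise ValueError("key type inside blob is not ssh-rsa")
    _e, off = _read_string(blob, off)   # public exponent (mpint)
    n, _ = _read_string(blob, off)      # modulus (mpint, may carry a leading 0x00)
    return int.from_bytes(n, "big").bit_length()

def weak_rsa_keys(lines, min_bits=MIN_RSA_BITS):
    """Return [(line_number, bits)] for every RSA key shorter than min_bits."""
    found = []
    for lineno, line in enumerate(lines, 1):
        bits = rsa_modulus_bits(line) if line.strip() else None
        if bits is not None and bits < min_bits:
            found.append((lineno, bits))
    return found

def sample_line(bits):
    """Constructed input: well-formed blob with an arbitrary modulus, not a real key."""
    def s(b): return struct.pack(">I", len(b)) + b
    def mpint(i): return s(i.to_bytes(i.bit_length() // 8 + 1, "big"))
    blob = s(b"ssh-rsa") + mpint(65537) + mpint((1 << (bits - 1)) | 1)
    return "ssh-rsa " + base64.b64encode(blob).decode() + " constructed@example"

if __name__ == "__main__":
    sample = [sample_line(1024), sample_line(2048), "ssh-ed25519 AAAA constructed@example"]
    for lineno, bits in weak_rsa_keys(sample):
        print(f"line {lineno}: RSA modulus is {bits} bits, below {MIN_RSA_BITS}")
```
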
Done-Errata