SSH-RSA not supported for Self-SSH in Ubuntu 22.04 FIPS
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
openssh (Ubuntu) |
New
|
Undecided
|
Unassigned |
Bug Description
On a FIPS Enabled Ubuntu 22.04 kernel, we are seeing an issue with self-ssh.
We created a key with the following steps:
touch /home/core/
ssh-keygen -q -t rsa -f /home/core/
cp /home/core/
chmod 0600 /home/core/
chmod 0600 /home/core/
When we try to do a self ssh with the key, the following happens:
ssh -i .ssh/id_rsa onprem_
Connection closed by 10.14.169.25 port 22
FIPS status:
cat /proc/sys/
1
PFB, the ssh dump:
ssh -v user@10.14.169.25
OpenSSH_8.9p1 Ubuntu-
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 19: include /etc/ssh/
debug1: /etc/ssh/ssh_config line 21: Applying options for *
debug1: FIPS mode initialized
debug1: Connecting to 10.14.169.25 [10.14.169.25] port 22.
debug1: Connection established.
debug1: identity file /root/.ssh/id_rsa type -1
debug1: identity file /root/.
debug1: identity file /root/.ssh/id_ecdsa type -1
debug1: identity file /root/.
debug1: identity file /root/.
debug1: identity file /root/.
debug1: identity file /root/.
debug1: identity file /root/.
debug1: identity file /root/.
debug1: identity file /root/.
debug1: identity file /root/.ssh/id_xmss type -1
debug1: identity file /root/.
debug1: identity file /root/.ssh/id_dsa type -1
debug1: identity file /root/.
debug1: Local version string SSH-2.0-
debug1: Remote protocol version 2.0, remote software version OpenSSH_8.9p1 Ubuntu-
debug1: compat_banner: match: OpenSSH_8.9p1 Ubuntu-
debug1: Authenticating to 10.14.169.25:22 as 'user'
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: algorithm: ecdh-sha2-nistp256
debug1: kex: host key algorithm: ssh-rsa
debug1: kex: server->client cipher: aes128-cbc MAC: hmac-sha1 compression: none
debug1: kex: client->server cipher: aes128-cbc MAC: hmac-sha1 compression: none
debug1: expecting SSH2_MSG_
Connection closed by 10.14.169.25 port 22
hostname -i
10.14.169.25
Please note that SSH onto other hosts (both FIPS and non-FIPS) works. The only workaround that we have found has been removing the ssh-rsa entry from “HostKeyAlgorithms” in “etc/ssh/
description: | updated |
Hi Arunaav, thank you for your report.
How did you install the FIPS packages?
Can you also provide the server log with debug enabled?