[Bug 2059367] Re: SSH-RSA not supported for Self-SSH in Ubuntu 22.04 FIPS
João Gomes
2059367@bugs.launchpad.net
Tue May 28 15:12:50 UTC 2024
Hi Arunaav, apologies for the long delay.
I tried reproducing the issue and was unable to do so both with fips-preview and fips-updates. Is it still occurring?
Regarding the debug log, can you also provide the server debug log?
You shared the client log, which helps exclude the client as the source of the issue.
Thank you
--
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to openssh in Ubuntu.
https://bugs.launchpad.net/bugs/2059367
Title:
SSH-RSA not supported for Self-SSH in Ubuntu 22.04 FIPS
Status in openssh package in Ubuntu:
New
Bug description:
On a FIPS Enabled Ubuntu 22.04 kernel, we are seeing an issue with self-ssh.
We created a key with the following steps:
touch /home/core/.ssh/known_hosts
ssh-keygen -q -t rsa -f /home/core/.ssh/id_rsa -N '' > /dev/null
cp /home/core/.ssh/id_rsa.pub /home/core/.ssh/authorized_keys
chmod 0600 /home/core/.ssh/id_rsa
chmod 0600 /home/core/.ssh/authorized_keys
When we try to do a self ssh with the key, the following happens:
ssh -i .ssh/id_rsa onprem_shell@10.14.169.25
Connection closed by 10.14.169.25 port 22
FIPS status:
cat /proc/sys/crypto/fips_enabled
1
PFB, the ssh dump:
ssh -v user@10.14.169.25
OpenSSH_8.9p1 Ubuntu-3ubuntu0.6+Fips1, OpenSSL 3.0.2 15 Mar 2022
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 19: include /etc/ssh/ssh_config.d/*.conf matched no files
debug1: /etc/ssh/ssh_config line 21: Applying options for *
debug1: FIPS mode initialized
debug1: Connecting to 10.14.169.25 [10.14.169.25] port 22.
debug1: Connection established.
debug1: identity file /root/.ssh/id_rsa type -1
debug1: identity file /root/.ssh/id_rsa-cert type -1
debug1: identity file /root/.ssh/id_ecdsa type -1
debug1: identity file /root/.ssh/id_ecdsa-cert type -1
debug1: identity file /root/.ssh/id_ecdsa_sk type -1
debug1: identity file /root/.ssh/id_ecdsa_sk-cert type -1
debug1: identity file /root/.ssh/id_ed25519 type -1
debug1: identity file /root/.ssh/id_ed25519-cert type -1
debug1: identity file /root/.ssh/id_ed25519_sk type -1
debug1: identity file /root/.ssh/id_ed25519_sk-cert type -1
debug1: identity file /root/.ssh/id_xmss type -1
debug1: identity file /root/.ssh/id_xmss-cert type -1
debug1: identity file /root/.ssh/id_dsa type -1
debug1: identity file /root/.ssh/id_dsa-cert type -1
debug1: Local version string SSH-2.0-OpenSSH_8.9p1 Ubuntu-3ubuntu0.6+Fips1
debug1: Remote protocol version 2.0, remote software version OpenSSH_8.9p1 Ubuntu-3ubuntu0.6+Fips1
debug1: compat_banner: match: OpenSSH_8.9p1 Ubuntu-3ubuntu0.6+Fips1 pat OpenSSH* compat 0x04000000
debug1: Authenticating to 10.14.169.25:22 as 'user'
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: algorithm: ecdh-sha2-nistp256
debug1: kex: host key algorithm: ssh-rsa
debug1: kex: server->client cipher: aes128-cbc MAC: hmac-sha1 compression: none
debug1: kex: client->server cipher: aes128-cbc MAC: hmac-sha1 compression: none
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
Connection closed by 10.14.169.25 port 22
hostname -i
10.14.169.25
Please note that SSH onto other hosts (both FIPS and non-FIPS) works.
The only workaround that we have found has been removing the ssh-rsa
entry from “HostKeyAlgorithms” in “etc/ssh/sshd_config” and restarting
the SSH service. This issue has neither been encountered in the Ubuntu
18.04 FIPS nor Ubuntu 20.04 FIPS.
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/openssh/+bug/2059367/+subscriptions
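A constructed Python checker, added here as an example and not code from the bug report or from OpenSSH, that reads a client transcript like the `ssh -v` output quoted above and an sshd_config fragment. It flags a negotiated host key algorithm whose signature uses SHA-1 (`ssh-rsa` is RSA with SHA-1; `rsa-sha2-256` and `rsa-sha2-512` are the SHA-2 signature forms of the same RSA key), notes when the peer disconnects while the client is still waiting for the KEX reply that carries the host key signature (the point at which the report's connection drops), and applies the reporter's workaround by removing those algorithms from every HostKeyAlgorithms line. The log excerpt and config fragment are constructed samples modelled on the report; the `debug1: Server host key:` line used to detect a completed reply is standard OpenSSH client output.

```python
"""Check an `ssh -v` transcript for a SHA-1 host-key signature and apply the
HostKeyAlgorithms workaround from the report. Constructed example; not code
from the bug report or from OpenSSH."""
import re

# Host key algorithms whose signatures use SHA-1. "ssh-rsa" is RSA with SHA-1;
# the SHA-2 signature forms of the same RSA key are rsa-sha2-256 and rsa-sha2-512.
SHA1_SIG_ALGS = {"ssh-rsa", "ssh-dss"}

# Constructed excerpt modelled on the client debug output quoted in the report.
SAMPLE_LOG = """\
debug1: FIPS mode initialized
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: algorithm: ecdh-sha2-nistp256
debug1: kex: host key algorithm: ssh-rsa
debug1: kex: server->client cipher: aes128-cbc MAC: hmac-sha1 compression: none
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
Connection closed by 10.14.169.25 port 22
"""

# Constructed sshd_config fragment with the setting the reporter had to change.
SAMPLE_SSHD_CONFIG = """\
Port 22
HostKeyAlgorithms ssh-rsa,rsa-sha2-512,rsa-sha2-256,ecdsa-sha2-nistp256
MACs hmac-sha2-256
"""

KEX_RE = re.compile(r"^debug1: kex: (algorithm|host key algorithm): (\S+)")
HKA_RE = re.compile(r"^(\s*HostKeyAlgorithms\s+)(\S+)", re.IGNORECASE)


def parse_kex(log: str) -> dict:
    """Extract negotiated KEX values, whether FIPS mode was reported, and whether
    the peer disconnected while the client was still waiting for the KEX reply."""
    info = {"fips": False, "closed_before_reply": False}
    waiting_for_reply = False
    for line in log.splitlines():
        m = KEX_RE.match(line)
        if m:
            info[m.group(1)] = m.group(2)
        elif "FIPS mode initialized" in line:
            info["fips"] = True
        elif "expecting SSH2_MSG_KEX_" in line:
            waiting_for_reply = True
        elif line.startswith("Connection closed by") and waiting_for_reply:
            info["closed_before_reply"] = True
        elif line.startswith("debug1: Server host key:"):
            waiting_for_reply = False  # the reply, with its signature, arrived
    return info


def diagnose(log: str) -> list:
    """Return human-readable findings for a transcript; an empty list means nothing suspicious."""
    info = parse_kex(log)
    findings = []
    hk = info.get("host key algorithm")
    if hk in SHA1_SIG_ALGS:
        note = f"negotiated host key algorithm {hk} signs the exchange hash with SHA-1"
        if info["fips"]:
            note += " while the client reports FIPS mode"
        findings.append(note)
    if info["closed_before_reply"]:
        findings.append("peer closed the connection before sending the KEX reply "
                        "that carries the host key signature")
    return findings


def strip_sha1_host_key_algs(config: str) -> str:
    """Apply the reporter's workaround: remove SHA-1 signature algorithms from every
    HostKeyAlgorithms line. OpenSSH's '+' and '^' list prefixes are preserved; a '-'
    (removal) list is left untouched because it already excludes algorithms."""
    out = []
    for line in config.splitlines():
        m = HKA_RE.match(line)
        if m:
            value = m.group(2)
            prefix = value[0] if value[0] in "+^-" else ""
            if prefix != "-":
                algs = [a for a in value[len(prefix):].split(",") if a not in SHA1_SIG_ALGS]
                if not algs:
                    raise ValueError("HostKeyAlgorithms would be empty after the change")
                line = m.group(1) + prefix + ",".join(algs)
        out.append(line)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    for finding in diagnose(SAMPLE_LOG):
        print("finding:", finding)
    print(strip_sha1_host_key_algs(SAMPLE_SSHD_CONFIG), end="")
```

Run against the sample, the checker reports the SHA-1 host key algorithm under FIPS mode and the disconnect at the signature step, and the rewritten fragment keeps `rsa-sha2-512,rsa-sha2-256,ecdsa-sha2-nistp256`, which is the shape of the reporter's workaround. Feeding it the real server-side `sshd -ddd` output the reply above asks for would complete the picture, since the client log alone only shows where the exchange stopped.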