https://bugzilla.mindrot.org/show_bug.cgi?id=3599
Bug ID: 3599
Summary: How to scan for keys when sshd server has fips enabled?
Product: Portable OpenSSH
Version: 9.3p2
Hardware: All
OS: Linux
Status: NEW
Severity: critical
Priority: P5
Component: ssh-keyscan
Assignee: unassigned-b...@mindrot.org
Reporter: ssh...@vmware.com

Created attachment 3712
--> https://bugzilla.mindrot.org/attachment.cgi?id=3712&action=edit
Server's sshd config

Hi,

I have an sshd server which is FIPS enabled and the client is non-FIPS. How to get the server public keys using ssh-keyscan in this case? I tried running keyscan on the server itself and even that is failing.

```
root@ph5dev:~ # ssh-keyscan localhost
# localhost:22 SSH-2.0-OpenSSH_9.3
# localhost:22 SSH-2.0-OpenSSH_9.3
# localhost:22 SSH-2.0-OpenSSH_9.3
# localhost:22 SSH-2.0-OpenSSH_9.3
# localhost:22 SSH-2.0-OpenSSH_9.3
```

This also returns nothing.

The workaround for this issue is adding the line below (or some other FIPS-compliant cipher) to /etc/ssh/sshd_config:

```
Ciphers aes128-ctr
```

AFAIK, nothing can be done from the client side to make it work. Please let me know if there is any way to get it working.

Proposed solutions:

- ssh-keyscan should use configs from /etc/ssh/ssh_config or $HOME/.ssh/config like ssh does
- ssh-keyscan should accept a "-c <cipher>" arg to do negotiation with the server.
- A conf file of its own for ssh-keyscan.

Ultimately, ssh-keyscan should work without any modifications on the server and little or no change at the client side.

PFA for my server config.
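The symptom in the report is banner lines with no key lines, and the root cause is a cipher list with no overlap. The following is an added illustration, not code from the reporter or from OpenSSH: it parses ssh-keyscan output to flag hosts that answered but yielded no key, and checks whether a client and a server cipher list can negotiate at all (SSH picks the first client-preferred algorithm the server also offers). The keyscan output and the cipher lists are constructed samples; the server's real Ciphers line is only in the attachment.

```python
import re
from collections import defaultdict

# Constructed sample mirroring the report: banner comments only, no key lines.
SAMPLE_KEYSCAN_OUTPUT = """\
# localhost:22 SSH-2.0-OpenSSH_9.3
# localhost:22 SSH-2.0-OpenSSH_9.3
# localhost:22 SSH-2.0-OpenSSH_9.3
"""

# ssh-keyscan comment line: "# host:port banner"
BANNER_RE = re.compile(r"^#\s+(?P<host>\S+):(?P<port>\d+)\s+(?P<banner>SSH-.*)$")


def parse_keyscan(output):
    """Return {host: {"banner": str or None, "keys": [(keytype, base64), ...]}}."""
    hosts = defaultdict(lambda: {"banner": None, "keys": []})
    for line in output.splitlines():
        line = line.strip()
        if not line:
            continue
        m = BANNER_RE.match(line)
        if m:
            hosts[m["host"]]["banner"] = m["banner"]
            continue
        # Key line: "host keytype base64" (host may be "[host]:port" for non-default ports)
        parts = line.split()
        if len(parts) >= 3 and parts[1].startswith(("ssh-", "ecdsa-", "sk-")):
            hosts[parts[0]]["keys"].append((parts[1], parts[2]))
    return dict(hosts)


def silent_hosts(output):
    """Hosts that sent a banner but no key: the failed-negotiation symptom from the report."""
    parsed = parse_keyscan(output)
    return sorted(h for h, v in parsed.items() if v["banner"] and not v["keys"])


def negotiable_cipher(client_ciphers, server_ciphers):
    """First cipher in client preference order that the server also offers, else None."""
    offered = set(server_ciphers)
    return next((c for c in client_ciphers if c in offered), None)


if __name__ == "__main__":
    print("no key returned by:", silent_hosts(SAMPLE_KEYSCAN_OUTPUT))
    # Constructed lists: the client side offers the two ctr ciphers, the server only aes128-cbc
    print(negotiable_cipher(["aes128-ctr", "aes256-ctr"], ["aes128-cbc"]))
    print(negotiable_cipher(["aes128-ctr", "aes256-ctr"], ["aes128-cbc", "aes128-ctr"]))
```

Running the second check before and after adding the report's `Ciphers aes128-ctr` line shows why that workaround makes keyscan succeed.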