[ssh_x509] ssh handshake failed in FIPS mode

ssh_x509 at roumenpetrov.info ssh_x509 at roumenpetrov.info
Fri Jul 19 22:39:21 EEST 2019


Hi,

ssh_x509 at roumenpetrov.info wrote:
> Hi
>
>    In continuation of this , we have one more requirement. What happens
> is - we need to support both the algorithm (
>
> [SNIP]
> PubkeyAlgorithms x509v3-sign-rsa
> X509KeyAlgorithm x509v3-sign-rsa,rsa-sha1
>
> and
> PubkeyAlgorithms x509v3-rsa2048-sha256
> X509KeyAlgorithm x509v3-rsa2048-sha256,rsa2048-sha256
> <<<<<<
>
> Is there any way we can achieve this?

First X509KeyAlgorithmis quite specific configuration. Its intended use 
is compatibility with third party applications.

PubkeyAlgorithms could be used on "Host" basis. I mean that in general ("Host *" as last section in configuration) you could use x509v3-rsa2048-sha256 and for certain hosts (third party) to restrict


Sample (client config):
...
Host *ssh.com

PubkeyAlgorithms x509v3-sign-rsa
X509KeyAlgorithm x509v3-sign-rsa,rsa-sha1


Host *vandyke.com

PubkeyAlgorithms x509v3-sign-rsa
X509KeyAlgorithm x509v3-sign-rsa,rsa-md5

Host*
PubkeyAlgorithms x509v3-rsa2048-sha256
....

Remark: Today Vandyke may use "rsa-sha1" - no idea. For sure recent company software supportsx509v3-ssh-rsa and x509v3-ssh-dss.

So with above you support all.


On server side. X509KeyAlgorithm  is "global" option similar as PubkeyAlgorithms. It cannot be in Match directive.
If this is the case we could discuss in addition.


> Thanks
> GKS
Regards,
Roumen



More information about the ssh_x509 mailing list