Problem connecting to FIPS compliant hosts using Vault ssh CA certificate

I’m having trouble connecting via SSH to all my FIPS compliant hosts when using a certificate issued by Vault and the signed public key. On the SSH server side the error displayed is:

" Using arbitrary primes is not allowed in FIPS mode. Falling back to known groups."

The cert has the following properties:
Type: ssh-rsa-cert-v01@openssh.com user certificate
Public key: RSA-CERT SHA256
Signing CA: RSA SHA256 (using rsa-sha2-256)

Is there any workaround to this problem (without disabling FIPS security)?

Doesn’t the CA have to be FIPS compliant to generate FIPS compliant certificates?

From my Red Hat days, you could not use the standard keys for FIPS; we had to use a generator that didn’t use MD5 as its base sig. That could be one of the reasons why it isn’t working.