SSH Key Types - FIPS vs Net::SSH

I’m attempting to use FIPS mode on a centos box. ssh-rsa is blocked in FIPS mode, so I’ve resorted to generating my own key pair (using ssh-keygen -t ecdsa -b 521 -E sha512).

This works, in that vagrant ssh works, and I can ssh in from the command line, but vagrant up fails to connect:
E, [2020-10-21T15:43:35.740624 #96393] ERROR – net.ssh.authentication.key_manager[3ffbe72ad758]: could not load private key file `/Users/andrachekm/centos/ssh.private.key’: Net::SSH::Exception (Cannot decode private key of type ecdsa-sha2-nistp521)

It appears that Net:SSH has decided that since most of the NIST p-curves are “unsafe”, that they should be disabled, but can be turned on by specifying “append_all_supported_algorthims: true” (append_all_supported_algorithms: true). Is there any way to enable this for vagrant?

Or can anyone recommend a nist-supported key format (RSA 4096 with SHA-512 is technically supported, but redhat and centos’s FIPS mode turns it off entirely since it could be abused).

The resultant ssh configuration looks like this:

Ciphers aes256-ctr,aes256-cbc,aes128-ctr,aes128-cbc

MACs hmac-sha2-256,hmac-sha1,hmac-sha2-512

GSSAPIKeyExchange no

KexAlgorithms ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group14-sha256

PubkeyAcceptedKeyTypes rsa-sha2-256,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,rsa-sha2-512,ecdsa-sha2-nistp521

CASignatureAlgorithms rsa-sha2-256,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,rsa-sha2-512,ecdsa-sha2-nistp521

:frowning:

Hi there,

There is currently no way to enable it via the Vagrantfile but I have created a new feature request for adding support for the option to the ssh communicator configuration.

Cheers

Thank you. For now I have an ansible configuration that re-enables ssh-rsa (overriding FIPS mode config).