I’m attempting to use FIPS mode on a centos box. ssh-rsa is blocked in FIPS mode, so I’ve resorted to generating my own key pair (using ssh-keygen -t ecdsa -b 521 -E sha512).
This works, in that vagrant ssh
works, and I can ssh in from the command line, but vagrant up
fails to connect:
E, [2020-10-21T15:43:35.740624 #96393] ERROR – net.ssh.authentication.key_manager[3ffbe72ad758]: could not load private key file `/Users/andrachekm/centos/ssh.private.key’: Net::SSH::Exception (Cannot decode private key of type ecdsa-sha2-nistp521)
It appears that Net:SSH has decided that since most of the NIST p-curves are “unsafe”, that they should be disabled, but can be turned on by specifying “append_all_supported_algorthims: true” (append_all_supported_algorithms: true). Is there any way to enable this for vagrant?
Or can anyone recommend a nist-supported key format (RSA 4096 with SHA-512 is technically supported, but redhat and centos’s FIPS mode turns it off entirely since it could be abused).