DSA keys are not allowed in FIPS
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
uvtool (Ubuntu) | Fix Released | Undecided | Unassigned |
Bug Description
If running on a FIPS system I get:
```
+ uvt-kvm create --memory 2048 --cpu 4 --disk 16 --password=ubuntu bionic-kvm release=bionic arch=amd64 label=daily
Warning: using --password from the command line is not secure and should be used for debugging only.
DSA keys are not allowed in FIPS mode^M
Traceback (most recent call last):
File "/usr/bin/uvt-kvm", line 35, in <module>
uvtool.
File "/usr/lib/
main(*args, **kwargs)
File "/usr/lib/
args.
File "/usr/lib/
ssh_host_keys, ssh_known_hosts = uvtool.
File "/usr/lib/
_keygen(
File "/usr/lib/
'-C', 'root@localhost'
File "/usr/lib/
raise CalledProcessEr
subprocess.
```
I also was told that elliptic curves are disallowed.
Could we switch the default to the common RSA to make this work in a FIPS environment?
Related branches
- Robie Basak: Needs Resubmitting
- Ubuntu Sponsors: Pending requested
- Diff: 86 lines (+39/-0) (has conflicts), 4 files modified
  - setup.py (+5/-0)
  - template-emu-riscv64.xml (+21/-0)
  - uvtool/libvirt/__init__.py (+8/-0)
  - uvtool/libvirt/kvm.py (+5/-0)
- Robie Basak: Needs Fixing
- Diff: 26 lines (+8/-1), 1 file modified
  - uvtool/ssh.py (+8/-1)
We iterate over
KEY_TYPES = ['rsa', 'dsa', 'ecdsa', 'ed25519']
Maybe we can ignore errors as long as one works?
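
The approach suggested in the comment above, as an added example that is not uvtool's own code: try each key type, record the ones the local policy rejects (such as DSA in FIPS mode), and fail only when none can be generated. It assumes host keys are produced by shelling out to `ssh-keygen`; the function names `run_ssh_keygen` and `generate_host_keys` are hypothetical.

```python
import os
import subprocess
import tempfile

# Key type list quoted in the comment above.
KEY_TYPES = ['rsa', 'dsa', 'ecdsa', 'ed25519']


def run_ssh_keygen(key_type, path):
    """Generate one passphrase-less key pair at `path` (assumes ssh-keygen is installed)."""
    subprocess.run(
        ['ssh-keygen', '-q', '-t', key_type, '-N', '',
         '-C', 'root@localhost', '-f', path],
        check=True, stdout=subprocess.DEVNULL, stderr=subprocess.PIPE,
    )


def generate_host_keys(key_types=KEY_TYPES, keygen=run_ssh_keygen):
    """Return (keys, skipped).

    keys maps key type -> (private key text, public key text).
    skipped maps key type -> error text, so the caller can log which
    types the local crypto policy refused instead of hiding it.
    """
    keys, skipped = {}, {}
    # TemporaryDirectory is created with mode 0700, so the private keys
    # are not readable by other users while they sit on disk.
    with tempfile.TemporaryDirectory() as tmpdir:
        for key_type in key_types:
            path = os.path.join(tmpdir, 'ssh_host_%s_key' % key_type)
            try:
                keygen(key_type, path)
                with open(path) as priv, open(path + '.pub') as pub:
                    keys[key_type] = (priv.read(), pub.read())
            except (subprocess.CalledProcessError, OSError) as exc:
                skipped[key_type] = str(exc)
    if not keys:
        # A guest with no host key at all is worse than a failed create.
        raise RuntimeError('no SSH host key type could be generated: %r' % skipped)
    return keys, skipped


if __name__ == '__main__':
    generated, refused = generate_host_keys()
    print('generated:', sorted(generated))
    print('skipped:', refused)
```

Returning the skipped types rather than discarding the errors lets the caller warn when a type fails for a reason other than policy, for example a missing `ssh-keygen` binary.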