[yocto] [meta-openssl102-fips][PATCH 10/16] openssh/sshd_check_keys: don't generate ED25519 host keys in FIPS mode
Hongxu Jia
hongxu.jia at windriver.com
Wed Sep 25 00:24:07 PDT 2019
Running sshd_check_keys failed:
...
2019-09-22T09:59:10.878738+00:00 qemux86-64 sshd_check_keys[419]: generating ssh ED25519 host key...
2019-09-22T09:59:10.897617+00:00 qemux86-64 sshd_check_keys[419]: ED25519 keys are not allowed in FIPS mode
...
If FIPS mode is enabled (existence of "/etc/system-fips"), don't generate ED25519 host
keys in FIPS mode.
Refers to Fedora:
https://src.fedoraproject.org/rpms/openssh/c/00c7b7543973f237b79ee87ca697c08b71954d35
https://src.fedoraproject.org/rpms/openssh/c/3b7c8620a1df976c1c09553c1c7b99ce492d290b
Signed-off-by: Hongxu Jia <hongxu.jia at windriver.com>
---
recipes-connectivity/openssh/openssh/sshd_check_keys | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/recipes-connectivity/openssh/openssh/sshd_check_keys b/recipes-connectivity/openssh/openssh/sshd_check_keys
index 1931dc7..338531d 100644
--- a/recipes-connectivity/openssh/openssh/sshd_check_keys
+++ b/recipes-connectivity/openssh/openssh/sshd_check_keys
@@ -71,6 +71,10 @@ for key in ${HOST_KEYS} ; do
generate_key $key ecdsa
;;
*_ed25519_key)
+ FIPS=/etc/system-fips
+ if [[ -r "$FIPS" ]]; then
+ continue
+ fi
echo " generating ssh ED25519 host key..."
generate_key $key ed25519
;;
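Review bot: the `[[ -r "$FIPS" ]]` test added in the `*_ed25519_key)` branch is a bash-only construct; sshd_check_keys is an init-time script whose interpreter is not visible in this hunk, and if it runs under a POSIX /bin/sh (busybox on many Yocto images) `[[` is not available and the check would fail, so prefer the portable `if [ -r "$FIPS" ]; then`. The bare `continue` also skips the key silently, whereas the other branches of this `case` echo what they do; logging something like `echo " skipping ssh ED25519 host key (FIPS mode)..."` before the `continue` would keep the script's output consistent and tell an operator why the key is absent. Finally, `FIPS=/etc/system-fips` is assigned on every iteration of the `for key in ${HOST_KEYS}` loop; hoisting it to the top of the script alongside the other variables would be cleaner.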
--
2.7.4