[openssh] don't create RSA1 key in FIPS mode

plautrba plautrba at fedoraproject.org
Fri Apr 6 19:18:16 UTC 2012


commit 2539b1c4f23fac30cfa110555b47b583f5642bcc
Author: Petr Lautrbach <plautrba at redhat.com>
Date:   Fri Apr 6 21:00:10 2012 +0200

    don't create RSA1 key in FIPS mode

 sshd-keygen |   10 +++++++++-
 1 files changed, 9 insertions(+), 1 deletions(-)
---
diff --git a/sshd-keygen b/sshd-keygen
index c34c7a7..67840ef 100644
--- a/sshd-keygen
+++ b/sshd-keygen
@@ -17,8 +17,16 @@ RSA1_KEY=/etc/ssh/ssh_host_key
 RSA_KEY=/etc/ssh/ssh_host_rsa_key
 DSA_KEY=/etc/ssh/ssh_host_dsa_key
 
+fips_enabled() {
+	if [ -r /proc/sys/crypto/fips_enabled ]; then
+		cat /proc/sys/crypto/fips_enabled
+	else
+		echo 0
+	fi
+}
+
 do_rsa1_keygen() {
-	if [ ! -s $RSA1_KEY ]; then
+	if [ ! -s $RSA1_KEY -a `fips_enabled` -eq 0 ]; then
 		echo -n $"Generating SSH1 RSA host key: "
 		rm -f $RSA1_KEY
 		if test ! -f $RSA1_KEY && $KEYGEN -q -t rsa1 -f $RSA1_KEY -C '' -N '' >&/dev/null; then
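Review bot: The new condition on the `if` line of do_rsa1_keygen joins the two tests with the deprecated `-a` and an unquoted backtick substitution, so an empty or non-numeric value read from /proc/sys/crypto/fips_enabled turns the whole `test` into a syntax error instead of a clean comparison; splitting it keeps each test well-formed: `if [ ! -s "$RSA1_KEY" ] && [ "$(fips_enabled)" -eq 0 ]; then`. The failure direction is fail-safe (a malformed test skips key generation), but the skip is silent — a short stderr message when fips_enabled reports non-zero, e.g. `echo "FIPS mode enabled, not generating SSH1 RSA host key" >&2`, would make the behaviour visible in the boot log rather than leaving an absent key unexplained. fips_enabled() also maps an unreadable /proc/sys/crypto/fips_enabled to `0`, i.e. "not FIPS", which is the permissive default; a one-line comment above the `else` stating that this is intentional would save the next reader from wondering whether it should fail closed. do_rsa1_keygen's body continues past the end of the hunk.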

