[openssh] don't create RSA1 key in FIPS mode
plautrba
plautrba at fedoraproject.org
Fri Apr 6 19:18:16 UTC 2012
commit 2539b1c4f23fac30cfa110555b47b583f5642bcc
Author: Petr Lautrbach <plautrba at redhat.com>
Date: Fri Apr 6 21:00:10 2012 +0200
don't create RSA1 key in FIPS mode
sshd-keygen | 10 +++++++++-
1 files changed, 9 insertions(+), 1 deletions(-)
---
diff --git a/sshd-keygen b/sshd-keygen
index c34c7a7..67840ef 100644
--- a/sshd-keygen
+++ b/sshd-keygen
@@ -17,8 +17,16 @@ RSA1_KEY=/etc/ssh/ssh_host_key
RSA_KEY=/etc/ssh/ssh_host_rsa_key
DSA_KEY=/etc/ssh/ssh_host_dsa_key
+fips_enabled() {
+ if [ -r /proc/sys/crypto/fips_enabled ]; then
+ cat /proc/sys/crypto/fips_enabled
+ else
+ echo 0
+ fi
+}
+
do_rsa1_keygen() {
- if [ ! -s $RSA1_KEY ]; then
+ if [ ! -s $RSA1_KEY -a `fips_enabled` -eq 0 ]; then
echo -n $"Generating SSH1 RSA host key: "
rm -f $RSA1_KEY
if test ! -f $RSA1_KEY && $KEYGEN -q -t rsa1 -f $RSA1_KEY -C '' -N '' >&/dev/null; then
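Review bot: The new condition in do_rsa1_keygen puts an unquoted command substitution inside a single `[ … -a … ]` test, so if reading /proc/sys/crypto/fips_enabled produces no output the expression is malformed and `[` exits with an error. The branch is then skipped, which fails closed (no RSA1 key is generated), but only by accident and with an error message rather than by design. Splitting and quoting the test makes the intent explicit: `if [ ! -s "$RSA1_KEY" ] && [ "$(fips_enabled)" = "0" ]; then`. A comment above fips_enabled such as `# Prints the kernel's FIPS flag, or 0 when it cannot be read` would document the fallback. The body of do_rsa1_keygen continues past the end of the hunk, so whether an RSA1 key that already exists is handled in FIPS mode cannot be checked from here.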