Last Modified: Jan 09, 2025
Affected Product(s):
BIG-IP LTM
Known Affected Versions:
16.1.0, 16.1.1, 16.1.2, 16.1.2.1, 16.1.2.2, 16.1.3, 16.1.3.1, 16.1.3.2, 16.1.3.3, 16.1.3.4, 16.1.3.5, 16.1.4, 16.1.4.1, 16.1.4.2, 16.1.4.3, 16.1.5, 16.1.5.1, 16.1.5.2, 17.1.0, 17.1.0.1, 17.1.0.2, 17.1.0.3, 17.1.1, 17.1.1.1, 17.1.1.2, 17.1.1.3, 17.1.1.4, 17.1.2
Opened: Oct 18, 2024 Severity: 2-Critical
In FIPS mode, SSH public key authentication using RSA keys is disabled. The restriction applies only to user authentication with an RSA key pair, that is, copying a generated RSA public key to the target system for passwordless login. Other SSH mechanisms, such as those configured through KeyAlgorithms and HostKeyAlgorithms, are not affected. Note: Reboot the BIG-IP system if FIPS mode is not up.
FIPS-Enabled Environments: SSH public key authentication using RSA keys does not work in FIPS mode, irrespective of the key length or the RSA signature algorithm (for example, rsa-sha2-256 or rsa-sha2-512). Users relying on this authentication method must transition to alternative algorithms.

Non-FIPS Environments: This issue does not affect environments where FIPS mode is disabled. RSA key-based authentication remains fully functional there.
-- FIPS mode enabled
-- SSH public key authentication using RSA keys
For users in FIPS mode:
1. Generate a new key pair using a supported ECDSA algorithm, such as ecdsa-sha2-nistp256 or ecdsa-sha2-nistp384.
2. Deploy the public key to the target systems for authentication.
Command to generate an ECDSA key pair (for example, for nistp256):
ssh-keygen -t ecdsa -b 256 -f ~/.ssh/id_ecdsa
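Before enabling FIPS mode, it helps to know which authorized keys will stop working. The following script is an added example, not F5 code: it scans an OpenSSH authorized_keys file (a constructed sample with placeholder key material is embedded) and lists the ssh-rsa entries that need to be replaced by ECDSA keys per the workaround above.

```shell
#!/bin/sh
# Added example (not F5 code): audit an OpenSSH authorized_keys file for
# RSA public keys, which are the keys this issue breaks once FIPS mode is on.
# All key material below is a constructed placeholder, not a real key.

# Print "<line number> <comment>" for every ssh-rsa entry in file $1.
# Handles a leading options field (e.g. from="...",no-pty), comments, blanks.
rsa_keys_in() {
    awk '
        /^[[:space:]]*#/ { next }                      # comment line
        NF == 0          { next }                      # blank line
        {
            type = ""
            for (i = 1; i <= NF; i++)                  # first key-type token
                if ($i ~ /^(ssh-|ecdsa-sha2-|sk-)/) { type = $i; ci = i + 2; break }
            if (type != "ssh-rsa") next                # ECDSA/Ed25519 are fine
            comment = "(no comment)"
            if (ci <= NF) {                            # comment may contain spaces
                comment = $ci
                for (j = ci + 1; j <= NF; j++) comment = comment " " $j
            }
            printf "%d %s\n", NR, comment
        }' "$1"
}

# Number of RSA keys that will stop authenticating in FIPS mode.
count_rsa_keys() {
    rsa_keys_in "$1" | wc -l | tr -d ' '
}

# Constructed sample authorized_keys mixing RSA, ECDSA and Ed25519 entries.
write_sample_authorized_keys() {
    cat > "$1" <<'EOF'
# constructed sample; blobs are placeholders
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC_PLACEHOLDER admin@jumphost
from="10.0.0.0/8",no-pty ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQD_PLACEHOLDER backup@automation

ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAI_PLACEHOLDER ops@bastion
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAI_PLACEHOLDER dev@laptop
EOF
}

# Stand-alone run: report affected keys and the replacement key command.
sample=$(mktemp)
write_sample_authorized_keys "$sample"
echo "RSA keys that stop working in FIPS mode (line: comment):"
rsa_keys_in "$sample" | sed 's/^/  /'
echo "Replace each with a FIPS-supported ECDSA key, e.g.:"
echo "  ssh-keygen -t ecdsa -b 256 -f ~/.ssh/id_ecdsa"
rm -f "$sample"
```

Point `rsa_keys_in` at the real `~/.ssh/authorized_keys` of each account that logs in to the BIG-IP to get the migration list for that host.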
None