With FIPS enabled, SSH using public key authentication unexpectedly prompts for password
Applies to
- ONTAP 9.3 and later
- Federal Information Processing Standard (FIPS)
- Public key authentication
Issue
- Unexpected password prompt for account using publickey authentication
- FIPS recently enabled on the cluster
- SSH attempt reports errors (excerpted from the full output):
root@linuxhost:/root/.ssh# ssh -vvv admin@cluster01
OpenSSH_8.0p1, OpenSSL 1.1.1k FIPS 25 Mar 2021
debug2: host key algorithms: ecdsa-sha2-nistp256
debug1: Will attempt key: /root/.ssh/cluster01 RSA SHA256:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX explicit
debug1: SSH2_MSG_EXT_INFO received
debug1: kex_input_ext_info: server-sig-algs=<rsa-sha2-256,rsa-sha2-512>
debug3: input_userauth_banner
Access restricted to authorized users
debug3: receive packet: type 51    (packet type 51 indicates SSH user authentication failure)
debug3: remaining preferred: password
debug3: authmethod_is_enabled keyboard-interactive
debug1: Next authentication method: keyboard-interactive
- Logs in /mroot/etc/log/messages.log:
[daemon_xinetd:info:6650] START: ssh pid=97704 from=::ffff:<client_ip> vsid=-1 role=0x20
[auth_sshd:info:97704] mm_answer_pwnamallow: Got passwd creds user (username), homedir (/var/home/username), uid (1008) from FILES
[auth_sshd:error:97704] error: get_socket_address: getnameinfo 4 failed: hostname nor servname provided, or not known
[auth_sshd:info:97704] userauth_pubkey: key type ssh-rsa not in PubkeyAcceptedKeyTypes [preauth]
[auth_sshd:info:97704] Connection closed by <client_ip> port ##### [preauth]
[daemon_xinetd:info:6650] EXIT: ssh status=255 pid=97704 duration=28(sec)
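
The messages.log entries above can be correlated by sshd PID to show which client and account had a public key refused because of its key type. This is an added example, not NetApp code; the sample log, addresses, user name and function name are constructed for illustration.

```python
import re

# Constructed sample in the format of the messages.log excerpt above
# (addresses are documentation ranges; user name and port are made up).
SAMPLE_LOG = """\
[daemon_xinetd:info:6650] START: ssh pid=97704 from=::ffff:192.0.2.10 vsid=-1 role=0x20
[auth_sshd:info:97704] mm_answer_pwnamallow: Got passwd creds user (admin), homedir (/var/home/admin), uid (1008) from FILES
[auth_sshd:info:97704] userauth_pubkey: key type ssh-rsa not in PubkeyAcceptedKeyTypes [preauth]
[auth_sshd:info:97704] Connection closed by 192.0.2.10 port 50522 [preauth]
[daemon_xinetd:info:6650] EXIT: ssh status=255 pid=97704 duration=28(sec)
[daemon_xinetd:info:6650] START: ssh pid=97811 from=::ffff:192.0.2.25 vsid=-1 role=0x20
[daemon_xinetd:info:6650] EXIT: ssh status=0 pid=97811 duration=12(sec)
"""

START = re.compile(r"\[daemon_xinetd:\w+:\d+\] START: ssh pid=(\d+) from=(?:::ffff:)?(\S+)")
USER = re.compile(r"\[auth_sshd:\w+:(\d+)\] mm_answer_pwnamallow: Got passwd creds user \(([^)]*)\)")
REJECT = re.compile(r"\[auth_sshd:\w+:(\d+)\] userauth_pubkey: key type (\S+) not in PubkeyAcceptedKeyTypes")
EXIT = re.compile(r"\[daemon_xinetd:\w+:\d+\] EXIT: ssh status=(\d+) pid=(\d+)")


def find_rejected_pubkeys(log_text):
    """Return one record per SSH session whose public key type the server refused."""
    records, live = [], {}  # all sessions in order; sshd pid -> open session

    def new(pid, client=None):
        # Also used when a line appears without its START (rotated or truncated log).
        live[pid] = {"pid": pid, "client": client, "user": None, "key_types": [], "status": None}
        records.append(live[pid])
        return live[pid]

    for line in log_text.splitlines():
        if m := START.search(line):
            new(m.group(1), m.group(2))  # a reused pid starts a fresh record
        elif m := USER.search(line):
            (live.get(m.group(1)) or new(m.group(1)))["user"] = m.group(2)
        elif m := REJECT.search(line):
            (live.get(m.group(1)) or new(m.group(1)))["key_types"].append(m.group(2))
        elif m := EXIT.search(line):
            rec = live.pop(m.group(2), None)
            if rec:
                rec["status"] = int(m.group(1))
    return [r for r in records if r["key_types"]]


if __name__ == "__main__":
    for r in find_rejected_pubkeys(SAMPLE_LOG):
        print(f"pid={r['pid']} client={r['client']} user={r['user']} rejected={r['key_types']}")
```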