You will see this warning in your Cerberus log whenever a client authenticates with an RSA public key that does not meet the FIPS 140-2 security requirements. Some RSA public keys generated by older versions of the popular PuTTYgen utility are considered insecure by today's security standards. If a client is using one of these insecure keys, the following warning appears in the Cerberus on-screen log or text log file:
RSA public key from ('<username>' or '<path to key>') uses a weak, FIPS-invalid exponent. Regenerate the keys to
improve security and compliance.
See https://www.cerberusftp.com/rsa-public-keys-with-weak-exponents/ for details.
The above warning indicates that a user is authenticating with an SSH RSA key generated by a PuTTYgen release older than 0.75.
In the example, the warning names the username ('pubkeyonly' in the example) and the path to the public key ('C:\git\temp\ECRI_External_ssh_rsa.pub' in the example) so you can identify the affected user and locate where their current key is stored on your server.
How to Resolve this Warning
If you see this warning, you may need to have the user create a new public/private key pair using PuTTYgen 0.75 or later. If you do not, and FIPS mode is turned on in 'Server Manager' > 'Security' > 'Server Key Pair', authentication will be rejected as insecure once Cerberus upgrades to OpenSSL 3.
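Rather than waiting for each user to trigger the warning at login, an administrator can audit the stored public keys up front. The following script is an added example written for this article, not code from Cerberus FTP Server. It parses OpenSSH-format 'ssh-rsa' public key lines (the same wire format PuTTYgen exports when you copy the key from its window), extracts the public exponent e, and checks it against the FIPS 186-4 rule that e must be odd and lie strictly between 2^16 and 2^256. PuTTYgen releases before 0.75 used e = 37, which fails that rule; 0.75 and later use 65537. The key lines and modulus used for the demonstration are constructed inline and are not real keys; any path or username shown is a placeholder.

```python
import base64
import struct

# FIPS 186-4 (appendix B.3.1) requires the RSA public exponent e to be odd and
# to satisfy 2^16 < e < 2^256. 65537 (0x10001) is the usual choice; PuTTYgen
# releases before 0.75 used e = 37, which is below the lower bound.
FIPS_MIN_EXPONENT = 1 << 16    # exclusive lower bound
FIPS_MAX_EXPONENT = 1 << 256   # exclusive upper bound


def _read_string(buf, offset):
    """Read one SSH 'string' (uint32 length prefix + bytes) from buf."""
    (length,) = struct.unpack_from(">I", buf, offset)
    offset += 4
    return buf[offset:offset + length], offset + length


def _encode_string(data):
    return struct.pack(">I", len(data)) + data


def _encode_mpint(value):
    """Encode a non-negative integer as an SSH mpint (two's complement, big-endian)."""
    if value == 0:
        return struct.pack(">I", 0)
    raw = value.to_bytes((value.bit_length() + 7) // 8, "big")
    if raw[0] & 0x80:            # keep the number positive
        raw = b"\x00" + raw
    return _encode_string(raw)


def parse_ssh_rsa(line):
    """Return (e, n) from an OpenSSH 'ssh-rsa AAAA... comment' line."""
    parts = line.split()
    if len(parts) < 2 or parts[0] != "ssh-rsa":
        raise ValueError("not an ssh-rsa public key line")
    blob = base64.b64decode(parts[1])
    key_type, off = _read_string(blob, 0)
    if key_type != b"ssh-rsa":
        raise ValueError("key blob type does not match 'ssh-rsa'")
    e_bytes, off = _read_string(blob, off)   # exponent comes first in the blob
    n_bytes, off = _read_string(blob, off)   # then the modulus
    return int.from_bytes(e_bytes, "big"), int.from_bytes(n_bytes, "big")


def exponent_is_fips_valid(e):
    """True when e satisfies the FIPS 186-4 public-exponent constraints."""
    return e % 2 == 1 and FIPS_MIN_EXPONENT < e < FIPS_MAX_EXPONENT


def audit_key_line(line):
    """Summarise one public key line: exponent, modulus size and FIPS verdict."""
    e, n = parse_ssh_rsa(line)
    return {
        "e": e,
        "modulus_bits": n.bit_length(),
        "fips_valid_exponent": exponent_is_fips_valid(e),
    }


def audit_key_file(text):
    """Audit every key in a file's worth of text; return the weak ones.

    Each finding is (line_number, comment, e). Blank lines and '#' comments
    are skipped, as are non-RSA key types (only RSA has an exponent to check).
    """
    findings = []
    for number, line in enumerate(text.splitlines(), start=1):
        stripped = line.strip()
        if not stripped or stripped.startswith("#") or not stripped.startswith("ssh-rsa"):
            continue
        result = audit_key_line(stripped)
        if not result["fips_valid_exponent"]:
            comment = stripped.split(maxsplit=2)[2] if len(stripped.split()) > 2 else ""
            findings.append((number, comment, result["e"]))
    return findings


def build_ssh_rsa_line(e, n, comment):
    """Build an OpenSSH public key line; used here only to construct samples."""
    blob = _encode_string(b"ssh-rsa") + _encode_mpint(e) + _encode_mpint(n)
    return "ssh-rsa " + base64.b64encode(blob).decode("ascii") + " " + comment


# Constructed 2048-bit placeholder modulus (NOT a real RSA modulus; for parsing only).
SAMPLE_MODULUS = (1 << 2047) | 0x1234567

# Constructed sample file: one pre-0.75 PuTTYgen-style key (e = 37) and one modern key.
SAMPLE_KEY_FILE = "\n".join([
    "# constructed sample, not real keys",
    build_ssh_rsa_line(37, SAMPLE_MODULUS, "pubkeyonly@old-puttygen"),
    build_ssh_rsa_line(65537, SAMPLE_MODULUS, "pubkeyonly@puttygen-0.75"),
])

if __name__ == "__main__":
    for number, comment, e in audit_key_file(SAMPLE_KEY_FILE):
        print(f"line {number}: '{comment}' uses weak, FIPS-invalid exponent e={e}; regenerate the key")
```

Point `audit_key_file` at the contents of each user's stored public key (the path shown in the Cerberus warning) and any key it reports should be regenerated with PuTTYgen 0.75 or later before FIPS mode is enforced.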