You will see this warning in your Cerberus log whenever a client authenticates with an RSA public key that does not meet the FIPS 140-2 security requirements. Some RSA public keys generated by older versions of the popular PuTTYgen utility are considered insecure by today's security standards. If your client is using one of these insecure keys, you will see this warning in the Cerberus on-screen log or in the text log file:
createPublicKey: EVP_PKEY_public_check failed for RSA key: error:020000B2:rsa routines::pub exponent out of range
Navigate to the user's account in User Manager (or, for AD users, to the group under 'User Manager' > 'Groups') and test the public key attached to the user or group.
You may get this failure:
Unable to read public key file.
The file does not appear to contain a public key in any recognized format.
The public key file can be in RFC 4716 SSH format, OpenSSH v2 format, or from a PEM or DER encoded certificate.
Reported errors:
SSH format error:
OpenSSH format error:
Unable to retrieve SSH key from encoded data
SSL format error: Error reading PEM certificate file: no start line
The above warning indicates that a user is authenticating with an SSH RSA key generated by a release of PuTTYgen older than 0.75.
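As an added example (not part of this article or of Cerberus itself), the script below parses an OpenSSH-format ssh-rsa public key line and applies the same public-exponent range that OpenSSL 3's EVP_PKEY_public_check enforces, so you can screen stored client keys for this problem before turning FIPS mode on. The sample keys are constructed with a placeholder modulus (no real primes); PuTTYgen releases before 0.75 used public exponent 37, and 0.75 switched to 65537.

```python
import base64
import struct

# Range OpenSSL 3 enforces on the RSA public exponent in EVP_PKEY_public_check
# (FIPS 186-4 / SP 800-56B): e must be odd and satisfy 2^16 < e < 2^256.
MIN_EXPONENT = 65537
MAX_EXPONENT = 1 << 256
MIN_MODULUS_BITS = 2048


def _ssh_string(data: bytes) -> bytes:
    """Encode an SSH 'string': 4-byte big-endian length followed by the bytes."""
    return struct.pack(">I", len(data)) + data


def _ssh_mpint(n: int) -> bytes:
    """Encode a non-negative SSH 'mpint' (leading zero byte if the high bit is set)."""
    return _ssh_string(n.to_bytes((n.bit_length() + 8) // 8, "big"))


def _read_string(blob: bytes, offset: int):
    (length,) = struct.unpack_from(">I", blob, offset)
    data = blob[offset + 4:offset + 4 + length]
    if len(data) != length:
        raise ValueError("truncated SSH key blob")
    return data, offset + 4 + length


def parse_openssh_rsa(line: str):
    """Return (e, n) from a 'ssh-rsa AAAA... comment' authorized-keys line."""
    fields = line.split()
    if len(fields) < 2 or fields[0] != "ssh-rsa":
        raise ValueError("not an OpenSSH ssh-rsa public key line")
    blob = base64.b64decode(fields[1], validate=True)
    key_type, off = _read_string(blob, 0)
    if key_type != b"ssh-rsa":
        raise ValueError("key blob type is not ssh-rsa")
    e_bytes, off = _read_string(blob, off)
    n_bytes, off = _read_string(blob, off)
    return int.from_bytes(e_bytes, "big"), int.from_bytes(n_bytes, "big")


def check_rsa_public_key(line: str) -> list:
    """List the FIPS-related problems with a key; an empty list means it passes."""
    e, n = parse_openssh_rsa(line)
    problems = []
    if e % 2 == 0 or not (MIN_EXPONENT <= e < MAX_EXPONENT):
        problems.append(f"pub exponent out of range: e={e}")
    if n.bit_length() < MIN_MODULUS_BITS:
        problems.append(f"modulus too small: {n.bit_length()} bits")
    return problems


def make_openssh_rsa(e: int, n: int, comment: str) -> str:
    """Build an authorized-keys line from (e, n); used here only to construct samples."""
    blob = _ssh_string(b"ssh-rsa") + _ssh_mpint(e) + _ssh_mpint(n)
    return f"ssh-rsa {base64.b64encode(blob).decode()} {comment}"


# Constructed 2048-bit odd placeholder modulus: NOT a real RSA key. The check only
# looks at the exponent and the modulus size, so no real primes are needed.
SAMPLE_MODULUS = (1 << 2047) | 0x10001
OLD_PUTTYGEN_KEY = make_openssh_rsa(37, SAMPLE_MODULUS, "pre-0.75-puttygen")  # e=37
NEW_PUTTYGEN_KEY = make_openssh_rsa(65537, SAMPLE_MODULUS, "puttygen-0.75-or-later")

if __name__ == "__main__":
    for line in (OLD_PUTTYGEN_KEY, NEW_PUTTYGEN_KEY):
        print(line.split()[-1], check_rsa_public_key(line) or "OK")
```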
How to Resolve this Warning
If you see this warning, have the user create a new public/private key pair using PuTTYgen 0.75 or later. If you do not, and FIPS mode is turned on under 'Server Manager' > 'Security' > 'Server Key Pair', authentication with the old key will be rejected as insecure once Cerberus upgrades to OpenSSL 3.