ED25519 keys do not work on FIPS systems (#367429) · Issues · GitLab.org / GitLab · GitLab


ED25519 keys do not work on FIPS systems

While running QA tests with !92150 (merged) against a FIPS Omnibus system, I found that ED25519 keys do not work on FIPS systems. This seems to be echoed by other sources: https://superuser.com/a/1567730

In https://gitlab.com/gitlab-org/gitlab/-/blob/709d432864d970cf6bbe88daeee31faf5aef829c/lib/gitlab/fips.rb#L14-16, it seems we allow users to add these keys.

We have a few options here:

  1. Allow them to be entered into the system, but OpenSSH won't honor them.
  2. Drop ed25519 and ed25519_sk from the supported keys list. We might need to consider solving #358985 if we do this, since it's quite annoying to have to manually adjust these settings.

I also wonder whether ecdsa_sk works, although I would hope that it does.

/cc: @robotmay_gitlab
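
An added example, not part of the original issue or GitLab's own code: under option 1, keys of the affected types stay in the system but are not honored, so an audit of stored public key lines shows which users are affected. The helper names, result symbols and sample keys below are constructed for illustration; `ecdsa_sk` is reported separately because the issue leaves it unverified.

```ruby
require 'base64'

# Key types the issue reports as not working on FIPS systems
# (OpenSSH algorithm names for ed25519 and ed25519_sk).
FIPS_UNUSABLE = ['ssh-ed25519', 'sk-ssh-ed25519@openssh.com'].freeze
# The issue leaves ecdsa_sk as an open question, so report it separately.
FIPS_UNVERIFIED = ['sk-ecdsa-sha2-nistp256@openssh.com'].freeze

# Read the algorithm name from the key blob itself (SSH wire format:
# 4-byte big-endian length, then the name), not only from the text
# prefix, which a user can type freely.
def blob_algorithm(b64)
  blob = Base64.strict_decode64(b64)
  len = blob.unpack1('N')
  return nil if len.nil? || len.zero? || blob.bytesize < 4 + len
  blob.byteslice(4, len)
rescue ArgumentError
  nil
end

# Classify one key line: :unusable, :unverified, :not_flagged or :malformed.
def classify_key(line)
  declared, b64 = line.strip.split(/\s+/, 3)
  actual = b64 && blob_algorithm(b64)
  return :malformed if actual.nil? || actual != declared
  return :unusable if FIPS_UNUSABLE.include?(actual)
  return :unverified if FIPS_UNVERIFIED.include?(actual)
  :not_flagged
end

# Build a constructed, non-functional key line (all-zero key material).
def sample_key(algo, declared = algo)
  wire = [algo.bytesize].pack('N') + algo + [32].pack('N') + ("\x00" * 32)
  "#{declared} #{Base64.strict_encode64(wire)} demo@example"
end

# Count key lines per classification.
def audit(lines)
  lines.group_by { |l| classify_key(l) }.transform_values(&:size)
end

if __FILE__ == $PROGRAM_NAME
  keys = [sample_key('ssh-ed25519'), sample_key('sk-ssh-ed25519@openssh.com'),
          sample_key('sk-ecdsa-sha2-nistp256@openssh.com'),
          sample_key('ssh-rsa'),
          sample_key('ssh-ed25519', 'ssh-rsa')] # prefix disagrees with blob
  p audit(keys)
end
```

`:not_flagged` only means the issue does not name that key type; it is not a statement that the type is accepted on a FIPS system.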