Relax FIPS default algorithms
Previously we set the gitlab-sshd algorithms to use FIPS-approved
algorithms from
labkit!207 (merged) in order to
prevent panics due to the use of ED25519 algorithms, but this might
break existing installations still relying on legacy public key
algorithms, such as ssh-rsa (RSA with SHA1 hash).
Relax the requirements for now until we have a proper deprecation path forward. Admins that care about locking down the allowed public key algorithms can do so via the configuration settings.
To test this, you must use a Linux system to build gitlab-sshd with FIPS_MODE=1 make.
Either use a Linux system run gitlab-sshd with GOLANG_FIPS=1 or use a FIPS-enabled host. Then ssh -v localhost -p 2222 to see server-sig-algs.
Before:
debug1: kex_input_ext_info: server-sig-algs=<rsa-sha2-256,rsa-sha2-512,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384>After:
debug1: kex_input_ext_info: server-sig-algs=<sk-ecdsa-sha2-nistp256@openssh.com,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,rsa-sha2-256,rsa-sha2-512,ssh-rsa,ssh-dss>Edited by Stan Hu