Skip to content

ED25519 keys do not work on FIPS systems

While running QA tests with !92150 (merged) against a FIPS Omnibus system, I found that ED25519 keys do not work on FIPS systems. This seems to be echoed by other sources: https://superuser.com/a/1567730

In https://gitlab.com/gitlab-org/gitlab/-/blob/709d432864d970cf6bbe88daeee31faf5aef829c/lib/gitlab/fips.rb#L14-16, it seems we allow users to add these keys.

We have a few options here:

  1. Allow them to be entered into the system, but OpenSSH won't honor them.
  2. Drop ed25519 and ed25519_sk from the supported keys list. We might need to consider solving #358985 if we do this, since it's quite annoying to have to manually adjust these settings.

I also wonder whether ecdsa_sk works, although I would hope that it does.

/cc: @robotmay_gitlab