Untitled attachment

Notices where this attachment appears

1. Embed this notice
   zhenech (zhenech@chaos.social)'s status on Friday, 25-Apr-2025 22:00:41 JST zhenech

   Today in FUCKING FIPS LAND:

   $ ssh-keyscan ippai.die-welt.net
   # ippai.die-welt.net:22 SSH-2.0-OpenSSH_9.2p1 Debian-2+deb12u5
   kex_gen_client: Key exchange type c25519 is not allowed in FIPS mode
   # ippai.die-welt.net:22 SSH-2.0-OpenSSH_9.2p1 Debian-2+deb12u5
   kex_gen_client: Key exchange type c25519 is not allowed in FIPS mode
   # ippai.die-welt.net:22 SSH-2.0-OpenSSH_9.2p1 Debian-2+deb12u5
   kex_gen_client: Key exchange type c25519 is not allowed in FIPS mode

2. Embed this notice
   zhenech (zhenech@chaos.social)'s status on Friday, 25-Apr-2025 22:00:40 JST zhenech

   in reply to

   $ ssh ippai.die-welt.net
   The authenticity of host 'ippai.die-welt.net (188.68.51.252)' can't be established.
   ECDSA key fingerprint is SHA256:V0iohQpWv4KNHI1TXMy/RPcMSc6m0P3id7LpQKLvm9o.
   This key is not known by any other names
   Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
   Warning: Permanently added 'ippai.die-welt.net' (ECDSA) to the list of known hosts.
   user@ippai.die-welt.net: Permission denied (publickey).

3. Embed this notice
   zhenech (zhenech@chaos.social)'s status on Friday, 25-Apr-2025 22:00:38 JST zhenech

   in reply to

   $ cat .ssh/known_hosts
   ippai.die-welt.net ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBIBUsKAIaR020Tom56jb/4RSSNTEeH+lKZowCE3r0kjvcONHTv99RimO1V7ke+JAHVBLlHM3R1PjwHfOmzf9CP4=

4. Embed this notice
   zhenech (zhenech@chaos.social)'s status on Friday, 25-Apr-2025 22:00:33 JST zhenech

   in reply to

   @neverpanic But why does `ssh` manage to work, while `ssh-keyscan` does not?

   When I do `ssh -v ippai.die-welt.net` from an EL9-FIPS box, I see
   ```
   debug1: kex: algorithm: ecdh-sha2-nistp256
   debug1: kex: host key algorithm: ecdsa-sha2-nistp256
   ```

   While in `ssh-keyscan -v` I only see c25519, and that's forbidden.