
Request: Upgrade OpenSSH version to enable FIDO2-backed ed25519 SSH keys #681

@keysie


On XCP-ng version 8.3 (fully updated), FIDO-backed SSH keys in the ed25519_sk_rk format are not recognized by the host. This is probably due to the use of old-ish versions of OpenSSH. I think OpenSSH 8.2/8.2p1 and above would support this feature.

For reference my versions:

```
# ssh -V
OpenSSH_7.4p1, OpenSSL 1.0.2k-fips  26 Jan 2017
# uname -a
Linux hostname 4.19.0+1 #1 SMP Wed Oct 9 13:59:53 CEST 2024 x86_64
```

I am not well versed in the details of OpenSSH and its interactions with OpenSSL. From what I found online, it seems that getting OpenSSL from 1.0.2k-fips to a more modern version is hard on CentOS (source). Maybe it is possible, however, to keep the OpenSSL library and only bump OpenSSH?
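A way to check whether a given OpenSSH build can handle FIDO-backed keys, added here as an example and not part of the original issue. It tests the `ssh -V` banner against release 8.2, which introduced the `sk-*` key types, and looks for `sk-ssh-ed25519@openssh.com` in the output of `ssh -Q key`. The function names are hypothetical, and it assumes `ssh` and `sshd` on the host come from the same build.

```shell
#!/bin/sh
# Added example (not from the issue): does this OpenSSH build know FIDO "sk" keys?

# supports_sk_version "<ssh -V banner>"
# Returns 0 if the banner reports OpenSSH 8.2 or later, 1 if older,
# 2 if the banner is not in the usual "OpenSSH_<major>.<minor>..." form.
supports_sk_version() {
    ver=$(printf '%s\n' "$1" |
        sed -n 's/^OpenSSH_\([0-9][0-9]*\)\.\([0-9][0-9]*\).*/\1 \2/p')
    [ -n "$ver" ] || return 2
    set -- $ver                      # split "major minor" into $1 and $2
    major=$1 minor=$2
    [ "$major" -gt 8 ] || { [ "$major" -eq 8 ] && [ "$minor" -ge 2 ]; }
}

# has_sk_keytype "<output of ssh -Q key>"
# Returns 0 if the ed25519 security-key type is listed. This also catches
# vendor builds whose version number alone does not tell the whole story.
has_sk_keytype() {
    printf '%s\n' "$1" | grep -qx 'sk-ssh-ed25519@openssh.com'
}

# sk_report "<banner>" "<key type list>": prints a one-line verdict.
sk_report() {
    if has_sk_keytype "$2"; then
        echo "supported: sk-ssh-ed25519@openssh.com is listed"
    elif supports_sk_version "$1"; then
        echo "unsupported: release is 8.2 or later but the sk key type is not listed"
    else
        echo "unsupported: banner does not report OpenSSH 8.2 or later"
    fi
}

# Run against the local installation only when asked to: sh check.sh --local
if [ "${1:-}" = "--local" ]; then
    sk_report "$(ssh -V 2>&1)" "$(ssh -Q key 2>/dev/null)"
fi
```
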
