containers / podman-bootc

Apache License 2.0

FIPS mode doesn't allow ssh-ed25519 used by podman-bootc #68

Closed. matusmarhefka closed this 2 weeks ago

matusmarhefka commented 1 month ago

When FIPS mode is enabled and the crypto policy is set to FIPS, the ed25519 ssh key used by the podman-bootc tool is not allowed and therefore podman-bootc is unable to ssh into such a system. The tool needs to be updated to use a FIPS-approved ssh key to be able to access FIPS-enforcing systems.

For more details see https://access.redhat.com/solutions/3643252
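As an added illustration (not code from the issue or from podman-bootc), a pre-flight check a tool could run on the public key it intends to use before targeting a FIPS-enforcing host: it decodes the OpenSSH wire blob to recover the real key type and, for RSA, the modulus size. The allow-list is my assumption of the RHEL FIPS crypto-policy (ssh-ed25519 rejected; RSA of at least 2048 bits and ECDSA P-256/384/521 accepted), and the sample keys are synthetic.

```python
"""Check OpenSSH public keys against an assumed FIPS allow-list."""
import base64
import struct

# Assumption: mirrors the RHEL FIPS crypto-policy; ssh-ed25519 is absent.
FIPS_ALLOWED = {"ssh-rsa", "ecdsa-sha2-nistp256",
                "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521"}
MIN_RSA_BITS = 2048


def _read_string(blob, off):
    """RFC 4253 'string': 4-byte big-endian length followed by the bytes."""
    (n,) = struct.unpack(">I", blob[off:off + 4])
    return blob[off + 4:off + 4 + n], off + 4 + n


def parse_pubkey_line(line):
    """Return (key_type, rsa_bits_or_None) from an authorized_keys style line."""
    fields = line.split()
    if len(fields) < 2:
        raise ValueError("not an OpenSSH public key line")
    blob = base64.b64decode(fields[1])
    key_type, off = _read_string(blob, 0)
    key_type = key_type.decode()
    if key_type != fields[0]:          # prefix and blob must agree
        raise ValueError("key type prefix does not match blob")
    bits = None
    if key_type == "ssh-rsa":
        _e, off = _read_string(blob, off)   # public exponent, not needed here
        n, _ = _read_string(blob, off)      # modulus as mpint
        bits = int.from_bytes(n, "big").bit_length()
    return key_type, bits


def fips_acceptable(line):
    """True only if the key type (and RSA size) is on the allow-list."""
    key_type, bits = parse_pubkey_line(line)
    if key_type not in FIPS_ALLOWED:
        return False
    return not (key_type == "ssh-rsa" and bits < MIN_RSA_BITS)


def _enc(b):
    return struct.pack(">I", len(b)) + b


def make_sample_line(key_type, modulus_bits=None):
    """Constructed, syntactically valid key line; the key material is fake."""
    parts = [_enc(key_type.encode())]
    if key_type == "ssh-rsa":
        n = (1 << (modulus_bits - 1)) | 1           # fake modulus of given size
        parts += [_enc(b"\x01\x00\x01"), _enc(n.to_bytes(modulus_bits // 8 + 1, "big"))]
    else:
        parts.append(_enc(b"\x00" * 32))            # fake 32-byte ed25519 point
    return f"{key_type} {base64.b64encode(b''.join(parts)).decode()} podman-bootc"
```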

germag commented 1 month ago

Thanks for reporting this. I'll consider this a regression: we used to create an RSA ssh key per VM, but later we switched to using the podman-machine ssh key for simplicity.

I'm working on it

cgwalters commented 1 month ago

I agree this is a problem. What I feel we need to have a real debate on is where podman-bootc stops and where more generic installation flows take over.

In particular with e.g. virt-manager it's totally configurable today how the SSH keys work, etc.

What we're missing though is better virt-manager sugar and optimizations. I filed https://github.com/virt-manager/virt-manager/issues/739 to track that.

germag commented 3 weeks ago

@matusmarhefka could you try https://github.com/containers/podman-bootc/pull/71 if that solves the problem?

matusmarhefka commented 3 weeks ago

@germag Can you fix the packit jobs first so I can use the built RPM from Packit for testing?

germag commented 3 weeks ago

> @germag Can you fix the packit jobs first so I can use the built RPM from Packit for testing?

Working on it, but not sure what is happening; it works for me locally.

germag commented 3 weeks ago

> @germag Can you fix the packit jobs first so I can use the built RPM from Packit for testing?

@matusmarhefka I fixed the issue with our CI, so now you will be able to get the RPMs.

Sorry for taking too long, I hate Go dependency management :)