As part of our continuous effort to pursue security best practices, Cerberus FTP Server now issues a security warning when an RSA public key uses a weak, FIPS-invalid exponent.

Once Cerberus moves to OpenSSL 3, if you have FIPS enabled and you have SFTP users with RSA public keys generated using PuTTYgen before version 0.75, authentication by those users may no longer be supported. Those PuTTYgen versions generated RSA keys with a public exponent of 37, which is below the minimum of 65537 that the OpenSSL 3 FIPS provider accepts; PuTTYgen 0.75 and later use 65537.

To help administrators prepare, Cerberus now generates a new log message that identifies the user and public key path of each affected public key:

RSA public key from ('<username>' or '<path to key>') uses a weak, FIPS-invalid exponent. Regenerate the keys to improve security and compliance.
See https://support.cerberusftp.com/hc/en-us/articles/6496089407251-I-see-the-warning-RSA-public-key-from-uses-a-weak-FIPS-invalid-exponent-Regenerate-the-keys-to-improve-security-and-compliance-in-my-logs-when-a-user-is-authenticating-with-SSH-key-pair-What-does-it-mean- for details.

More information, including a PowerShell script that scans all native users for affected public keys, is available on the dedicated Cerberus Support page linked above.
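The check behind that warning can be reproduced outside Cerberus. The following is an added example, not Cerberus's own script and not the PowerShell scanner from the support page: it parses OpenSSH-format "ssh-rsa" public key lines (the RFC 4253 blob of type, exponent and modulus, base64-encoded), extracts the public exponent, and applies the bounds the OpenSSL 3 FIPS provider enforces (odd, 65537 <= e <= 2^256 - 1). It assumes the keys are stored in OpenSSH authorized_keys format; the sample lines are constructed in the script from a made-up modulus, and the user comments are hypothetical.

```python
import base64
import struct

# Public-exponent bounds enforced by the OpenSSL 3 FIPS provider (from FIPS 186-4):
# e must be odd and 65537 <= e <= 2^256 - 1. PuTTYgen before 0.75 used e = 37.
FIPS_MIN_EXPONENT = 65537
FIPS_MAX_EXPONENT = (1 << 256) - 1


def exponent_is_fips_valid(e):
    """True if the RSA public exponent passes the FIPS provider's parity/range check."""
    return e % 2 == 1 and FIPS_MIN_EXPONENT <= e <= FIPS_MAX_EXPONENT


def _write_string(data):
    """Encode one SSH 'string': uint32 big-endian length followed by the bytes."""
    return struct.pack(">I", len(data)) + data


def _int_to_mpint(value):
    """Encode a non-negative int as an SSH mpint (minimal big-endian two's complement)."""
    return value.to_bytes((value.bit_length() + 8) // 8, "big")


def _read_string(blob, offset):
    """Read one SSH 'string' from blob at offset; returns (bytes, next_offset)."""
    (length,) = struct.unpack_from(">I", blob, offset)
    start, end = offset + 4, offset + 4 + length
    if end > len(blob):
        raise ValueError("truncated SSH public key blob")
    return blob[start:end], end


def encode_ssh_rsa_public_key(e, n, comment):
    """Build an OpenSSH 'ssh-rsa <base64> comment' line from e and n.
    Used here only to construct sample input; real keys come from the user's key file."""
    blob = (_write_string(b"ssh-rsa")
            + _write_string(_int_to_mpint(e))
            + _write_string(_int_to_mpint(n)))
    return "ssh-rsa " + base64.b64encode(blob).decode("ascii") + " " + comment


def parse_ssh_rsa_public_key(line):
    """Parse an OpenSSH public key line into (e, n, comment); None for non-RSA key types."""
    fields = line.split(None, 2)
    if len(fields) < 2:
        raise ValueError("malformed public key line")
    key_type, b64 = fields[0], fields[1]
    comment = fields[2].strip() if len(fields) == 3 else ""
    if key_type != "ssh-rsa":
        return None
    blob = base64.b64decode(b64, validate=True)
    inner_type, off = _read_string(blob, 0)
    if inner_type != b"ssh-rsa":
        raise ValueError("key type inside blob does not match 'ssh-rsa'")
    e_raw, off = _read_string(blob, off)
    n_raw, _ = _read_string(blob, off)
    return (int.from_bytes(e_raw, "big", signed=True),
            int.from_bytes(n_raw, "big", signed=True),
            comment)


def scan_authorized_keys(text):
    """Return (line_no, comment, e, fips_valid) for every ssh-rsa key in an
    authorized_keys-style text. Other key types, blank lines and '#' comments are skipped."""
    findings = []
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parsed = parse_ssh_rsa_public_key(line)
        if parsed is None:
            continue
        e, _n, comment = parsed
        findings.append((line_no, comment, e, exponent_is_fips_valid(e)))
    return findings


# Constructed sample input. The modulus is a made-up 2048-bit odd number, not a real
# RSA modulus; only the exponent matters for this check. Comments are hypothetical.
SAMPLE_MODULUS = (1 << 2047) | 0x5A5A5A5A5A5A5A5B
SAMPLE_ED25519_LINE = ("ssh-ed25519 "
                       + base64.b64encode(_write_string(b"ssh-ed25519")
                                          + _write_string(bytes(32))).decode("ascii")
                       + " ed25519-user")
SAMPLE_AUTHORIZED_KEYS = "\n".join([
    "# keys for a hypothetical Cerberus SFTP user",
    encode_ssh_rsa_public_key(37, SAMPLE_MODULUS, "puttygen-0.74"),     # e=37: flagged
    encode_ssh_rsa_public_key(65537, SAMPLE_MODULUS, "puttygen-0.75"),  # e=65537: fine
    SAMPLE_ED25519_LINE,                                                 # not RSA: skipped
])

if __name__ == "__main__":
    for line_no, comment, e, ok in scan_authorized_keys(SAMPLE_AUTHORIZED_KEYS):
        verdict = "ok" if ok else "weak, FIPS-invalid exponent: regenerate"
        print(f"line {line_no} ({comment}): e={e} -> {verdict}")
```

Running the script prints one line per RSA key, flagging the e=37 key and passing the e=65537 one; point `scan_authorized_keys` at the contents of each user's key file to get the same list the Cerberus log message will produce. Note that the check deliberately rejects even exponents and values above 2^256 - 1 as well as small ones, matching the provider's rule rather than only the PuTTYgen case.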