RHEL9 and Key Exchange

Posted by individual101@reddit | linuxadmin | View on Reddit | 1 comments

I have a RHEL9 server I am trying to SSH into. FIPS is enabled because I'm trying to follow the proper STIG procedure and when I try to try to ssh into it from putty, It immediately fails and the logs on the server is showing:

Key exchange type c25519 is not allowed in FIPS mode [preauth]

I am not using any key exchange method yet because I'm working on trying to join this server to AD. That is causing me even more headache because apparently RC4 is enabled in the AD and I am consistently getting a message saying the key allowance is inconsistence because RHEL8 and 9 don't support RC4. That is something I can pick at later though.

[-]

MisterBazz@reddit

I'm having a similar issue with RHEL9. This OP is 2yrs old, but now RHEL9 IS FIPS certified (140-3). Curve25519 is not FIPS 140-2 nor 140-3 compliant.

When registering a system to Red Hat IDM, it inserts two curve25519 entries into the sshd_config file. When you attempt to SSH to said system using SSH keys or PIV, it immediately fails with that exact error message in /var/log/secure.

STIG'd, and FIPS'd RHEL8 systems don't exhibit this behavior, even though those two curve25519 entries are put in the sshd_config file. It's RHEL9 specific. I CAN however SSH from a RHEL8 box to said RHEL9 box, passing my auth creds since the keyexchange isn't used therefore bypassing the curve25519 altogether.