I'm trying to connect to a RHEL9 VM using ssh.

When attempting, it gives the error:

Connection closed by xxx.xxx.xxx.xxx port 22

I checked the /var/logs/secure log and found the following error

Connection from xxx.xxx.xxx.xxx port 65527 on xxx.xxx.xxx.xxx port 22 rdomain
input_kex_gen_init: key exchange type c25519 is not allowed in FIPS mode [preauth]
ssh_dispatch_run_fatal: Connection from xxx.xxx.xxx.xxx port 65527: invalid argument [preauth]

I've checked the firewall to allow port 22, I've checked the sshd_config and it matched a known good. I have no idea what could be blocking me. Any help would be greatly appreciated.

  • Check this post. The suggested solution is # update-crypto-policies --set FIPS:AD-SUPPORT and reboot. Commented Jun 5 at 19:53
  • Try to connect using ssh -v, and compare the list of authentication methods provided by the client and by the server. They must have one method in common. Commented Jun 5 at 20:54
  • @Manmadeofmeat unfortunately the post you linked is behind a RedHat subscription block. Commented Jun 6 at 6:20
  • @SottoVoce if somebody runs RHEL, they should have a subscription ... that's what the subscription is for -- to provide support. Commented Jun 6 at 10:11

1 Answer

The error indicates a FIPS mode issue. RHEL9 in FIPS mode does not allow certain KEX algorithms.

Open /etc/ssh/sshd_config and add/modify the KexAlgorithms configuration to use FIPS-compliant algorithms.

Example:

KexAlgorithms ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256

Then restart SSH: systemctl restart sshd

If that doesn't help, check whether FIPS is actually enabled: fips-mode-setup --check

The fips-mode-setup --check command in RHEL is used to verify if FIPS mode is currently enabled.

If FIPS mode is enabled, the command will output "FIPS mode is enabled". If it is not, the output will vary, but it will indicate that FIPS mode is disabled.

Key Exchange is part of the SSH protocol. It's how you initiate a connection. It is NOT the same thing as public key authentication even though the names do have three letters in common. It does not have anything to do with Kerberos, Active Directory, or jelly filled donuts either.

In order to establish a working SSH connection the client and server need to agree on a Key Exchange Algorithm (KEX), a key format and a cipher at the very least. You can use the following commands to check what is enabled on your server:

sshd -T | grep ^kex
sshd -T | grep ciphers

This will give you a full list of all algorithms present in SSHD and also enabled in /etc/ssh/sshd_config.

More source:
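The "one method in common" check from the comments, worked through as an added example (not code from the question or the answer): given the server's KexAlgorithms list, as printed by sshd -T, and the client's offer, it prints the algorithms both sides share in the client's preference order, which is the order OpenSSH uses to pick one. The two lists below are constructed samples; the server list is the FIPS-style set from the answer, and the client offers only curve25519, which the question's log shows being rejected in FIPS mode.

```shell
#!/bin/sh
# Added example, not from the original post. Compares a server's enabled
# key-exchange algorithms with a client's offer and reports the overlap.

# Constructed sample: what `sshd -T | grep ^kexalgorithms` might print on a
# FIPS host configured as in the answer above (value only, no "kexalgorithms" key).
SERVER_KEX="ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256"

# Constructed sample: a client that only offers curve25519 variants, which the
# question's /var/log/secure entry shows is "not allowed in FIPS mode".
CLIENT_KEX="curve25519-sha256,curve25519-sha256@libssh.org"

# common_kex SERVER_LIST CLIENT_LIST
# Prints every algorithm present in both comma-separated lists, one per line,
# in the client's order. Empty output means the handshake cannot succeed.
common_kex() {
    server="$1"
    client="$2"
    echo "$client" | tr ',' '\n' | while IFS= read -r alg; do
        [ -n "$alg" ] || continue
        # Wrap the server list in commas so "nistp256" cannot match "nistp2560".
        case ",$server," in
            *",$alg,"*) echo "$alg" ;;
        esac
    done
}

# first_common_kex SERVER_LIST CLIENT_LIST
# Prints the algorithm OpenSSH would negotiate (first client entry the server
# also accepts), or nothing if there is no overlap.
first_common_kex() {
    common_kex "$1" "$2" | head -n 1
}

# Stand-alone run: with the constructed lists there is no overlap, so this
# prints the "no common KEX" diagnosis rather than an algorithm name.
chosen=$(first_common_kex "$SERVER_KEX" "$CLIENT_KEX")
if [ -n "$chosen" ]; then
    echo "negotiated KEX would be: $chosen"
else
    echo "no common KEX: client offers [$CLIENT_KEX], server allows [$SERVER_KEX]"
fi
```

To run it against real hosts, feed the value column of `sshd -T | grep ^kexalgorithms` (root on the server) as the first argument and the list your client actually sends, visible in `ssh -v` output, as the second; `ssh -Q kex` shows what the client binary supports but not necessarily what it is configured to offer.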
