FIPS mode can't decrypt existing passphrase-protected ssh keys

Solution Verified - Updated -

Issue

  • It seems encrypted ssh private keys can't be decrypted on FIPS systems. Why? What to do about it?

  • We generated a passphrase-protected ssh keypair with ssh-keygen and used it successfully.
    After we enabled FIPS mode (e.g., by following instructions for RHEL6), our ssh key no longer accepts our passphrase:

    [root]# ssh server.example.com
    FIPS mode initialized
    Enter passphrase for key '/root/.ssh/id_rsa':
    Enter passphrase for key '/root/.ssh/id_rsa':
    Enter passphrase for key '/root/.ssh/id_rsa':
    root@server.example.com's password:
    
  • SSH keys not working after FIPS mode enabled on server

  • How to create ssh keys on a non-FIPS-compliant system so that the ssh keys are compliant after the system is upgraded to FIPS-compliant mode.

Environment

  • Red Hat Enterprise Linux 5
  • Red Hat Enterprise Linux 6
  • Red Hat Enterprise Linux 7
