FIPS mode can't decrypt existing passphrase-protected ssh keys

Issue

  • It seems encrypted ssh private keys can't be decrypted on FIPS systems. Why? What to do about it?

  • We generated a passphrase-protected ssh keypair with ssh-keygen and used it successfully.
    After we enabled FIPS mode (e.g., by following instructions for RHEL6), our ssh key no longer accepts our passphrase:

    [root]# ssh server.example.com
    FIPS mode initialized
    Enter passphrase for key '/root/.ssh/id_rsa':
    Enter passphrase for key '/root/.ssh/id_rsa':
    Enter passphrase for key '/root/.ssh/id_rsa':
    root@server.example.com's password:
    
  • SSH keys not working after FIPS mode enabled on server

  • How to create ssh keys on a non-FIPS-compliant system so that the ssh keys are compliant after the system is upgraded to FIPS-compliant mode.

Environment

  • Red Hat Enterprise Linux 5
  • Red Hat Enterprise Linux 6
  • Red Hat Enterprise Linux 7
