Two possible issues when using ssh from a secured (FIPS-enabled) RHEL 8 host to RHEL 6

With RHEL 8, OpenSSH has been updated to version 8.0:

root@ol8test:~# ssh -V
OpenSSH_8.0p1, OpenSSL 1.1.1g FIPS  21 Apr 2020

If a RHEL 8 system is hardened, for example through the system-wide crypto policy (shown with update-crypto-policies --show), weak key exchange algorithms may be disabled or removed from the client. When connecting from such a system to a legacy system, e.g. RHEL 6, ssh fails with an error like this:

root@ol8test:~# ssh root@ol6test
Unable to negotiate with 10.10.169.20 port 22: no matching key exchange method found. Their offer: diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1

To work around this, re-enable one of the offered methods for this connection by appending it to the client's key exchange list (the + prefix keeps the client's existing list and adds to it). Of the four methods offered, diffie-hellman-group-exchange-sha256 is the strongest, since the other three rely on SHA-1 and diffie-hellman-group1-sha1 also uses a 1024-bit group, so pick that one:

ssh -oKexAlgorithms=+diffie-hellman-group-exchange-sha256 root@ol6test

Another possible issue is that with FIPS mode enabled you might see the following error instead:

root@ol8test:~# ssh root@ol6test
ssh_dispatch_run_fatal: Connection to 10.10.169.20 port 22: invalid argument

Once FIPS mode is disabled (a reboot is required), you will be able to ssh to the legacy system. Keep in mind that disabling FIPS mode removes the host's hardened crypto posture, so treat this as a last resort and prefer fixing the legacy side or connecting through a non-FIPS jump host.

To disable FIPS mode on RHEL 8 (fips-mode-setup --enable turns it back on):

# fips-mode-setup --disable
Setting system policy to DEFAULT
FIPS mode will be disabled.
Please reboot the system for the setting to take effect.

To check whether FIPS mode is enabled or disabled:

root@ol8test:/boot# fips-mode-setup --check
FIPS mode is disabled.

root@ol8test:/boot# cat /proc/sys/crypto/fips_enabled
0

root@ol8test:/boot# sysctl crypto.fips_enabled
crypto.fips_enabled = 0
