SSH/SSHD failing in FIPS mode due to unsupported encryption key

Environment

  • Red Hat Enterprise Linux

Issue

  • ssh-keygen: generating new host keys: ED25519 ED25519 keys are not allowed in FIPS mode
  • main: sshd: Ed25519 keys are not allowed in FIPS mode, skipping /etc/ssh/ssh_host_ed25519_key

Resolution

  • On a system running in FIPS mode, generate new SSH keys using the ecdsa or rsa key type. For example:
    # ssh-keygen -t ecdsa

Root Cause

  • On a FIPS-enforcing system, only the following key types are available:
    ecdsa | rsa
  • The following key types are not available on a FIPS-enforcing system:
    dsa | ed25519
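
One way to find affected host keys before or after switching a system to FIPS mode, as an added example that is not part of the original solution: it maps the algorithm field of each host public key file to the two lists above. The function names, the /proc/sys/crypto/fips_enabled check and the OpenSSH algorithm identifiers (ssh-rsa, ecdsa-sha2-nistp*, ssh-dss, ssh-ed25519) are assumptions that do not come from this page.

```shell
#!/bin/sh
# Added example: check SSH host public keys against the key types this page
# lists as available (ecdsa, rsa) or not available (dsa, ed25519) in FIPS mode.

# True when the kernel reports FIPS mode. The path argument exists only so the
# check can be pointed at a test file; the default is the Linux kernel flag.
fips_mode_enabled() {
    [ "$(cat "${1:-/proc/sys/crypto/fips_enabled}" 2>/dev/null)" = 1 ]
}

# Map the algorithm field of a public key line to a verdict.
classify_key_type() {
    case "$1" in
        ecdsa-sha2-nistp*|ssh-rsa) echo allowed ;;
        ssh-dss|ssh-ed25519)       echo blocked ;;
        *)                         echo unknown ;;
    esac
}

# Print "<verdict> <algorithm> <file>" for every host public key in a
# directory. Returns 1 if any key is of a blocked type.
audit_host_keys() {
    audit_dir=${1:-/etc/ssh}
    audit_rc=0
    for pub in "$audit_dir"/ssh_host_*_key.pub; do
        [ -f "$pub" ] || continue
        algo=
        read -r algo _rest < "$pub" || true
        [ -n "$algo" ] || continue
        verdict=$(classify_key_type "$algo")
        echo "$verdict $algo $pub"
        if [ "$verdict" = blocked ]; then audit_rc=1; fi
    done
    return "$audit_rc"
}
```

After sourcing the file, `fips_mode_enabled && audit_host_keys` lists each host key with its verdict; keys marked blocked are of the types listed as not available and need replacing with ecdsa or rsa keys as described under Resolution.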

This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.