How to connect to a RHEL 8 system running FIPS using PuTTY

Solution Verified - Updated

Environment

  • Red Hat Enterprise Linux 8
  • Crypto policy FIPS
  • PuTTY
  • Public key using ssh-rsa or ssh-rsa-cert-v01@openssh.com

Issue

  • When connecting with PuTTY and an RSA public key to a RHEL 8 system running FIPS-140-2, the connection fails with the following message in /var/log/secure:

    TIMESTAMP sshd[PID]: userauth_pubkey: key type ssh-rsa not in PubkeyAcceptedKeyTypes [preauth]
    
  • Connecting with PuTTY and an RSA public key to a RHEL 7 system running FIPS-140-2 works fine

Resolution

This is expected behaviour: ssh-rsa keys are not FIPS-140-2 compliant.

  1. Generate a new key which is compliant with FIPS-140-2, for example ECDSA with curve nistp256.
  2. Add the public key to the authorized_keys file on the destination system.
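
To see which accounts still need a new key, the following added example (not Red Hat's code) scans an authorized_keys file for the two key types listed under Environment and counts the key types named in the sshd message shown under Issue. The function names are hypothetical and the sample entries and log line are constructed.

```python
import re
from collections import Counter

# Key types this page lists as affected on RHEL 8 with the FIPS crypto policy.
REJECTED = {"ssh-rsa", "ssh-rsa-cert-v01@openssh.com"}
# A field is a run of non-space characters; double-quoted option values
# (which may contain spaces and \" escapes) stay inside their field.
FIELD_RE = re.compile(r'(?:"(?:\\.|[^"\\])*"|[^\s"])+')
KEYTYPE_RE = re.compile(r"^(?:ssh-|ecdsa-sha2-|sk-)\S+$")
LOG_RE = re.compile(r"userauth_pubkey: key type (\S+) not in PubkeyAcceptedKeyTypes")

def key_type(entry):
    """Key type of one authorized_keys entry; None for blanks, comments, bad lines."""
    entry = entry.strip()
    if not entry or entry.startswith("#"):
        return None
    # The key type is the first field, or the second when options come first.
    for field in FIELD_RE.findall(entry)[:2]:
        if KEYTYPE_RE.match(field):
            return field
    return None

def audit_authorized_keys(text):
    """Return (line number, key type) for every entry of a REJECTED type."""
    typed = ((n, key_type(line)) for n, line in enumerate(text.splitlines(), 1))
    return [(n, t) for n, t in typed if t in REJECTED]

def rejected_types_in_log(text):
    """Count key types named in the sshd message quoted in the Issue section."""
    return Counter(LOG_RE.findall(text))

# Constructed sample data; the key blobs are placeholders, not real keys.
SAMPLE_KEYS = '''# constructed authorized_keys
ssh-rsa AAAA_PLACEHOLDER alice@laptop
command="echo ssh-rsa is old",no-pty ecdsa-sha2-nistp256 AAAA_PLACEHOLDER backup
from="10.0.0.1" ssh-rsa-cert-v01@openssh.com AAAA_PLACEHOLDER bob@ws
'''
SAMPLE_LOG = ("Jan 10 10:00:00 host sshd[1234]: userauth_pubkey: key type "
              "ssh-rsa not in PubkeyAcceptedKeyTypes [preauth]\n")

if __name__ == "__main__":
    for lineno, ktype in audit_authorized_keys(SAMPLE_KEYS):
        print(f"line {lineno}: {ktype} will be refused; replace with a new key")
    print(dict(rejected_types_in_log(SAMPLE_LOG)))
```

The quote-aware field split matters because a plain text search for ssh-rsa would also flag the ECDSA entry whose command option merely mentions the string.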

Root Cause

  • The default PuTTY key algorithm is ssh-rsa, which isn't FIPS-140-2 compliant
  • RHEL 7 tolerated this type of key, but RHEL 8 no longer does

This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.