An SSH connection from CentOS 6 to CentOS 8 fails when CentOS 8 is running in FIPS mode.
- The ssh debug output shows the following:
debug2: mac_setup: found hmac-sha1
debug1: kex: server->client aes128-ctr hmac-sha1 none
debug2: mac_setup: found hmac-sha1
debug1: kex: client->server aes128-ctr hmac-sha1 none
no hostkey alg
- To resolve this issue, generate ECDSA host keys on CentOS 6 and set the correct permissions, as shown below.
ssh-keygen -t ecdsa -f /etc/ssh/ssh_host_ecdsa_key -C '' -N ''
chmod 600 /etc/ssh/ssh_host_ecdsa_key
chmod 640 /etc/ssh/ssh_host_ecdsa_key.pub
restorecon /etc/ssh/ssh_host_ecdsa_key.pub
- To allow ssh clients to accept ECDSA host keys, add the following to the /etc/ssh/sshd_config file on the ssh server.
Host <hostname/IP>
    HostKeyAlgorithms ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521
CentOS 8 only supports SHA2 hashes for RSA host keys, so they are incompatible with CentOS 6’s SHA1-based RSA host keys. However, CentOS 6 systems can connect to CentOS 8 in FIPS mode using ECDSA keys, which are not created and accepted automatically.
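
As an added example (not part of the original article), these shell functions check the two things the procedure depends on: that the debug log stops at host key algorithm selection after the cipher and MAC were already agreed, and that the ECDSA host key pair exists with the modes set above. The function names and result strings are assumptions of this example, and `stat -c` assumes GNU coreutils as shipped on CentOS.

```shell
#!/bin/bash
# Added example, not part of the original article.

# Debug lines quoted in the article, reused here as sample input.
SAMPLE_LOG='debug2: mac_setup: found hmac-sha1
debug1: kex: server->client aes128-ctr hmac-sha1 none
debug2: mac_setup: found hmac-sha1
debug1: kex: client->server aes128-ctr hmac-sha1 none
no hostkey alg'

# Read ssh client debug output on stdin. Report whether negotiation stopped
# at the host key algorithm, and which cipher/MAC had already been agreed.
classify_ssh_debug() {
    awk '
        $2 == "kex:" && ($3 == "server->client" || $3 == "client->server") {
            agreed = agreed " " $3 "=" $4 "/" $5
        }
        /^no hostkey alg/ { failed = 1 }
        END {
            if (failed) print "hostkey-alg-mismatch;" agreed
            else        print "no-hostkey-failure"
        }'
}

# Check the ECDSA host key pair in DIR (default /etc/ssh): both files exist,
# private key is mode 600, public key is mode 640 and holds an ECDSA key.
check_ecdsa_hostkey() {
    key="${1:-/etc/ssh}/ssh_host_ecdsa_key"
    rc=0
    if [ ! -f "$key" ] || [ ! -f "$key.pub" ]; then
        echo "missing $key or $key.pub"; return 2
    fi
    [ "$(stat -c %a "$key")" = 600 ]     || { echo "$key: mode is not 600"; rc=1; }
    [ "$(stat -c %a "$key.pub")" = 640 ] || { echo "$key.pub: mode is not 640"; rc=1; }
    case "$(awk 'NR == 1 { print $1 }' "$key.pub")" in
        ecdsa-sha2-nistp256|ecdsa-sha2-nistp384|ecdsa-sha2-nistp521) ;;
        *) echo "$key.pub: not an ECDSA public key"; rc=1 ;;
    esac
    return "$rc"
}

# Demo on the sample log (touches no files).
printf '%s\n' "$SAMPLE_LOG" | classify_ssh_debug
```

Run `check_ecdsa_hostkey` with no argument on the CentOS 6 host after the key generation step; a non-zero exit status means a file is missing, has the wrong mode, or is not an ECDSA key.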