]> Enabling modern SSH algorithms on ESXi 🌐:aligrant.com

Enabling modern SSH algorithms on ESXi

Alastair Grant | Tue 23 Apr 2024

If you're using keys to authenticate your SSH sessions (which you should be), then you may wonder why you can't get your swanky modern ed25519 or ecdsa keys working with SSH on an ESXi Hypervisor host.  Looking in /var/log/auth.log you'll get an error like:

userauth_pubkey: signature algorithm ssh-ed25519 not in PubkeyAcceptedAlgorithms [preauth]

The reason for this is, by default ESXi will be running in FIPS compliant mode for SSH. FIPS, or specifically in this situation FIPS-140 is an American government standard for cryptographic things.  There are various incarnations of it, but crucially it's an explicit list of things like algorithms that have been approved to gain the standard.  This doesn't mean there aren't better things out there, but if you're enforcing compliance, it has to be the explicit list.  This is the situation here, we've got more modern algorithms in use, and ESXi won't accept them.

But unless you're working in an environment that mandates FIPS, you can simply turn it off and reap the benefits of progress.

esxcli system security fips140 ssh set -e false

You can verify that it has disabled with:

esxcli system security fips140 ssh get

The change is immediate, there is no need to restart SSH or reboot the host.

Breaking from the voyeuristic norms of the Internet, any comments can be made in private by contacting me.