Not possible to implement ssh-ed25519 key algorithms for SSH on ESXi hosts



Article ID: 394011


Updated On: 05-02-2025

Products

VMware vSphere ESXi

Issue/Introduction

Possible scenarios:

  • Manually adding the key algorithm to /etc/ssh/sshd_config works, but the change does not survive an ESXi reboot: sshd_config is generated from the configstore, so the setting has to be made through the configstore instead.
  • Trying to adjust the accepted public key algorithms for SSH users fails with the following error, because PubkeyAcceptedAlgorithms is not a configurable configstore property:

[root@######:~] esxcli system ssh server config set -k PubkeyAcceptedAlgorithms -v ssh-ed25519
Ignored key [pubkeyacceptedalgorithms] as it doesn't belong to the list of configurable properties

  • Adding ssh-ed25519 to "hostkeyalgorithms" with the command "esxcli system ssh server config set" has no effect.

  • Generating an ed25519 key on the host fails:
    /usr/lib/vmware/openssh/bin/ssh-keygen -t ed25519
    ED25519 keys are not allowed in FIPS mode


Environment

vSphere ESXi all versions


Cause

ed25519 is currently not supported for SSH on ESXi. The OpenSSH build shipped with ESXi runs in FIPS mode, in which ED25519 keys are not allowed, and ssh-ed25519 is not among the key algorithms that can be configured through the configstore.

The list of supported key algorithms can be obtained with the command "esxcli system ssh server config list".

The default list of key algorithms is the value of "hostkeyalgorithms":

ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,rsa-sha2-256,rsa-sha2-512


Resolution

Use only the supported key algorithms:

  • ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,rsa-sha2-256,rsa-sha2-512

Other algorithms are not supported: they are either not available in the OpenSSH build shipped with ESXi or not FIPS compliant.


Additional Information

Important!

Note that limiting or changing the key algorithms used by the SSH server on ESXi can prevent SSH clients from connecting to the ESXi host at all, since the host key algorithm is negotiated during key exchange and the client must offer at least one algorithm the server allows.

For instance, PuTTY proposes a fixed set of host key algorithms and fails with the error "Couldn't agree a host key algorithm (available: )" if none of the algorithms it proposes is allowed by ESXi.
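The following script is an added example and is not part of this article or of ESXi. Run on the administrator's workstation, it reproduces the host key algorithm negotiation described above against the default ESXi "hostkeyalgorithms" list, checks whether the local OpenSSH client can agree on an algorithm with that list, and generates a user key of a type ESXi accepts. The function names (negotiable_hostkey_algs, negotiated_hostkey_alg, check_local_openssh_client, generate_esxi_compatible_key) are the example's own; the ESXi list is the default quoted in the Cause section, and the client lists in the demo are constructed sample input.

```shell
#!/bin/sh
# Added example, not from the KB article: client-side check of SSH host key
# algorithm negotiation against an ESXi host that offers only the default
# "hostkeyalgorithms" list. Client lists used in the demo are constructed.

# Default ESXi "hostkeyalgorithms" value, as shown by
#   esxcli system ssh server config list
ESXI_DEFAULT_HOSTKEY_ALGS="ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,rsa-sha2-256,rsa-sha2-512"

# SSH selects the first algorithm in the client's proposal that the server
# also offers (RFC 4253, section 7.1). Print every client entry the server
# accepts, in client order, comma separated; print nothing when there is no
# overlap, which is the case PuTTY reports as
# "Couldn't agree a host key algorithm".
negotiable_hostkey_algs() {
    server_list="$1"
    client_list="$2"
    result=""
    old_ifs="$IFS"
    IFS=','
    for alg in $client_list; do
        case ",$server_list," in
            *",$alg,"*) result="${result:+$result,}$alg" ;;
        esac
    done
    IFS="$old_ifs"
    printf '%s' "$result"
}

# The single algorithm the connection would use (empty: key exchange fails).
negotiated_hostkey_alg() {
    negotiable_hostkey_algs "$1" "$2" | cut -d, -f1
}

# Compare the key types supported by the local OpenSSH client ("ssh -Q key")
# with the ESXi default list. Returns 1 when this client could not connect.
check_local_openssh_client() {
    if ! command -v ssh >/dev/null 2>&1; then
        echo "ssh not found on PATH" >&2
        return 2
    fi
    client_algs=$(ssh -Q key | paste -sd, -)
    common=$(negotiable_hostkey_algs "$ESXI_DEFAULT_HOSTKEY_ALGS" "$client_algs")
    if [ -z "$common" ]; then
        echo "no host key algorithm in common with the ESXi defaults" >&2
        return 1
    fi
    echo "host key algorithms usable against ESXi: $common"
}

# Generate a user key ESXi can accept for public key login. ed25519 is
# rejected on the host (not allowed in FIPS mode), so ECDSA P-521 is used
# here; an RSA key would also work since rsa-sha2-256/512 are allowed.
# Argument: output path for the private key.
generate_esxi_compatible_key() {
    ssh-keygen -t ecdsa -b 521 -N "" -C "esxi-client-key" -f "$1"
}

# Demo with a constructed client that proposes only ed25519 and DSA: this is
# the failure case described in the Additional Information section.
if [ -z "$(negotiable_hostkey_algs "$ESXI_DEFAULT_HOSTKEY_ALGS" "ssh-ed25519,ssh-dss")" ]; then
    echo "demo: an ed25519/DSA-only client cannot agree a host key algorithm with ESXi"
fi
```

Run check_local_openssh_client on each administrator workstation before tightening "hostkeyalgorithms" on a host; the same overlap check applies to PuTTY, whose proposal order is set under Connection > SSH > Host keys and must contain at least one entry from the ESXi list.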