Rocky Linux 9 sshd: userauth_pubkey: key type sk-ssh-ed25519@openssh.com not in PubkeyAcceptedAlgorithms [preauth]

Hello,

I encountered a strange problem recently - I cannot use my HW FIDO key to authenticate to a fresh installation of an RL9 machine - only RSA and password are working. Public keys are copied to ~/.ssh/authorized_keys, I added ssh-ed25519,ssh-ed25519-cert-v01@openssh.com,sk-ssh-ed25519@openssh.com,sk-ssh-ed25519-cert-v01@openssh.com to /etc/crypto-policies/back-ends/opensshserver.config and ran update-crypto-policies + restart, but no effect so far. I’ve even manually added the option PubkeyAcceptedAlgorithms +sk-ssh-ed25519@openssh.com to sshd_config, but also without success; ssh -Q pubkeyacceptedkeytypes still doesn’t show sk-ssh-ed25519@openssh.com. I do not have that problem on my other (older) installation of RL9 or on other similar RPM distros (Alma, Fedora). Tried the original package from ‘System/baseos’ and the hardened one from ‘security-common’ - guess I’m missing some point - what do you think about it? Any help or hint would be appreciated. Thx in advance

Check if you have FIPS mode enabled: “fips-mode-setup --check”. If it is enabled, you may want to disable it and check again: “fips-mode-setup --disable”. Note, this is 2 dashes and then check. It does not display correctly here.

The FIPS check randallb suggested is a good first step. But even without FIPS enabled, Rocky 9’s default crypto policy (DEFAULT) does not include the sk-ssh-ed25519 key type in the accepted algorithms for the SSH server.

The issue is that editing /etc/crypto-policies/back-ends/opensshserver.config directly gets overwritten when crypto policies are updated. The correct way to persist this is with a policy submodule.

Create a custom submodule that allows security key types:

cat > /etc/crypto-policies/policies/modules/SSHFIDO.pmod << 'EOF'
ssh_etm = AEAD
ssh@OpenSSH = ECDSA-SK+ ED25519-SK+
EOF

Then apply it on top of the DEFAULT policy:

update-crypto-policies --set DEFAULT:SSHFIDO

This adds the sk-ssh-ed25519 and sk-ecdsa-sha2-nistp256 key types to the allowed algorithms without weakening the rest of the crypto policy.

After applying, restart sshd:

systemctl restart sshd

Verify the allowed key types with:

sshd -T | grep pubkeyacceptedalgorithms

You should see sk-ssh-ed25519@openssh.com in the output. This approach survives system updates because the submodule is applied at the policy level rather than directly editing backend config files.

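A small check to confirm the result of the steps above, added here as an example and not part of any post in the thread. It reads the effective server configuration from `sshd -T` (what the server actually accepts; `ssh -Q` only lists what the client binary supports, regardless of configuration) and reports which FIDO/U2F key types are missing, plus a FIPS check that reads the kernel flag `fips-mode-setup --check` inspects. The sample `sshd -T` output is constructed, not captured from a real host.

```shell
# FIDO/U2F (sk-) key types a server must accept for hardware keys to work.
SK_ALGOS="sk-ssh-ed25519@openssh.com sk-ssh-ed25519-cert-v01@openssh.com sk-ecdsa-sha2-nistp256@openssh.com sk-ecdsa-sha2-nistp256-cert-v01@openssh.com"

# Read `sshd -T` output on stdin and print, one per line, every sk- algorithm
# absent from the effective PubkeyAcceptedAlgorithms list.
# Returns 0 when all are present, 1 when at least one is missing.
missing_sk_algos() {
    accepted=$(awk '$1 == "pubkeyacceptedalgorithms" { print $2 }')
    rc=0
    for algo in $SK_ALGOS; do
        case ",$accepted," in
            *",$algo,"*) ;;                      # present in the list
            *) printf '%s\n' "$algo"; rc=1 ;;    # missing: report it
        esac
    done
    return $rc
}

# True when the kernel runs in FIPS mode (the flag fips-mode-setup --check reads).
fips_enabled() {
    [ "$(cat /proc/sys/crypto/fips_enabled 2>/dev/null)" = "1" ]
}

# Constructed sample: a host whose policy omits the sk- types.
SAMPLE_WITHOUT_SK='port 22
pubkeyacceptedalgorithms ssh-ed25519,ssh-ed25519-cert-v01@openssh.com,rsa-sha2-512,rsa-sha2-256
pubkeyauthentication yes'

# Constructed sample: a host that accepts all four sk- types.
SAMPLE_WITH_SK='port 22
pubkeyacceptedalgorithms ssh-ed25519,sk-ssh-ed25519@openssh.com,sk-ssh-ed25519-cert-v01@openssh.com,sk-ecdsa-sha2-nistp256@openssh.com,sk-ecdsa-sha2-nistp256-cert-v01@openssh.com,rsa-sha2-512
pubkeyauthentication yes'

# On a real host, run as root:  sshd -T | missing_sk_algos
```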