CentOS - Oct 2019 - DSA key not accepted on CentOS even after enabling

Hello,
I have some users that connect to a server with their DSA key that is of
type ssh-dss.
I'm migrating (installing as new) the server where they connect to CentOS 8
+ updates.
I was not able to connect with the keys to this new server even after
having added, as found in several internet pages, this directive at the end
of /etc/ssh/sshd_config of the CentOS 8 server:

# Accept also DSA keys
PubkeyAcceptedKeyTypes=+ssh-dss

and
systemctl restart sshd

I kept getting in journal the message:
userauth_pubkey: key type ssh-dss not in PubkeyAcceptedKeyTypes [preauth]

I saw that the sshd process had started with the option
... -oPubkeyAcceptedKeyTypes=rsa-sha2-256,ecdsa-sha2-nistp256,
ecdsa-sha2-nistp256-cert-v01 at openssh.com,ecdsa-sha2-nistp384,
ecdsa-sha2-nistp384-cert-v01 at openssh.com,rsa-sha2-512,ecdsa-sha2-nistp521,
ecdsa-sha2-nistp521-cert-v01 at openssh.com,ssh-ed25519,
ssh-ed25519-cert-v01 at openssh.com,ssh-rsa,ssh-rsa-cert-v01 at openssh.com

So I found the unit file for sshd that refers
to /etc/crypto-policies/back-ends/opensshserver.config
In the mean time I was able to reach my target going and editing the
/etc/sysconfig/sshd file adding the whole line obtained from the above and
adding ssh-dss

CRYPTO_POLICY='-oCiphers=aes256-gcm at openssh.com,
chacha20-poly1305 at openssh.com,aes256-ctr,aes256-cbc,aes128-gcm at
openssh.com,aes128-ctr,aes128-cbc
-oMACs=hmac-sha2-256-etm at openssh.com,hmac-sha1-etm at openssh.com,
umac-128-etm at openssh.com,hmac-sha2-512-etm at openssh.com
,hmac-sha2-256,hmac-sha1,umac-128 at openssh.com,hmac-sha2-512
-oGSSAPIKexAlgorithms=gss-gex-sha1-,gss-group14-sha1-
-oKexAlgorithmscurve25519-sha256 at
libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1
-oHostKeyAlgorithms=rsa-sha2-256,ecdsa-sha2-nistp256,
ecdsa-sha2-nistp256-cert-v01 at openssh.com,ecdsa-sha2-nistp384,
ecdsa-sha2-nistp384-cert-v01 at openssh.com,rsa-sha2-512,ecdsa-sha2-nistp521,
ecdsa-sha2-nistp521-cert-v01 at openssh.com,ssh-ed25519,
ssh-ed25519-cert-v01 at openssh.com,ssh-rsa,ssh-rsa-cert-v01 at openssh.com
-oPubkeyAcceptedKeyTypes=rsa-sha2-256,ecdsa-sha2-nistp256,
ecdsa-sha2-nistp256-cert-v01 at openssh.com,ecdsa-sha2-nistp384,
ecdsa-sha2-nistp384-cert-v01 at openssh.com,rsa-sha2-512,ecdsa-sha2-nistp521,
ecdsa-sha2-nistp521-cert-v01 at openssh.com,ssh-ed25519,
ssh-ed25519-cert-v01 at openssh.com,ssh-rsa,ssh-rsa-cert-v01 at openssh.com
,ssh-dss'

and now it works with pubkey authentication based on DSA keys.
Not going to the querelle of OpenSSH 7 removing DSA keys and DSA vs RSA
(eg. some considerations by some years ago here:
https://security.stackexchange.com/questions/5096/rsa-vs-dsa-for-ssh-authentication-keys
),
any hint on smarter way to add?
I suppose further updates could change content
of  /etc/crypto-policies/back-ends/opensshserver.config that btw is part
of crypto-policies-20181217-6.git9a35207.el8.noarch and
not openssh-server-7.8p1-4.el8.x86_64

HIH others incurring in this problem and thanks in advance for any
insight/hint,
Gianluca

PubkeyAcceptedKeyTypes=+ssh-dss

You also need that ^^ in their client if they are running on el8 machine
as well .. i needed to put it in my ~/.ssh/config when connecting FROM
an el8 machine to somewhere else.

On 10/17/19 9:27 AM, Gianluca Cecchi wrote:
> Hello,
> I have some users that connect to a server with their DSA key that is of
> type ssh-dss.
> I'm migrating (installing as new) the server where they connect to
CentOS 8
> + updates.
> I was not able to connect with the keys to this new server even after
> having added, as found in several internet pages, this directive at the end
> of /etc/ssh/sshd_config of the CentOS 8 server:
> 
> # Accept also DSA keys
> PubkeyAcceptedKeyTypes=+ssh-dss
> 
> and
> systemctl restart sshd
> 
> I kept getting in journal the message:
> userauth_pubkey: key type ssh-dss not in PubkeyAcceptedKeyTypes [preauth]
> 
> I saw that the sshd process had started with the option
> ... -oPubkeyAcceptedKeyTypes=rsa-sha2-256,ecdsa-sha2-nistp256,
> ecdsa-sha2-nistp256-cert-v01 at openssh.com,ecdsa-sha2-nistp384,
> ecdsa-sha2-nistp384-cert-v01 at
openssh.com,rsa-sha2-512,ecdsa-sha2-nistp521,
> ecdsa-sha2-nistp521-cert-v01 at openssh.com,ssh-ed25519,
> ssh-ed25519-cert-v01 at openssh.com,ssh-rsa,ssh-rsa-cert-v01 at openssh.com
> 
> So I found the unit file for sshd that refers
> to /etc/crypto-policies/back-ends/opensshserver.config
> In the mean time I was able to reach my target going and editing the
> /etc/sysconfig/sshd file adding the whole line obtained from the above and
> adding ssh-dss
> 
> CRYPTO_POLICY='-oCiphers=aes256-gcm at openssh.com,
> chacha20-poly1305 at openssh.com,aes256-ctr,aes256-cbc,aes128-gcm at
openssh.com,aes128-ctr,aes128-cbc
> -oMACs=hmac-sha2-256-etm at openssh.com,hmac-sha1-etm at openssh.com,
> umac-128-etm at openssh.com,hmac-sha2-512-etm at openssh.com
> ,hmac-sha2-256,hmac-sha1,umac-128 at openssh.com,hmac-sha2-512
> -oGSSAPIKexAlgorithms=gss-gex-sha1-,gss-group14-sha1- -oKexAlgorithms>
curve25519-sha256 at
libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1
> -oHostKeyAlgorithms=rsa-sha2-256,ecdsa-sha2-nistp256,
> ecdsa-sha2-nistp256-cert-v01 at openssh.com,ecdsa-sha2-nistp384,
> ecdsa-sha2-nistp384-cert-v01 at
openssh.com,rsa-sha2-512,ecdsa-sha2-nistp521,
> ecdsa-sha2-nistp521-cert-v01 at openssh.com,ssh-ed25519,
> ssh-ed25519-cert-v01 at openssh.com,ssh-rsa,ssh-rsa-cert-v01 at openssh.com
> -oPubkeyAcceptedKeyTypes=rsa-sha2-256,ecdsa-sha2-nistp256,
> ecdsa-sha2-nistp256-cert-v01 at openssh.com,ecdsa-sha2-nistp384,
> ecdsa-sha2-nistp384-cert-v01 at
openssh.com,rsa-sha2-512,ecdsa-sha2-nistp521,
> ecdsa-sha2-nistp521-cert-v01 at openssh.com,ssh-ed25519,
> ssh-ed25519-cert-v01 at openssh.com,ssh-rsa,ssh-rsa-cert-v01 at openssh.com
> ,ssh-dss'
> 
> and now it works with pubkey authentication based on DSA keys.
> Not going to the querelle of OpenSSH 7 removing DSA keys and DSA vs RSA
> (eg. some considerations by some years ago here:
>
https://security.stackexchange.com/questions/5096/rsa-vs-dsa-for-ssh-authentication-keys
> ),
> any hint on smarter way to add?
> I suppose further updates could change content
> of  /etc/crypto-policies/back-ends/opensshserver.config that btw is part
> of crypto-policies-20181217-6.git9a35207.el8.noarch and
> not openssh-server-7.8p1-4.el8.x86_64
> 
> HIH others incurring in this problem and thanks in advance for any
> insight/hint,
> Gianluca
> _______________________________________________
> CentOS mailing list
> CentOS at centos.org
> https://lists.centos.org/mailman/listinfo/centos
> 

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 198 bytes
Desc: OpenPGP digital signature
URL:
<http://lists.centos.org/pipermail/centos/attachments/20191017/32481aaf/attachment-0002.sig>

Il Gio 17 Ott 2019, 18:15 Johnny Hughes <johnny at centos.org> ha scritto:
> PubkeyAcceptedKeyTypes=+ssh-dss
>
> You also need that ^^ in their client if they are running on el8 machine
> as well .. i needed to put it in my ~/.ssh/config when connecting FROM
> an el8 machine to somewhere else.
>
Yes, true. Thanks for noticing, Johnny.
It's not my case in this particular situation, but I have already done it
on my Fedora 30 client in another context.
Gianluca
>