Gianluca Cecchi
2019-Oct-17 14:27 UTC
[CentOS] DSA key not accepted on CentOS even after enabling
Hello, I have some users that connect to a server with their DSA key that is of type ssh-dss. I'm migrating (installing as new) the server where they connect to CentOS 8 + updates. I was not able to connect with the keys to this new server even after having added, as found in several internet pages, this directive at the end of /etc/ssh/sshd_config of the CentOS 8 server: # Accept also DSA keys PubkeyAcceptedKeyTypes=+ssh-dss and systemctl restart sshd I kept getting in journal the message: userauth_pubkey: key type ssh-dss not in PubkeyAcceptedKeyTypes [preauth] I saw that the sshd process had started with the option ... -oPubkeyAcceptedKeyTypes=rsa-sha2-256,ecdsa-sha2-nistp256, ecdsa-sha2-nistp256-cert-v01 at openssh.com,ecdsa-sha2-nistp384, ecdsa-sha2-nistp384-cert-v01 at openssh.com,rsa-sha2-512,ecdsa-sha2-nistp521, ecdsa-sha2-nistp521-cert-v01 at openssh.com,ssh-ed25519, ssh-ed25519-cert-v01 at openssh.com,ssh-rsa,ssh-rsa-cert-v01 at openssh.com So I found the unit file for sshd that refers to /etc/crypto-policies/back-ends/opensshserver.config In the mean time I was able to reach my target going and editing the /etc/sysconfig/sshd file adding the whole line obtained from the above and adding ssh-dss CRYPTO_POLICY='-oCiphers=aes256-gcm at openssh.com, chacha20-poly1305 at openssh.com,aes256-ctr,aes256-cbc,aes128-gcm at openssh.com,aes128-ctr,aes128-cbc -oMACs=hmac-sha2-256-etm at openssh.com,hmac-sha1-etm at openssh.com, umac-128-etm at openssh.com,hmac-sha2-512-etm at openssh.com ,hmac-sha2-256,hmac-sha1,umac-128 at openssh.com,hmac-sha2-512 -oGSSAPIKexAlgorithms=gss-gex-sha1-,gss-group14-sha1- -oKexAlgorithmscurve25519-sha256 at libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1 -oHostKeyAlgorithms=rsa-sha2-256,ecdsa-sha2-nistp256, ecdsa-sha2-nistp256-cert-v01 at openssh.com,ecdsa-sha2-nistp384, ecdsa-sha2-nistp384-cert-v01 at openssh.com,rsa-sha2-512,ecdsa-sha2-nistp521, ecdsa-sha2-nistp521-cert-v01 at openssh.com,ssh-ed25519, ssh-ed25519-cert-v01 at openssh.com,ssh-rsa,ssh-rsa-cert-v01 at openssh.com -oPubkeyAcceptedKeyTypes=rsa-sha2-256,ecdsa-sha2-nistp256, ecdsa-sha2-nistp256-cert-v01 at openssh.com,ecdsa-sha2-nistp384, ecdsa-sha2-nistp384-cert-v01 at openssh.com,rsa-sha2-512,ecdsa-sha2-nistp521, ecdsa-sha2-nistp521-cert-v01 at openssh.com,ssh-ed25519, ssh-ed25519-cert-v01 at openssh.com,ssh-rsa,ssh-rsa-cert-v01 at openssh.com ,ssh-dss' and now it works with pubkey authentication based on DSA keys. Not going to the querelle of OpenSSH 7 removing DSA keys and DSA vs RSA (eg. some considerations by some years ago here: https://security.stackexchange.com/questions/5096/rsa-vs-dsa-for-ssh-authentication-keys ), any hint on smarter way to add? I suppose further updates could change content of /etc/crypto-policies/back-ends/opensshserver.config that btw is part of crypto-policies-20181217-6.git9a35207.el8.noarch and not openssh-server-7.8p1-4.el8.x86_64 HIH others incurring in this problem and thanks in advance for any insight/hint, Gianluca
Johnny Hughes
2019-Oct-17 16:15 UTC
[CentOS] DSA key not accepted on CentOS even after enabling
PubkeyAcceptedKeyTypes=+ssh-dss You also need that ^^ in their client if they are running on el8 machine as well .. i needed to put it in my ~/.ssh/config when connecting FROM an el8 machine to somewhere else. On 10/17/19 9:27 AM, Gianluca Cecchi wrote:> Hello, > I have some users that connect to a server with their DSA key that is of > type ssh-dss. > I'm migrating (installing as new) the server where they connect to CentOS 8 > + updates. > I was not able to connect with the keys to this new server even after > having added, as found in several internet pages, this directive at the end > of /etc/ssh/sshd_config of the CentOS 8 server: > > # Accept also DSA keys > PubkeyAcceptedKeyTypes=+ssh-dss > > and > systemctl restart sshd > > I kept getting in journal the message: > userauth_pubkey: key type ssh-dss not in PubkeyAcceptedKeyTypes [preauth] > > I saw that the sshd process had started with the option > ... -oPubkeyAcceptedKeyTypes=rsa-sha2-256,ecdsa-sha2-nistp256, > ecdsa-sha2-nistp256-cert-v01 at openssh.com,ecdsa-sha2-nistp384, > ecdsa-sha2-nistp384-cert-v01 at openssh.com,rsa-sha2-512,ecdsa-sha2-nistp521, > ecdsa-sha2-nistp521-cert-v01 at openssh.com,ssh-ed25519, > ssh-ed25519-cert-v01 at openssh.com,ssh-rsa,ssh-rsa-cert-v01 at openssh.com > > So I found the unit file for sshd that refers > to /etc/crypto-policies/back-ends/opensshserver.config > In the mean time I was able to reach my target going and editing the > /etc/sysconfig/sshd file adding the whole line obtained from the above and > adding ssh-dss > > CRYPTO_POLICY='-oCiphers=aes256-gcm at openssh.com, > chacha20-poly1305 at openssh.com,aes256-ctr,aes256-cbc,aes128-gcm at openssh.com,aes128-ctr,aes128-cbc > -oMACs=hmac-sha2-256-etm at openssh.com,hmac-sha1-etm at openssh.com, > umac-128-etm at openssh.com,hmac-sha2-512-etm at openssh.com > ,hmac-sha2-256,hmac-sha1,umac-128 at openssh.com,hmac-sha2-512 > -oGSSAPIKexAlgorithms=gss-gex-sha1-,gss-group14-sha1- -oKexAlgorithms> curve25519-sha256 at libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1 > -oHostKeyAlgorithms=rsa-sha2-256,ecdsa-sha2-nistp256, > ecdsa-sha2-nistp256-cert-v01 at openssh.com,ecdsa-sha2-nistp384, > ecdsa-sha2-nistp384-cert-v01 at openssh.com,rsa-sha2-512,ecdsa-sha2-nistp521, > ecdsa-sha2-nistp521-cert-v01 at openssh.com,ssh-ed25519, > ssh-ed25519-cert-v01 at openssh.com,ssh-rsa,ssh-rsa-cert-v01 at openssh.com > -oPubkeyAcceptedKeyTypes=rsa-sha2-256,ecdsa-sha2-nistp256, > ecdsa-sha2-nistp256-cert-v01 at openssh.com,ecdsa-sha2-nistp384, > ecdsa-sha2-nistp384-cert-v01 at openssh.com,rsa-sha2-512,ecdsa-sha2-nistp521, > ecdsa-sha2-nistp521-cert-v01 at openssh.com,ssh-ed25519, > ssh-ed25519-cert-v01 at openssh.com,ssh-rsa,ssh-rsa-cert-v01 at openssh.com > ,ssh-dss' > > and now it works with pubkey authentication based on DSA keys. > Not going to the querelle of OpenSSH 7 removing DSA keys and DSA vs RSA > (eg. some considerations by some years ago here: > https://security.stackexchange.com/questions/5096/rsa-vs-dsa-for-ssh-authentication-keys > ), > any hint on smarter way to add? > I suppose further updates could change content > of /etc/crypto-policies/back-ends/opensshserver.config that btw is part > of crypto-policies-20181217-6.git9a35207.el8.noarch and > not openssh-server-7.8p1-4.el8.x86_64 > > HIH others incurring in this problem and thanks in advance for any > insight/hint, > Gianluca > _______________________________________________ > CentOS mailing list > CentOS at centos.org > https://lists.centos.org/mailman/listinfo/centos >-------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 198 bytes Desc: OpenPGP digital signature URL: <http://lists.centos.org/pipermail/centos/attachments/20191017/32481aaf/attachment-0002.sig>
Gianluca Cecchi
2019-Oct-17 19:43 UTC
[CentOS] DSA key not accepted on CentOS even after enabling
Il Gio 17 Ott 2019, 18:15 Johnny Hughes <johnny at centos.org> ha scritto:> PubkeyAcceptedKeyTypes=+ssh-dss > > You also need that ^^ in their client if they are running on el8 machine > as well .. i needed to put it in my ~/.ssh/config when connecting FROM > an el8 machine to somewhere else. >Yes, true. Thanks for noticing, Johnny. It's not my case in this particular situation, but I have already done it on my Fedora 30 client in another context. Gianluca>
Apparently Analagous Threads
- DSA key not accepted on CentOS even after enabling
- dbus issue on centos 7 as a lxc container
- Debian Stretch 9.6: openssh-server and old dropbear client don't work togheter
- ssh-ed25519 and ecdsa-sha2-nistp256 host keys
- [Bug 3691] New: Connection to localhost succeeds with disabled MAC