I have already done some research online, and the best solution seems to be using a better algorithm to generate new key pairs. But right now I still need to use ssh-dss key pairs for internal automation.

(I know that since OpenSSH 7.0, ssh-dss is disabled by default; we need to explicitly add `PubkeyAcceptedKeyTypes +ssh-dss` to the ssh configuration to re-enable it.)
Environment:

```
OpenSSH_8.0p1, OpenSSL 1.1.1c FIPS  28 May 2019
Linux hostname 5.1.19-300.fc30.x86_64 #1 SMP Mon Jul 22 16:32:45 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux
```
Here is the checklist for what I have done so far:

- Create a user with a password (some posts said that it might need a password).
- Create the `.ssh` folder, put the public key in `.ssh/authorized_keys`, and make sure they have 700 and 600 permissions and the right owner rather than root.
- Check `/etc/ssh/sshd_config`, make sure that we have `PubkeyAuthentication yes` (usually it's the default value).
- Explicitly enable `ssh-dss`:
  - Add `PubkeyAcceptedKeyTypes +ssh-dss` in `/etc/ssh/sshd_config` on the server.
  - Add `PubkeyAcceptedKeyTypes +ssh-dss` in `~/.ssh/config` on both server and client sides.
- Restart the sshd service to pick up the new change.
However, I was still asked for a password.

- Check `/var/log/secure`, I see:

```
userauth_pubkey: key type ssh-dss not in PubkeyAcceptedKeyTypes
```

- Check `ssh -Q key`:

```
ssh-ed25519
ssh-ed25519-cert-v01@openssh.com
ssh-rsa
ssh-dss
ecdsa-sha2-nistp256
ecdsa-sha2-nistp384
ecdsa-sha2-nistp521
ssh-rsa-cert-v01@openssh.com
ssh-dss-cert-v01@openssh.com
ecdsa-sha2-nistp256-cert-v01@openssh.com
ecdsa-sha2-nistp384-cert-v01@openssh.com
ecdsa-sha2-nistp521-cert-v01@openssh.com
```

It looks like `ssh-dss` should be in the list already, so why do I still see that error when I ssh with the private key file?

I did not get much more information from `/var/log/secure` after I set the ssh log level to `VERBOSE`:

```
Jul 28 18:40:44 re-pkg-fedora30 sshd[1374]: Connection from 10.32.34.60 port 63863 on 10.140.143.132 port 22
Jul 28 18:40:44 re-pkg-fedora30 sshd[1374]: Failed publickey for mambop from 10.32.34.60 port 63863 ssh2: RSA SHA256:7EgHyu1SFM76cXlMGxHcvqg/C2xqbfbrQCfX5WCnOgc
Jul 28 18:40:44 re-pkg-fedora30 sshd[1374]: userauth_pubkey: key type ssh-dss not in PubkeyAcceptedKeyTypes [preauth]
Jul 28 18:40:45 re-pkg-fedora30 sshd[1374]: Connection closed by authenticating user mambop 10.32.34.60 port 63863 [preauth]
```
`/etc/ssh/sshd_config` file have the lines `PasswordAuthentication no` and `ChallengeResponseAuthentication no` in it? Cause if so you shouldn't get a password prompt whether the pubkey auth fails or not. Also, have you made sure the client side config (`/etc/ssh/ssh_config` or `~/.ssh/config`) has also had the necessary key types enabled?

`userauth_pubkey: key type ssh-dss not in PubkeyAcceptedKeyTypes` `HostKeyAlgorithms +ssh-dss` to your `~/.ssh/config` file.

`ssh -Q key` my openssh installations all list `ssh-dss` as a supported key algorithm despite it being rather thoroughly and explicitly disabled in my configs (my openssh servers and clients are heavily hardened). So apparently that command's output isn't reliable for showing current configuration.