Rootserver Sponsor

webtropia"

Donations

Please support your operating system's further development:

donate"

Post new topic   Reply to topic
View previous topic Printable version Log in to check your private messages View next topic
Author Message
finottiOffline
Post subject: [SOLVED] SSH passwordless login stopped working  PostPosted: 03.12.2015, 14:38



Joined: 2010-09-12
Posts: 470

Status: Offline
I've just updated my system and now passworless login with SSH stopped working.

      Code:

# apt-cache policy openssh-client
openssh-client:
  Installed: 1:7.1p1-1
  Candidate: 1:7.1p1-1
  Version table:
 *** 1:7.1p1-1 500
        500 http://httpredir.debian.org/debian sid/main amd64 Packages
        100 /var/lib/dpkg/status
     1:6.9p1-3 500
        500 http://http.debian.net/debian testing/main amd64 Packages


Version 1:6.9p1-3, running on my home desktop, works.

If anyone knows a fix (other than waiting for a new updated), I'd appreciate it.


Last edited by finotti on 03.12.2015, 14:49; edited 1 time in total
 
 View user's profile Send private message  
Reply with quote Back to top
finottiOffline
Post subject: RE: SSH passwordless login stopped working  PostPosted: 03.12.2015, 14:49



Joined: 2010-09-12
Posts: 470

Status: Offline
OK more info.

      Code:

$ ssh -v desk
[...]
debug1: Skipping ssh-dss key /home/finotti/.ssh/id_dsa for not in PubkeyAcceptedKeyTypes
[...]


So, maybe DSA keys are now considered insecure?

Adding
      Code:

PubkeyAcceptedKeyTypes ssh-dss


to .ssh/config fixes it, but maybe it would be better to change the keys... (Can someone confirm this?)

EDIT: FYI, RSA keys work.
 
 View user's profile Send private message  
Reply with quote Back to top
peekabooOffline
Post subject: RE: SSH passwordless login stopped working  PostPosted: 05.12.2015, 20:22



Joined: 2015-12-05
Posts: 1
Location: Germay
Status: Offline
Hi,

According to bettercrypto.org, DSA should not be used anymore for SSH. See chapter 2.2 Applied Crypto Hardening Paper at » https://bettercrypto.org/ «.
So it's likely DSA has been removed completely now starting with OpenSSH 7.

Regards!
 
 View user's profile Send private message  
Reply with quote Back to top
slhOffline
Post subject: RE: SSH passwordless login stopped working  PostPosted: 05.12.2015, 21:49



Joined: 2010-08-25
Posts: 949

Status: Offline
Just to end (part of-) the speculation, have a look at the package changelog (/usr/share/doc/openssh-server/changelog.Debian.gz):
      Code:
openssh (1:7.1p1-1) unstable; urgency=medium

  * New upstream release (http://www.openssh.com/txt/release-7.0, closes:
    #785190):
    - Support for the legacy SSH version 1 protocol is disabled by default
      at compile time.
    - Support for the 1024-bit diffie-hellman-group1-sha1 key exchange is
      disabled by default at run-time.  It may be re-enabled using the
      instructions at http://www.openssh.com/legacy.html
    - Support for ssh-dss, ssh-dss-cert-* host and user keys is disabled by
      default at run-time.  These may be re-enabled using the instructions
      at http://www.openssh.com/legacy.html
    - Support for the legacy v00 cert format has been removed.
    - The default for the sshd_config(5) PermitRootLogin option has changed
      from "yes" to "prohibit-password".
    - PermitRootLogin=without-password/prohibit-password now bans all
      interactive authentication methods, allowing only public-key,
      hostbased and GSSAPI authentication (previously it permitted
      keyboard-interactive and password-less authentication if those were
      enabled).
    - ssh_config(5): Add PubkeyAcceptedKeyTypes option to control which
      public key types are available for user authentication.
    - sshd_config(5): Add HostKeyAlgorithms option to control which public
      key types are offered for host authentications.
    - ssh(1), sshd(8): Extend Ciphers, MACs, KexAlgorithms,
      HostKeyAlgorithms, PubkeyAcceptedKeyTypes and HostbasedKeyTypes
      options to allow appending to the default set of algorithms instead of
      replacing it.  Options may now be prefixed with a '+' to append to the
      default, e.g. "HostKeyAlgorithms=+ssh-dss".
    - sshd_config(5): PermitRootLogin now accepts an argument of
      'prohibit-password' as a less-ambiguous synonym of 'without-
      password'.
    - ssh(1), sshd(8): Add compatability workarounds for Cisco and more
      PuTTY versions.
    - Fix some omissions and errors in the PROTOCOL and PROTOCOL.mux
      documentation relating to Unix domain socket forwarding.
    - ssh(1): Improve the ssh(1) manual page to include a better description
      of Unix domain socket forwarding (closes: #779068).
    - ssh(1), ssh-agent(1): Skip uninitialised PKCS#11 slots, fixing
      failures to load keys when they are present.
    - ssh(1), ssh-agent(1): Do not ignore PKCS#11 hosted keys that wth empty
      CKA_ID.
    - sshd(8): Clarify documentation for UseDNS option.
    - Check realpath(3) behaviour matches what sftp-server requires and use
      a replacement if necessary.
  * New upstream release (http://www.openssh.com/txt/release-7.1):
    - sshd(8): OpenSSH 7.0 contained a logic error in PermitRootLogin=
      prohibit-password/without-password that could, depending on
      compile-time configuration, permit password authentication to root
      while preventing other forms of authentication.  This problem was
      reported by Mantas Mikulenas.
    - ssh(1), sshd(8): Add compatibility workarounds for FuTTY.
    - ssh(1), sshd(8): Refine compatibility workarounds for WinSCP.
    - Fix a number of memory faults (double-free, free of uninitialised
      memory, etc) in ssh(1) and ssh-keygen(1).  Reported by Mateusz
      Kocielski.
  * Change "PermitRootLogin without-password" to the new preferred spelling
    of "PermitRootLogin prohibit-password" in sshd_config, and update
    documentation to reflect the new upstream default.
  * Enable conch interoperability tests under autopkgtest.

 -- Colin Watson <xxx>  Wed, 02 Dec 2015 20:18:35 +0000
 
 View user's profile Send private message  
Reply with quote Back to top
finottiOffline
Post subject: RE: SSH passwordless login stopped working  PostPosted: 06.12.2015, 13:43



Joined: 2010-09-12
Posts: 470

Status: Offline
Thanks for confirming it! I've changed my keys to RSA.
 
 View user's profile Send private message  
Reply with quote Back to top
LatOffline
Post subject: RE: SSH passwordless login stopped working  PostPosted: 06.12.2015, 15:55



Joined: 2010-09-19
Posts: 204

Status: Offline
How do I check if I have DSA, and how do I convert it RSA?
 
 View user's profile Send private message  
Reply with quote Back to top
slhOffline
Post subject: RE: SSH passwordless login stopped working  PostPosted: 06.12.2015, 23:35



Joined: 2010-08-25
Posts: 949

Status: Offline
Look into the key-files under ~/.ssh/, you'll see "-----BEGIN RSA PRIVATE KEY-----" or "ssh-rsa" for the public key, compared to "-----BEGIN DSA PRIVATE KEY-----" or "ssh-dss" respectively; most of the time, the key naming will also tell you.
 
 View user's profile Send private message  
Reply with quote Back to top
LatOffline
Post subject: RE: SSH passwordless login stopped working  PostPosted: 12.12.2015, 11:41



Joined: 2010-09-19
Posts: 204

Status: Offline
Thank you
 
 View user's profile Send private message  
Reply with quote Back to top
Display posts from previous:     
Jump to:  
All times are GMT - 12 Hours
Post new topic   Reply to topic
View previous topic Printable version Log in to check your private messages View next topic
Powered by Zafenio