Hello, I have some users that connect to a server with their DSA key that is of type ssh-dss. I'm migrating (installing as new) the server where they connect to CentOS 8 + updates. I was not able to connect with the keys to this new server even after having added, as found in several internet pages, this directive at the end of /etc/ssh/sshd_config of the CentOS 8 server:

    # Accept also DSA keys
    PubkeyAcceptedKeyTypes=+ssh-dss

and systemctl restart sshd. I kept getting in journal the message:

    userauth_pubkey: key type ssh-dss not in PubkeyAcceptedKeyTypes [preauth]

I saw that the sshd process had started with the option

    ... -oPubkeyAcceptedKeyTypes=rsa-sha2-256,ecdsa-sha2-nistp256,[email protected],ecdsa-sha2-nistp384,[email protected],rsa-sha2-512,ecdsa-sha2-nistp521,[email protected],ssh-ed25519,[email protected],ssh-rsa,[email protected]

So I found the unit file for sshd that refers to /etc/crypto-policies/back-ends/opensshserver.config

In the mean time I was able to reach my target by editing the /etc/sysconfig/sshd file, adding the whole line obtained from the above and adding ssh-dss:

    CRYPTO_POLICY='[email protected],[email protected],aes256-ctr,aes256-cbc,[email protected],aes128-ctr,aes128-cbc [email protected],[email protected],[email protected],[email protected],hmac-sha2-256,hmac-sha1,[email protected],hmac-sha2-512 -oGSSAPIKexAlgorithms=gss-gex-sha1-,gss-group14-sha1- -oKexAlgorithms=[email protected],ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1 -oHostKeyAlgorithms=rsa-sha2-256,ecdsa-sha2-nistp256,[email protected],ecdsa-sha2-nistp384,[email protected],rsa-sha2-512,ecdsa-sha2-nistp521,[email protected],ssh-ed25519,[email protected],ssh-rsa,[email protected] -oPubkeyAcceptedKeyTypes=rsa-sha2-256,ecdsa-sha2-nistp256,[email protected],ecdsa-sha2-nistp384,[email protected],rsa-sha2-512,ecdsa-sha2-nistp521,[email protected],ssh-ed25519,[email protected],ssh-rsa,[email protected],ssh-dss'

and now it works with pubkey authentication based on DSA keys.

Not going into the querelle of OpenSSH 7 removing DSA keys and DSA vs RSA (e.g. some considerations from some years ago here: https://security.stackexchange.com/questions/5096/rsa-vs-dsa-for-ssh-authentication-keys ), any hint on a smarter way to add it? I suppose further updates could change the content of /etc/crypto-policies/back-ends/opensshserver.config, which btw is part of crypto-policies-20181217-6.git9a35207.el8.noarch and not openssh-server-7.8p1-4.el8.x86_64.

HTH others incurring this problem, and thanks in advance for any insight/hint,

Gianluca

_______________________________________________
CentOS mailing list
[email protected]
https://lists.centos.org/mailman/listinfo/centos
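An added audit helper, written for this thread rather than taken from the post or from CentOS, that reports which public-key types sshd will accept, read either from a CRYPTO_POLICY line in the format quoted above or from the effective configuration printed by sshd -T, and flags whether ssh-dss has been enabled. The two sample inputs are constructed and shortened; the algorithm names in them are real OpenSSH names.

```shell
#!/bin/sh
# Audit the public-key types accepted by sshd on CentOS 8 and flag ssh-dss.
# Not part of the original post; samples below are constructed.

# Constructed CRYPTO_POLICY line (same shape as /etc/sysconfig/sshd and
# /etc/crypto-policies/back-ends/opensshserver.config), with ssh-dss appended.
SAMPLE_POLICY="CRYPTO_POLICY='-oCiphers=aes256-ctr,aes128-ctr -oPubkeyAcceptedKeyTypes=rsa-sha2-256,rsa-sha2-512,ssh-ed25519,ssh-rsa,ssh-dss -oHostKeyAlgorithms=ssh-ed25519'"

# Constructed excerpt of 'sshd -T' output (OpenSSH 7.8 prints lower-cased keywords).
SAMPLE_SSHD_T="port 22
pubkeyacceptedkeytypes rsa-sha2-256,ssh-ed25519,ssh-rsa
hostkeyalgorithms ssh-ed25519"

# policy_pubkey_types TEXT: print the value of -oPubkeyAcceptedKeyTypes= (empty if absent).
policy_pubkey_types() {
    printf '%s\n' "$1" | sed -n "s/.*-oPubkeyAcceptedKeyTypes=\([^ ']*\).*/\1/p"
}

# sshd_t_pubkey_types TEXT: same value, read from 'sshd -T' output.
sshd_t_pubkey_types() {
    printf '%s\n' "$1" | awk '$1 == "pubkeyacceptedkeytypes" { print $2 }'
}

# has_key_type LIST TYPE: exit 0 if TYPE is an exact member of the comma-separated LIST.
has_key_type() {
    printf ',%s,\n' "$1" | grep -qF -- ",$2,"
}

# dsa_status LIST: print whether ssh-dss is enabled; exit 1 when it is, so the
# function can gate a compliance check (OpenSSH disabled DSA by default in 7.0).
dsa_status() {
    if has_key_type "$1" ssh-dss; then
        echo "ssh-dss enabled"
        return 1
    fi
    echo "ssh-dss disabled"
    return 0
}

# Stand-alone run over the constructed samples. On a real host use, for example,
#   dsa_status "$(policy_pubkey_types "$(cat /etc/sysconfig/sshd)")"
#   dsa_status "$(sshd_t_pubkey_types "$(sshd -T)")"
dsa_status "$(policy_pubkey_types "$SAMPLE_POLICY")" || :
dsa_status "$(sshd_t_pubkey_types "$SAMPLE_SSHD_T")" || :
```

The check needs the option value from the running sshd, not just sshd_config, which is why the sshd -T reader is there: the crypto-policies command line overrides what sshd_config says.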

