On Saturday 14 Nov 2015 06:49:22 thelma@×××××××××××.com wrote:
> Thelma
>
> On 11/13/2015 11:08 PM, thelma@×××××××××××.com wrote:
> > I'm running: nxserver-freenx-0.7.3_p104-r7
> > After recent upgrade, system installed new stable openssh-7.1_p1-r2
> >
> > The problem is the new openssh-7.1_p1-r2 will not allow my "nxserver"
> > to connect, I get an error: Permission denied
> > (publickey,keyboard-interactive) see below:
> >
> > nxsetup --test
> > ...
> > <---- done
> >
> > ----> Testing your nxserver connection ...
> > Permission denied (publickey,keyboard-interactive).
> > Fatal error: Could not connect to NX Server.
> >
> > Please check your ssh setup:
> >
> > The following are _examples_ of what you might need to check.
> >
> > - Make sure "nx" is one of the AllowUsers in sshd_config.
> >
> > (or that the line is outcommented/not there)
> >
> > - Make sure "nx" is one of the AllowGroups in sshd_config.
> >
> > (or that the line is outcommented/not there)
> >
> > - Make sure your sshd allows public key authentication.
> > - Make sure your sshd is really running on port 22.
> > - Make sure your sshd_config AuthorizedKeysFile in sshd_config is set to
> > authorized_keys2.
> >
> > (this should be a filename not a pathname+filename)
> >
> > - Make sure you allow ssh on localhost, this could come from some
> >
> > restriction of:
> > -the tcp wrapper. Then add in /etc/hosts.allow: ALL:localhost
> >
> > -the iptables. add to it:
> > $ iptables -A INPUT -i lo -j ACCEPT
> > $ iptables -A OUTPUT -o lo -j ACCEPT
> >
> > What I should be getting is this:
> > ----> Testing your nxserver connection ...
> > HELLO NXSERVER - Version 3.2.0-74-TEAMBZR104 OS (GPL, using backend:
> > 3.5.0) NX> 105 quit
> > Quit
> > NX> 999 Bye
> > <--- done
> >
> > I did not change anything in sshd_config.
> > But I downgraded to: openssh-6.9_p1-r2 and nxserver connects OK.
> >
> > What could be the problem with new: openssh-7.1_p1-r2
>
> I think the reason is that OpenSSH 7.0 disables ssh-dss keys by default
> https://www.gentoo.org/support/news-items/2015-08-13-openssh-weak-keys.html
>
> And nxserver is using ssh-dss keys by default.
>
> I have to find a way to replace the ssh-dss key in: /etc/nxserver/
> with RSA one.
>
> Do I just run: ssh-keygen -t rsa
> and copy the key pair to /etc/nxserver/ directory?
>
> --
> Thelma

Since openssh-7.0 DSS keys are disabled and about time too!

==========================================================
if has_version "<${CATEGORY}/${PN}-7.1_p1" ; then #557388
    elog "Starting with openssh-7.0, support for ssh-dss keys were disabled due to their"
    elog "weak sizes. If you rely on these key types, you can re-enable the key types by"
    elog "adding to your sshd_config:"
    elog " PubkeyAcceptedKeyTypes=+ssh-dss"
    elog "You should however generate new keys using rsa or ed25519."
fi
==========================================================

Also SHA1 hashes are disabled and you will get errors like these when you try
to login to a server which is still using deprecated ciphers:

Unable to negotiate with XXX.XX.XXX.X: no matching host key type found. Their
offer: ssh-dss

Unable to negotiate with XXX.XX.XXX.X: no matching key exchange method found.
Their offer: diffie-hellman-group1-sha1

If this is within your LAN and therefore relatively protected, you could
specify deprecated ciphers and hashes like so:

ssh -o KexAlgorithms=+diffie-hellman-group1-sha1 -o HostKeyAlgorithms=+ssh-dss
my_user@××××××.XXX.X

Alternatively, after you create a strong prime:

ssh-keygen -t rsa -b 4096

or probably better to use ed25519:

ssh-keygen -t ed25519

HTH.
--
Regards,
Mick
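Before deciding between the PubkeyAcceptedKeyTypes stop-gap and new ed25519 keys, an admin usually wants to know how many ssh-dss keys are still in use and whether the override is already in sshd_config. The POSIX sh audit below is an added example, not code from this thread or from the openssh or nxserver projects; the authorized_keys entries, sshd_config lines and paths it uses are constructed samples, and the key blobs are truncated placeholders.

```shell
#!/bin/sh
# Added example (not from the thread): audit an authorized_keys file and an
# sshd_config for ssh-dss, which OpenSSH 7.0+ rejects by default, so affected
# keys (such as the nxserver "nx" account key) can be replaced with ed25519.
# Print "line N: <comment>" for every ssh-dss entry in an authorized_keys file.
# Options (command="...", from="...") may precede the type, so the type token
# is located as the field directly followed by the base64 blob ("AAAA...").
list_dss_keys() {
    awk '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }   # comments, blank lines
        {
            for (i = 1; i < NF; i++)
                if ($i == "ssh-dss" && $(i + 1) ~ /^AAAA/) {
                    comment = (i + 2 <= NF) ? $(i + 2) : "(no comment)"
                    print "line " NR ": " comment
                    break
                }
        }
    ' "$1"
}
# Print how many ssh-dss entries the file holds.
count_dss_keys() {
    list_dss_keys "$1" | awk 'END { print NR }'
}
# Exit 0 when sshd_config re-enables ssh-dss through the override named in the
# ebuild message (PubkeyAcceptedKeyTypes; later releases call it
# PubkeyAcceptedAlgorithms). That is the stop-gap, not the fix.
dss_reenabled() {
    grep -Eiq '^[[:space:]]*PubkeyAccepted(KeyTypes|Algorithms)[[:space:]=]+.*ssh-dss' "$1"
}
# Write constructed sample inputs into directory $1 (key blobs are truncated).
make_samples() {
    cat > "$1/authorized_keys" <<'EOF'
# constructed sample; blobs are truncated placeholders, not real keys
ssh-dss AAAAB3NzaC1kc3MAAACB_CONSTRUCTED nx@nxserver
ssh-rsa AAAAB3NzaC1yc2EAAAADAQ_CONSTRUCTED thelma@desktop
command="/usr/bin/nxserver" ssh-dss AAAAB3NzaC1kc3MAAACB_CONSTRUCTED nx@legacy
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAI_CONSTRUCTED mick@laptop
EOF
    printf '%s\n' '#PubkeyAcceptedKeyTypes=+ssh-dss' 'PubkeyAcceptedKeyTypes=+ssh-dss' > "$1/sshd_config"
}

# Stand-alone run over the constructed samples.
tmp=$(mktemp -d) && make_samples "$tmp"
list_dss_keys "$tmp/authorized_keys"
echo "ssh-dss keys to replace: $(count_dss_keys "$tmp/authorized_keys")"
dss_reenabled "$tmp/sshd_config" && echo "sshd_config still re-enables ssh-dss"
rm -rf "$tmp"
```

Point the functions at the real files (for example /etc/nxserver/ key files and /etc/ssh/sshd_config) to get the list of keys to regenerate with ssh-keygen -t ed25519.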