| 1 |
On Saturday 14 Nov 2015 06:49:22 thelma@×××××××××××.com wrote: |
| 2 |
> Thelma |
| 3 |
> |
| 4 |
> On 11/13/2015 11:08 PM, thelma@×××××××××××.com wrote: |
| 5 |
> > I'm running: nxserver-freenx-0.7.3_p104-r7 |
| 6 |
> > After recent upgrade, system installed new stable openssh-7.1_p1-r2 |
| 7 |
> > |
| 8 |
> > The problem is the new openssh-7.1_p1-r2 will not allow my my "nxserver" |
| 9 |
> > to connect, I get an error: Permission denied |
| 10 |
> > (publickey,keyboard-interactive) see below: |
| 11 |
> > |
| 12 |
> > nxsetup --test |
| 13 |
> > ... |
| 14 |
> > <---- done |
| 15 |
> > |
| 16 |
> > ----> Testing your nxserver connection ... |
| 17 |
> > Permission denied (publickey,keyboard-interactive). |
| 18 |
> > Fatal error: Could not connect to NX Server. |
| 19 |
> > |
| 20 |
> > Please check your ssh setup: |
| 21 |
> > |
| 22 |
> > The following are _examples_ of what you might need to check. |
| 23 |
> > |
| 24 |
> > - Make sure "nx" is one of the AllowUsers in sshd_config. |
| 25 |
> > |
| 26 |
> > (or that the line is outcommented/not there) |
| 27 |
> > |
| 28 |
> > - Make sure "nx" is one of the AllowGroups in sshd_config. |
| 29 |
> > |
| 30 |
> > (or that the line is outcommented/not there) |
| 31 |
> > |
| 32 |
> > - Make sure your sshd allows public key authentication. |
| 33 |
> > - Make sure your sshd is really running on port 22. |
| 34 |
> > - Make sure your sshd_config AuthorizedKeysFile in sshd_config is set |
| 35 |
to |
| 36 |
> > authorized_keys2. |
| 37 |
> > |
| 38 |
> > (this should be a filename not a pathname+filename) |
| 39 |
> > |
| 40 |
> > - Make sure you allow ssh on localhost, this could come from some |
| 41 |
> > |
| 42 |
> > restriction of: |
| 43 |
> > -the tcp wrapper. Then add in /etc/hosts.allow: ALL:localhost |
| 44 |
> > |
| 45 |
> > -the iptables. add to it: |
| 46 |
> > $ iptables -A INPUT -i lo -j ACCEPT |
| 47 |
> > $ iptables -A OUTPUT -o lo -j ACCEPT |
| 48 |
> > |
| 49 |
> > What I should be getting is this: |
| 50 |
> > ----> Testing your nxserver connection ... |
| 51 |
> > HELLO NXSERVER - Version 3.2.0-74-TEAMBZR104 OS (GPL, using backend: |
| 52 |
> > 3.5.0) NX> 105 quit |
| 53 |
> > Quit |
| 54 |
> > NX> 999 Bye |
| 55 |
> > <--- done |
| 56 |
> > |
| 57 |
> > I did not change anything in sshd_config. |
| 58 |
> > But I downgraded to: openssh-6.9_p1-r2 and nxserver connects OK. |
| 59 |
> > |
| 60 |
> > What could be the problem with new: openssh-7.1_p1-r2 |
| 61 |
> |
| 62 |
> I think the reason is that OpenSSH 7.0 disables ssh-dss keys by default |
| 63 |
> https://www.gentoo.org/support/news-items/2015-08-13-openssh-weak-keys.html |
| 64 |
> |
| 65 |
> And and nxserver is using ssh-dss keys by default. |
| 66 |
> |
| 67 |
> I have to find a way a way to replace the ssh-dss key in: /etc/nxserver/ |
| 68 |
> with RSA one. |
| 69 |
> |
| 70 |
> Do I just run: ssh-keygen -t rsa |
| 71 |
> and copy the key pair to /etc/nxserver/ directory? |
| 72 |
> |
| 73 |
> -- |
| 74 |
> Thelma |
| 75 |
|
| 76 |
Since openssh-7.0 DSS keys are disabled and about time too! |
| 77 |
|
| 78 |
========================================================== |
| 79 |
if has_version "<${CATEGORY}/${PN}-7.1_p1" ; then #557388 |
| 80 |
elog "Starting with openssh-7.0, support for ssh-dss keys were |
| 81 |
disabled due to their" |
| 82 |
elog "weak sizes. If you rely on these key types, you can re-enable |
| 83 |
the key types by" |
| 84 |
elog "adding to your sshd_config:" |
| 85 |
elog " PubkeyAcceptedKeyTypes=+ssh-dss" |
| 86 |
elog "You should however generate new keys using rsa or ed25519." |
| 87 |
fi |
| 88 |
========================================================== |
| 89 |
|
| 90 |
|
| 91 |
Also SHA1 hashes are disabled and you will get errors like these when you try |
| 92 |
to login to a server which is still using deprecated ciphers: |
| 93 |
|
| 94 |
Unable to negotiate with XXX.XX.XXX.X: no matching host key type found. Their |
| 95 |
offer: ssh-dss |
| 96 |
|
| 97 |
Unable to negotiate with XXX.XX.XXX.X: no matching key exchange method found. |
| 98 |
Their offer: diffie-hellman-group1-sha1 |
| 99 |
|
| 100 |
If this is within your LAN and therefore relatively protected, you could |
| 101 |
specify deprecated ciphers and hashes like so: |
| 102 |
|
| 103 |
ssh -o KexAlgorithms=+diffie-hellman-group1-sha1 -o HostKeyAlgorithms=+ssh-dss |
| 104 |
my_user@××××××.XXX.X |
| 105 |
|
| 106 |
|
| 107 |
Alternatively, after you create a strong prime: |
| 108 |
|
| 109 |
ssh-keygen -t rsa -b 4096 |
| 110 |
|
| 111 |
|
| 112 |
or probably better to use ed25519: |
| 113 |
|
| 114 |
ssh-keygen -t ed25519 |
| 115 |
|
| 116 |
HTH. |
| 117 |
-- |
| 118 |
Regards, |
| 119 |
Mick |
Archives