| 1 |
On 11/14/2015 04:11 AM, Mick wrote: |
| 2 |
[snip] |
| 3 |
> |
| 4 |
> Since openssh-7.0 DSS keys are disabled and about time too! |
| 5 |
> |
| 6 |
> ========================================================== |
| 7 |
> if has_version "<${CATEGORY}/${PN}-7.1_p1" ; then #557388 |
| 8 |
> elog "Starting with openssh-7.0, support for ssh-dss keys were |
| 9 |
> disabled due to their" |
| 10 |
> elog "weak sizes. If you rely on these key types, you can re-enable |
| 11 |
> the key types by" |
| 12 |
> elog "adding to your sshd_config:" |
| 13 |
> elog " PubkeyAcceptedKeyTypes=+ssh-dss" |
| 14 |
> elog "You should however generate new keys using rsa or ed25519." |
| 15 |
> fi |
| 16 |
> ========================================================== |
| 17 |
> |
| 18 |
> |
| 19 |
> Also SHA1 hashes are disabled and you will get errors like these when you try |
| 20 |
> to login to a server which is still using deprecated ciphers: |
| 21 |
> |
| 22 |
> Unable to negotiate with XXX.XX.XXX.X: no matching host key type found. Their |
| 23 |
> offer: ssh-dss |
| 24 |
> |
| 25 |
> Unable to negotiate with XXX.XX.XXX.X: no matching key exchange method found. |
| 26 |
> Their offer: diffie-hellman-group1-sha1 |
| 27 |
> |
| 28 |
> If this is within your LAN and therefore relatively protected, you could |
| 29 |
> specify deprecated ciphers and hashes like so: |
| 30 |
> |
| 31 |
> ssh -o KexAlgorithms=+diffie-hellman-group1-sha1 -o HostKeyAlgorithms=+ssh-dss |
| 32 |
> my_user@××××××.XXX.X |
| 33 |
> |
| 34 |
> |
| 35 |
> Alternatively, after you create a strong prime: |
| 36 |
> |
| 37 |
> ssh-keygen -t rsa -b 4096 |
| 38 |
> |
| 39 |
> |
| 40 |
> or probably better to use ed25519: |
| 41 |
> |
| 42 |
> ssh-keygen -t ed25519 |
| 43 |
> |
| 44 |
> HTH. |
| 45 |
|
| 46 |
The only software that uses ssh-dss key and I need is nxserver. |
| 47 |
|
| 48 |
I just added a line to my: sshd_config |
| 49 |
PubkeyAcceptedKeyTypes=+ssh-dss |
| 50 |
|
| 51 |
restarted "sshd and nxserver" but I nxserver still doesn't work, |
| 52 |
running: nxsetup --test (I get): |
| 53 |
|
| 54 |
----> Testing your nxserver connection ... |
| 55 |
Permission denied (publickey,password,keyboard-interactive). |
| 56 |
Fatal error: Could not connect to NX Server. |
| 57 |
|
| 58 |
-- |
| 59 |
Thelma |
Archives