OpenSSH 7 and ssh-dss keys

Quick one, because it’s the type of thing I tend to forget easily. I recently upgraded a VM of mine from Ubuntu 14.04 LTS to 16.04 LTS. I mainly use the VM as an SSH Web Proxy for tunnelling traffic that I’d rather not originate from my machines IP, and also to get past some fairly arcane URL blocks. Ubuntu’s upgrade is quite neat in that it recognises you’re running the upgrade from a shell and splits the process out to a screen session for you lest you become disconnected for Reasons(tm).

That said, the upgrade went smoothly and without issue and my shell session remained connected and everything was fine for a few days.

It was only after shutting my laptop down and moving to a different network then reconnecting that I experienced the problem. My public key was rejected. My installation of SSH on this box is fairly tight, unusual port, restricted to a specific user, root login disabled, password auth disabled, public key mandatory … and I’m currently exploring the possibility of sticking Duo Two Factor authentication on it to save me having to VPN to a secure network first before accessing it … anyway … the error message that my key was rejected came as somewhat of a surprise and set alarm bells ringing. Had my little VM been burst?

A quick flick through /var/log/auth.log and I had my answer:

Oct  6 13:38:08 xxxxx sshd[12177]: userauth_pubkey: key type ssh-dss not in PubkeyAcceptedKeyTypes [preauth]

That’s new. I’ve used this key for a while, and used a fairly solid randomiser to generate it but it seems that the guys at OpenSSH have decided otherwise, the following quote is from: http://www.openssh.com/txt/release-7.0

Support for ssh-dss, ssh-dss-cert-* host and user keys is disabled by default at run-time. These may be re-enabled using the instructions at http://www.openssh.com/legacy.html

Oh well. Thankfully it’s easily re-enabled, by adding the following line to the foot of your /etc/ssh/sshd_config:

PubkeyAcceptedKeyTypes=+ssh-dss

Onwards and upwards!

 

Leave a Reply

Your email address will not be published.