DSA Key Not Accepted On CentOS Even After Enabling


Hello, I have some users that connect to a server with their DSA key that is of type ssh-dss. I’m migrating (installing as new) the server where they connect to CentOS 8 + updates. I was not able to connect with the keys to this new server even after having added, as found in several internet pages, this directive at the end of /etc/ssh/sshd_config of the CentOS 8 server:

# Accept also DSA keys
PubkeyAcceptedKeyTypes=+ssh-dss

and systemctl restart sshd

I kept getting in journal the message:
userauth_pubkey: key type ssh-dss not in PubkeyAcceptedKeyTypes [preauth]

I saw that the sshd process had started with the option
… -oPubkeyAcceptedKeyTypes=rsa-sha2-256,ecdsa-sha2-nistp256,ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384,ecdsa-sha2-nistp384-cert-v01@openssh.com,rsa-sha2-512,ecdsa-sha2-nistp521,ecdsa-sha2-nistp521-cert-v01@openssh.com,ssh-ed25519,ssh-ed25519-cert-v01@openssh.com,ssh-rsa,ssh-rsa-cert-v01@openssh.com

So I found the unit file for sshd that refers to /etc/crypto-policies/back-ends/opensshserver.config. In the meantime I was able to reach my target by going and editing the /etc/sysconfig/sshd file, adding the whole line obtained from the above and adding ssh-dss

CRYPTO_POLICY=’-oCiphers
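
The behaviour described in the post, as an added example that is not part of the original thread: a -oPubkeyAcceptedKeyTypes=... option on the sshd command line takes precedence over the directive in sshd_config, so the check below looks at the argument string rather than the config file. The function names and the shortened SAMPLE_ARGS string are constructed for illustration.

```shell
#!/bin/sh
# Added example: does the sshd command line override PubkeyAcceptedKeyTypes?

# Constructed sample: shortened form of the sshd arguments quoted in the post.
SAMPLE_ARGS='/usr/sbin/sshd -D -oPubkeyAcceptedKeyTypes=rsa-sha2-256,ssh-ed25519,ssh-rsa-cert-v01@openssh.com'

# Print the list given with -oPubkeyAcceptedKeyTypes= in argument string $1
# (empty output when the option is absent).
cmdline_pubkey_types() {
    printf '%s\n' "$1" | tr ' ' '\n' |
        sed -n 's/^-oPubkeyAcceptedKeyTypes=//p' | head -n 1
}

# Succeed if key type $2 is an exact element of comma-separated list $1.
list_has_type() {
    case ",$1," in
        *",$2,"*) return 0 ;;
        *) return 1 ;;
    esac
}

# $1 = sshd argument string, $2 = key type. Prints one of:
#   config-file      no override on the command line, sshd_config decides
#   cmdline-accepts  override present and it lists the key type
#   cmdline-rejects  override present without the key type, so a
#                    "+ssh-dss" line in sshd_config cannot add it
explain() {
    types=$(cmdline_pubkey_types "$1")
    if [ -z "$types" ]; then
        echo config-file
    elif list_has_type "$types" "$2"; then
        echo cmdline-accepts
    else
        echo cmdline-rejects
    fi
}

explain "$SAMPLE_ARGS" ssh-dss
```

On a live host, pass the arguments of the running daemon instead of SAMPLE_ARGS, for example the output of `ps -o args= -C sshd`.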

2 thoughts on - DSA Key Not Accepted On CentOS Even After Enabling

  • PubkeyAcceptedKeyTypes=+ssh-dss

    You also need that ^^ in their client if they are running on an el8 machine as well. I needed to put it in my ~/.ssh/config when connecting FROM
    an el8 machine to somewhere else.

  • On Thu 17 Oct 2019, 18:15 Johnny Hughes wrote:

    Yes, true. Thanks for noticing, Johnny. It’s not my case in this particular situation, but I have already done it on my Fedora 30 client in another context. Gianluca