ssh refused: sshd[2444]: userauth_pubkey: key type ssh-dss not in PubkeyAcceptedKeyTypes [preauth]

April 27, 2016 10.5k views
Security Configuration Management Ubuntu 16.04

If you just upgraded Ubuntu 15.04/10 to Ubuntu 16.04 LTS (or otherwise upgraded OpenSSH from v6.9 to v7.0), you may be getting the ssh refusal because of changes in OpenSSH.

I was specifically getting this error in the /var/log/auth.log (via Webmin): sshd[2444]: userauth_pubkey: key type ssh-dss not in PubkeyAcceptedKeyTypes [preauth].

For this specific error, you need to add "PubkeyAcceptedKeyTypes=+ssh-dss" (without the quotations) to the bottom of your /etc/ssh/sshd_config file.


2 Answers

Add a comment so I can heart it. Can't heart "Questions", which is what your comment shows up as. Good catch!

As explained in that StackExchange question, the security of ssh-dss is disputed and it would be a wiser idea to generate one of the supported key types, like ssh-rsa or ssh-ed25519, rather than going against the software defaults.

  • This at least gets your existing keys (and those who use them) back into production work during the interim of improved [newer] key [types]. Being completely locked out can be stressful.

    For the debate of RSA vs DSS go here:

    • It's worth reading the release notes of the release you plan to upgrade to before performing the upgrade as well, avoiding other surprises:

      Here they are

      • Respectfully, that is superficial knowledge IMO. Until one actually performs the update one only has a theoretical/academic understanding of the potential outcome. The complexity of the dependency trees is too extreme for any single person to grasp straws at. Learning to ride a bike is a good analogy; until you do, you know nothing.

        The true benefit of this discussion is getting everyone to update/change the ssh key type regardless if they update the LTS or not. Obviously this needs to be done BEFORE the Open v7.0 update. If not, at least a few people will have a chance to do so with the "legacy" option OpenSSH discusses.
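
An added example (not part of the original thread): a POSIX shell function that lists the ssh-dss entries in authorized_keys files, so the affected users can be identified and moved to ssh-rsa or ssh-ed25519 keys before the OpenSSH upgrade. The function names and the sample file are constructed for illustration; the key blobs are truncated placeholders, not real keys.

```shell
#!/bin/sh
# audit_dss FILE...: print "file:line: comment" for every ssh-dss entry.
audit_dss() {
    awk '
        /^[ \t]*(#|$)/ { next }    # skip comment and blank lines
        {
            # An options field (command="...", no-pty, ...) may precede the
            # key type, so scan for the type followed by a DSA key blob.
            # "AAAAB3NzaC1kc3M" is the base64 of the blob header naming ssh-dss.
            for (i = 1; i < NF; i++) {
                if ($i == "ssh-dss" && $(i + 1) ~ /^AAAAB3NzaC1kc3M/) {
                    comment = (i + 2 <= NF) ? $(i + 2) : "(no comment)"
                    printf "%s:%d: %s\n", FILENAME, FNR, comment
                    break
                }
            }
        }
    ' "$@"
}

# count_dss FILE...: number of ssh-dss entries found.
count_dss() { audit_dss "$@" | wc -l | tr -d ' '; }

# Constructed sample authorized_keys (key blobs truncated, not real keys).
sample=$(mktemp)
trap 'rm -f "$sample"' EXIT
cat > "$sample" <<'EOF'
# constructed sample authorized_keys
ssh-dss AAAAB3NzaC1kc3MAAACBAexample alice@laptop
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABexample bob@desktop
command="/usr/bin/backup",no-pty ssh-dss AAAAB3NzaC1kc3MAAACBAexample2 backup@cron
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIexample carol@phone
EOF

audit_dss "$sample"
```

On a real host, pass the files to check, for example `audit_dss /home/*/.ssh/authorized_keys`, assuming the default per-user location.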
