ssh refused: sshd[2444]: userauth_pubkey: key type ssh-dss not in PubkeyAcceptedKeyTypes [preauth]

April 27, 2016 56.1k views
Security Configuration Management Ubuntu 16.04
gryphonitsolutions
By:
gryphonitsolutions

If you just upgraded Ubuntu 15.04/10 to Ubuntu 16.04 LTS (or otherwise upgraded OpenSSH from v6.9 to v7.0 you may be getting the ssh refusal because of changes in OpenSSH.

I was specifically getting this error in the /var/log/auth.log (via Webmin): sshd[2444]: userauth_pubkey: key type ssh-dss not in PubkeyAcceptedKeyTypes [preauth].

For this specific error, you need to add "PubkeyAcceptedKeyTypes=+ssh-dss" (without the quotations) to the bottom of your /etc/ssh/sshd_config file.

See: https://superuser.com/questions/1016989/ssh-dsa-keys-no-longer-work-for-password-less-authentication?lq=1

Log In to Comment
2 Answers
JonsJava April 27, 2016

Add a comment so I can heart it. Can't heart "Questions", which is what your comment shows up as. Good catch!

Reply
gparent April 27, 2016

As explained in that StackExchange question, the security of ssh-dss is disputed and it would be a wiser idea to generate one of the supported key types, like ssh-rsa or ssh-ed25519, rather than going against the software defaults.

Reply
  • gryphonitsolutions April 27, 2016

    This at least gets your existing keys (and those who use them) back into production work during the interim of improved [newer] key [types]. Being completely locked out can be stressful.

    For the debate of RSA vs DSS go here: https://security.stackexchange.com/questions/5096/rsa-vs-dsa-for-ssh-authentication-keys

    • gparent April 27, 2016

      It's worth reading the release notes of the release you plan to upgrade do before performing the upgrade as well, avoiding other surprises:

      Here they are

      • gryphonitsolutions April 27, 2016

        Respectfully, that is superficial knowledge IMO. Until one actually performs the update one only has a theoretical/academic understanding of the potential outcome. The complexity of the dependency trees are too extreme for any single person to grasp straws at. Learning to ride bike is a good analogy; until you do, you know nothing.

        The true benefit of this discussion is getting everyone to update/change the ssh key type regardless if they update the LTS or not. Obviously this needs to be done BEFORE the Open v7.0 update. If not, at least a few people will have a chance to do so with the "legacy" option OpenSSH discusses.

Have another answer? Share your knowledge.

Related Questions