Share

Question

If you just upgraded Ubuntu 15.04/10 to Ubuntu 16.04 LTS (or otherwise upgraded OpenSSH from v6.9 to v7.0 you may be getting the ssh refusal because of changes in OpenSSH.

I was specifically getting this error in the /var/log/auth.log (via Webmin): sshd[2444]: userauth_pubkey: key type ssh-dss not in PubkeyAcceptedKeyTypes [preauth].

For this specific error, you need to add "PubkeyAcceptedKeyTypes=+ssh-dss" (without the quotations) to the bottom of your /etc/ssh/sshd_config file.

See: https://superuser.com/questions/1016989/ssh-dsa-keys-no-longer-work-for-password-less-authentication?lq=1

Answer 1

JonsJava April 27, 2016

Add a comment so I can heart it. Can't heart "Questions", which is what your comment shows up as. Good catch!

Reply

Answer 2

gparent April 27, 2016

As explained in that StackExchange question, the security of ssh-dss is disputed and it would be a wiser idea to generate one of the supported key types, like ssh-rsa or ssh-ed25519, rather than going against the software defaults.

Reply

gryphonitsolutions April 27, 2016

This at least gets your existing keys (and those who use them) back into production work during the interim of improved [newer] key [types]. Being completely locked out can be stressful.

For the debate of RSA vs DSS go here: https://security.stackexchange.com/questions/5096/rsa-vs-dsa-for-ssh-authentication-keys
- gparent April 27, 2016
  
  It's worth reading the release notes of the release you plan to upgrade do before performing the upgrade as well, avoiding other surprises:
  
  Here they are
  
  gryphonitsolutions April 27, 2016
  
  Respectfully, that is superficial knowledge IMO. Until one actually performs the update one only has a theoretical/academic understanding of the potential outcome. The complexity of the dependency trees are too extreme for any single person to grasp straws at. Learning to ride bike is a good analogy; until you do, you know nothing.
  
  The true benefit of this discussion is getting everyone to update/change the ssh key type regardless if they update the LTS or not. Obviously this needs to be done BEFORE the Open v7.0 update. If not, at least a few people will have a chance to do so with the "legacy" option OpenSSH discusses.
  
  gparent April 27, 2016
  
  Respectfully, I linked directly to the section of the release notes dedicated to the OpenSSH 7.2 release. They link to upstream documentation that mentions changes for the configuration and additional troubleshooting commands, some of which were not mentioned at all in this thread. It applies specifically to the issue you mentioned.
  
  gryphonitsolutions April 27, 2016
  
  You mean this?
  
  http://www.openssh.com/legacy.html
  
  ssh -oHostKeyAlgorithms=+ssh-dss user@127.0.0.1
  
  gparent April 27, 2016
  
  That is what my hyperlink points to.
  
  There's also this: release-7.2 but it's not as direct.

Answer 3

gryphonitsolutions April 27, 2016

This at least gets your existing keys (and those who use them) back into production work during the interim of improved [newer] key [types]. Being completely locked out can be stressful.

For the debate of RSA vs DSS go here: https://security.stackexchange.com/questions/5096/rsa-vs-dsa-for-ssh-authentication-keys
- gparent April 27, 2016
  
  It's worth reading the release notes of the release you plan to upgrade do before performing the upgrade as well, avoiding other surprises:
  
  Here they are
  
  gryphonitsolutions April 27, 2016
  
  Respectfully, that is superficial knowledge IMO. Until one actually performs the update one only has a theoretical/academic understanding of the potential outcome. The complexity of the dependency trees are too extreme for any single person to grasp straws at. Learning to ride bike is a good analogy; until you do, you know nothing.
  
  The true benefit of this discussion is getting everyone to update/change the ssh key type regardless if they update the LTS or not. Obviously this needs to be done BEFORE the Open v7.0 update. If not, at least a few people will have a chance to do so with the "legacy" option OpenSSH discusses.
  
  gparent April 27, 2016
  
  Respectfully, I linked directly to the section of the release notes dedicated to the OpenSSH 7.2 release. They link to upstream documentation that mentions changes for the configuration and additional troubleshooting commands, some of which were not mentioned at all in this thread. It applies specifically to the issue you mentioned.
  
  gryphonitsolutions April 27, 2016
  
  You mean this?
  
  http://www.openssh.com/legacy.html
  
  ssh -oHostKeyAlgorithms=+ssh-dss user@127.0.0.1
  
  gparent April 27, 2016
  
  That is what my hyperlink points to.
  
  There's also this: release-7.2 but it's not as direct.

ssh refused: sshd[2444]: userauth_pubkey: key type ssh-dss not in PubkeyAcceptedKeyTypes [preauth]

Leave a Comment

Share

Share your Question

ssh refused: sshd[2444]: userauth_pubkey: key type ssh-dss not in PubkeyAcceptedKeyTypes [preauth]

Leave a Comment

Related Questions

Almost there!

Report a Bug