Mageia forum

[mla]

I've just installed Mageia6 and I am seeing two problems -- one serious, one just irritating. So, one at a time, here's the serious one.

Despite the fact the contents or permissions on my .ssh sub-directory have not changed at all and my uid/gid have no changed either, ssh both to and from this newly installed instance ignores public key authorisation via the authorized_keys files ( remote one for ssh-ing out, local one for ssh-ing in) and askk for the login password.

Having had a look at config files in /etc/ssh on both Mageia 5 and Mageia 6 installations, I don't see anything obvious (though it must be said, they are not easy to compare!). Google does not suggest anything either -- not to my naive eye, anyway.

So what gives? It's more than a nuisance, it's a serious problem for me.

[unklar]

And, what is the error message in the terminal?

[mla]

There is no error message. There is a prompt for password. If the correct password is supplied, ssh connection is established. All is normal, except that the public key authorization is apparently ignored.

[doktor5000]

There is surely some output if you do ssh -vvv on the client and on the server you can start sshd -ddd to see what the server says about the connection attempt.

[mla]

Um... [blush].. true, oh effendi!

When ssh-ing into Mag6, ssh -vvv shows that the key is sent, but then ssh proceeds checking for presence of other key types, so presumably the key has been rejected.

On Mag6 sshd -ddd shows why: "userauth_pubkey: key type ssh-dss not in PubkeyAcceptedKeyTypes [preauth]". There is no reference to PubkeyAcceptedKeyTypes anywhere in /etc/ssh. However, armed with that message, I find that OpenSSH by default no longer accepts dss keys. So I have to regenerate all my keys and modify all my authorized_keys files. That's a pain!

There is a pro tem workaround of adding on Mageia 6 "PubkeyAcceptedKeyTypes=+ssh-dss" to both /etc/ssh/sshd_config and to .ssh/config

Have tried it and it works. Thanks (as ever!) for your help in sticking my nose into the obvious. I'll change the thread title appropriately.

[mark9117]

Not trying to resurrect this thread, but I would like to chime in with a "me too". I added "PubkeyAcceptedKeyTypes=+ssh-dss" to the /etc/ssh/sshd_config file and it resolved the issue for me. I couldn't find the .ssh/sshd_config file that you referred to, but I'm back in action and happy about it.

Thanks for documenting all that!

[mla]

It's ~/.ssh/config and it is optional. You will need it to add to PubkeyAcceptedTypes if you need to ssh *out* of Mag6 with a dss key.

Be aware, though, that this is just a temporary workaround. The use of dss will be dropped altogether at some future time. I am in the process of replacing all my dss keys.

[doktor5000]

This is already quite old, have a look at http://www.openssh.com/legacy.html
You should really replace your DSA keys.

[mark9117]

Yeah, I hear you. It shouldn't be that hard. I'll make that a project for next week.

Edit: wasn't hard at all. Generated the keys and distributed them among my machines, then disabled dsa keys in sshd_config. It's all good now.

[dglent]

Thanks, i have just installed mga6 and i had the following error messages

svn: E170013: Unable to connect to a repository at URL 'svn+ssh://svn.mageia.org/svn/packages/cauldron/xxx'
svn: E210002: To better debug SSH connection problems, remove the -q option from 'ssh' in the [tunnels] section of your Subversion configuration file.
svn: E210002: Network connection closed unexpectedly

I've just added the line

Code: Select all

PubkeyAcceptedKeyTypes=+ssh-dss

in the file .ssh/config

with success

[mla]

Yes, but that will break again once dss support is withdrawn altogether, which is supposed to be in a not too distant future. Regenerating your keys now is easier than having to scratch your head again once that happens.

[dglent]

I have tried to create rsa keys without success (same messages)

[mla]

Worked for me. Did you remember to change the authorized_keys file at the other end?

[dglent]

I didn't have any authorized_keys and i created with

Code: Select all

ssh-keygen -t rsa -P '' -f ~/.ssh/id_rsa
cat /.ssh/id_dsa.pub >> ~/.ssh/authorized_keys

found here: https://unix.stackexchange.com/question ... a-password

[mla]

Well, putting your *dsa* public key (which is what you code fragment shows) into authorized_keys isn't going to help. But the authorized_keys file needs to be at the other end -- in ~/.ssh on the machine being called.

[dglent]

Ah ok, actually i wanted to checkout a package with mgarepo

[doktor5000]

You would need to update your public key via https://identity.mageia.org/

[dglent]

You have right thanks

[dglent]

I don't know if it is related but now i cannot send translations to git:

Code: Select all

dglent@localhost po (master)]$ git push -v
Pushing to ssh://git@git.mageia.org/software/manatools
Password:
Password:
Password:
Permission denied (publickey,keyboard-interactive).
fatal: Could not read from remote repository.

Please make sure you have the correct access rights
and the repository exists.

[doktor5000]

Well, does the new key work at all, can you commit to SVN, e.g. to the null package? Did you update your ~/.ssh/config if you had something related to Mageia in there?

You may need to ask our sysadmins about that, either via IRC or via mailing list.