Mageia forum

I've just installed Mageia6 and I am seeing two problems -- one serious, one just irritating. So, one at a time, here's the serious one.

Despite the fact the contents or permissions on my .ssh sub-directory have not changed at all and my uid/gid have no changed either, ssh both to and from this newly installed instance ignores public key authorisation via the authorized_keys files ( remote one for ssh-ing out, local one for ssh-ing in) and askk for the login password.

Having had a look at config files in /etc/ssh on both Mageia 5 and Mageia 6 installations, I don't see anything obvious (though it must be said, they are not easy to compare!). Google does not suggest anything either -- not to my naive eye, anyway.

So what gives? It's more than a nuisance, it's a serious problem for me.

And, what is the error message in the terminal?

There is no error message. There is a prompt for password. If the correct password is supplied, ssh connection is established. All is normal, except that the public key authorization is apparently ignored.

There is surely some output if you do ssh -vvv on the client and on the server you can start sshd -ddd to see what the server says about the connection attempt.

Um... [blush].. true, oh effendi!

When ssh-ing into Mag6, ssh -vvv shows that the key is sent, but then ssh proceeds checking for presence of other key types, so presumably the key has been rejected.

On Mag6 sshd -ddd shows why: "userauth_pubkey: key type ssh-dss not in PubkeyAcceptedKeyTypes [preauth]". There is no reference to PubkeyAcceptedKeyTypes anywhere in /etc/ssh. However, armed with that message, I find that OpenSSH by default no longer accepts dss keys. So I have to regenerate all my keys and modify all my authorized_keys files. That's a pain!

There is a pro tem workaround of adding on Mageia 6 "PubkeyAcceptedKeyTypes=+ssh-dss" to both /etc/ssh/sshd_config and to .ssh/config

Have tried it and it works. Thanks (as ever!) for your help in sticking my nose into the obvious. I'll change the thread title appropriately.

Not trying to resurrect this thread, but I would like to chime in with a "me too". I added "PubkeyAcceptedKeyTypes=+ssh-dss" to the /etc/ssh/sshd_config file and it resolved the issue for me. I couldn't find the .ssh/sshd_config file that you referred to, but I'm back in action and happy about it.

Thanks for documenting all that!

It's ~/.ssh/config and it is optional. You will need it to add to PubkeyAcceptedTypes if you need to ssh *out* of Mag6 with a dss key.

Be aware, though, that this is just a temporary workaround. The use of dss will be dropped altogether at some future time. I am in the process of replacing all my dss keys.

This is already quite old, have a look at http://www.openssh.com/legacy.html
You should really replace your DSA keys.

Yeah, I hear you. It shouldn't be that hard. I'll make that a project for next week.

Edit: wasn't hard at all. Generated the keys and distributed them among my machines, then disabled dsa keys in sshd_config. It's all good now.

Thanks, i have just installed mga6 and i had the following error messages

svn: E170013: Unable to connect to a repository at URL 'svn+ssh://svn.mageia.org/svn/packages/cauldron/xxx'
svn: E210002: To better debug SSH connection problems, remove the -q option from 'ssh' in the [tunnels] section of your Subversion configuration file.
svn: E210002: Network connection closed unexpectedly

I've just added the line

Code: Select all

PubkeyAcceptedKeyTypes=+ssh-dss

in the file .ssh/config

with success

Yes, but that will break again once dss support is withdrawn altogether, which is supposed to be in a not too distant future. Regenerating your keys now is easier than having to scratch your head again once that happens.

I have tried to create rsa keys without success (same messages)

Worked for me. Did you remember to change the authorized_keys file at the other end?

I didn't have any authorized_keys and i created with

Code: Select all

ssh-keygen -t rsa -P '' -f ~/.ssh/id_rsa
cat /.ssh/id_dsa.pub >> ~/.ssh/authorized_keys

found here: https://unix.stackexchange.com/question ... a-password

Well, putting your *dsa* public key (which is what you code fragment shows) into authorized_keys isn't going to help. But the authorized_keys file needs to be at the other end -- in ~/.ssh on the machine being called.

Ah ok, actually i wanted to checkout a package with mgarepo

You would need to update your public key via https://identity.mageia.org/

You have right thanks

I don't know if it is related but now i cannot send translations to git:

Code: Select all

dglent@localhost po (master)]$ git push -v
Pushing to ssh://git@git.mageia.org/software/manatools
Password:
Password:
Password:
Permission denied (publickey,keyboard-interactive).
fatal: Could not read from remote repository.

Please make sure you have the correct access rights
and the repository exists.

Well, does the new key work at all, can you commit to SVN, e.g. to the null package? Did you update your ~/.ssh/config if you had something related to Mageia in there?

You may need to ask our sysadmins about that, either via IRC or via mailing list.