upgraded to F23 and ssh keys become useless
FedoraForum.org - Fedora Support Forums and Community
Results 1 to 7 of 7
  1. #1
    Join Date
    May 2015
    Location
    Thane
    Posts
    12
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)

    upgraded to F23 and ssh key stop working

    i upgrade my fedora installed on laptop from 22 to 23 through dnf .

    but i m not able to connect to remote server with ssh key .

    when i use ssh key to access server it ask key passphrase after that to ask me for password of user .

    if i user same key on my colleagues laptop, having ububtu. i can able to login through ssh key . same key was working on fedora 22 .

    any idea what is issue ?
    Last edited by ankit360; 6th November 2015 at 06:57 PM.

  2. #2
    Join Date
    Mar 2011
    Location
    /
    Posts
    5,258
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)

    Re: upgraded to F23 and ssh keys become useless

    Have you already checked the permissions of the folder and the key files themselves?

  3. #3
    Join Date
    Apr 2006
    Posts
    34
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)

    Re: upgraded to F23 and ssh keys become useless

    To fix my ssh problem I had to change the key. The old key was generated by

    ssh-keygen -t dsa

    ssh no longer uses dsa so another type of key must be used, for example

    ssh-keygen -t ecdsa

    When the old key was removed and the new key uploaded, ssh started working again. I found this solution google-searching for "fedora 23 ssh key dsa".

  4. #4
    Join Date
    May 2015
    Location
    Thane
    Posts
    12
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)

    Re: upgraded to F23 and ssh keys become useless

    making new key and adding it to remote server is not good solution as i have lots of server without password

  5. #5
    Join Date
    May 2015
    Location
    Thane
    Posts
    12
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)

    Re: upgraded to F23 and ssh keys become useless

    here is the log

    [ankit@a360-lan ~]$ ssh -vvv -i key/id_dsa root@xyz
    OpenSSH_7.1p1, OpenSSL 1.0.2d-fips 9 Jul 2015
    debug1: Reading configuration data /etc/ssh/ssh_config
    debug1: /etc/ssh/ssh_config line 56: Applying options for *
    debug2: ssh_connect: needpriv 0
    debug1: Connecting to xyz [x.x.x.x] port 22.
    debug1: Connection established.
    debug1: key_load_public: No such file or directory
    debug1: identity file key/id_dsa type -1
    debug1: key_load_public: No such file or directory
    debug1: identity file key/id_dsa-cert type -1
    debug1: Enabling compatibility mode for protocol 2.0
    debug1: Local version string SSH-2.0-OpenSSH_7.1
    debug1: Remote protocol version 2.0, remote software version OpenSSH_5.3
    debug1: match: OpenSSH_5.3 pat OpenSSH_5* compat 0x0c000000
    debug2: fd 3 setting O_NONBLOCK
    debug1: Authenticating to xyz:22 as 'root'
    debug3: hostkeys_foreach: reading file "/home/ankit/.ssh/known_hosts"
    debug3: record_hostkey: found key type RSA in file /home/ankit/.ssh/known_hosts:4
    debug3: load_hostkeys: loaded 1 keys from xyz
    debug3: order_hostkeyalgs: prefer hostkeyalgs: ssh-rsa-cert-v01@openssh.com,ssh-rsa
    debug1: SSH2_MSG_KEXINIT sent
    debug1: SSH2_MSG_KEXINIT received
    debug2: kex_parse_kexinit: curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1
    debug2: kex_parse_kexinit: ssh-rsa-cert-v01@openssh.com,ssh-rsa...01@openssh.com,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-ed25519
    debug2: kex_parse_kexinit: chacha20-poly1305@openssh.com,aes128...lysator.liu.se
    debug2: kex_parse_kexinit: chacha20-poly1305@openssh.com,aes128...lysator.liu.se
    debug2: kex_parse_kexinit: umac-64-etm@openssh.com,umac-128-etm...60@openssh.com,hmac-sha1-96,hmac-md5-96
    debug2: kex_parse_kexinit: umac-64-etm@openssh.com,umac-128-etm...60@openssh.com,hmac-sha1-96,hmac-md5-96
    debug2: kex_parse_kexinit: none,zlib@openssh.com,zlib
    debug2: kex_parse_kexinit: none,zlib@openssh.com,zlib
    debug2: kex_parse_kexinit:
    debug2: kex_parse_kexinit:
    debug2: kex_parse_kexinit: first_kex_follows 0
    debug2: kex_parse_kexinit: reserved 0
    debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
    debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
    debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se
    debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se
    debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
    debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
    debug2: kex_parse_kexinit: none,zlib@openssh.com
    debug2: kex_parse_kexinit: none,zlib@openssh.com
    debug2: kex_parse_kexinit:
    debug2: kex_parse_kexinit:
    debug2: kex_parse_kexinit: first_kex_follows 0
    debug2: kex_parse_kexinit: reserved 0
    debug1: kex: server->client aes128-ctr umac-64@openssh.com none
    debug1: kex: client->server aes128-ctr umac-64@openssh.com none
    debug1: kex: diffie-hellman-group-exchange-sha256 need=16 dh_need=16
    debug1: kex: diffie-hellman-group-exchange-sha256 need=16 dh_need=16
    debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<3072<8192) sent
    debug1: got SSH2_MSG_KEX_DH_GEX_GROUP
    debug2: bits set: 1554/3072
    debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
    debug1: got SSH2_MSG_KEX_DH_GEX_REPLY
    debug1: Server host key: ssh-rsa SHA256:tUTGsWoEsR2aZ0jgEX0Wpt7ug5mMv3j+E/ytcHvM1DE
    debug3: hostkeys_foreach: reading file "/home/ankit/.ssh/known_hosts"
    debug3: record_hostkey: found key type RSA in file /home/ankit/.ssh/known_hosts:4
    debug3: load_hostkeys: loaded 1 keys from xyz
    debug3: hostkeys_foreach: reading file "/home/ankit/.ssh/known_hosts"
    debug3: record_hostkey: found key type RSA in file /home/ankit/.ssh/known_hosts:4
    debug3: load_hostkeys: loaded 1 keys from 203.153.40.51
    debug1: Host 'xyz'' is known and matches the RSA host key.
    debug1: Found key in /home/ankit/.ssh/known_hosts:4
    debug2: bits set: 1482/3072
    debug2: set_newkeys: mode 1
    debug1: SSH2_MSG_NEWKEYS sent
    debug1: expecting SSH2_MSG_NEWKEYS
    debug2: set_newkeys: mode 0
    debug1: SSH2_MSG_NEWKEYS received
    debug1: Roaming not allowed by server
    debug1: SSH2_MSG_SERVICE_REQUEST sent
    debug2: service_accept: ssh-userauth
    debug1: SSH2_MSG_SERVICE_ACCEPT received
    debug2: key: ankit@a360-lan (0x55fce31ed500),
    debug2: key: key/id_dsa ((nil)), explicit
    debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password
    debug3: start over, passed a different list publickey,gssapi-keyex,gssapi-with-mic,password
    debug3: preferred gssapi-keyex,gssapi-with-mic,publickey,keyboard-interactive,password
    debug3: authmethod_lookup gssapi-keyex
    debug3: remaining preferred: gssapi-with-mic,publickey,keyboard-interactive,password
    debug3: authmethod_is_enabled gssapi-keyex
    debug1: Next authentication method: gssapi-keyex
    debug1: No valid Key exchange context
    debug2: we did not send a packet, disable method
    debug3: authmethod_lookup gssapi-with-mic
    debug3: remaining preferred: publickey,keyboard-interactive,password
    debug3: authmethod_is_enabled gssapi-with-mic
    debug1: Next authentication method: gssapi-with-mic
    debug1: Unspecified GSS failure. Minor code may provide more information
    No Kerberos credentials available

    debug1: Unspecified GSS failure. Minor code may provide more information
    No Kerberos credentials available

    debug1: Unspecified GSS failure. Minor code may provide more information


    debug1: Unspecified GSS failure. Minor code may provide more information
    No Kerberos credentials available

    debug2: we did not send a packet, disable method
    debug3: authmethod_lookup publickey
    debug3: remaining preferred: keyboard-interactive,password
    debug3: authmethod_is_enabled publickey
    debug1: Next authentication method: publickey
    debug1: Offering RSA public key: ankit@a360-lan
    debug3: send_pubkey_test
    debug2: we sent a publickey packet, wait for reply
    debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password
    debug1: Trying private key: key/id_dsa
    Enter passphrase for key 'key/id_dsa':
    debug1: Skipping ssh-dss key key/id_dsa for not in PubkeyAcceptedKeyTypes
    debug2: we did not send a packet, disable method
    debug3: authmethod_lookup password
    debug3: remaining preferred: ,password
    debug3: authmethod_is_enabled password
    debug1: Next authentication method: password
    root@xyz's password:

  6. #6
    Join Date
    May 2015
    Location
    Thane
    Posts
    12
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)

    Re: upgraded to F23 and ssh keys become useless

    found solution openssh 7 stop dsa key authentication

    you can enable it through by adding following parameters in ~/.ssh/config file


    PubkeyAcceptedKeyTypes=+ssh-dss

  7. #7
    Join Date
    Apr 2006
    Posts
    20
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)

    Re: upgraded to F23 and ssh keys become useless

    Quote Originally Posted by jvinla
    To fix my ssh problem I had to change the key. The old key was generated by

    ssh-keygen -t dsa

    ssh no longer uses dsa so another type of key must be used, for example

    ssh-keygen -t ecdsa

    When the old key was removed and the new key uploaded, ssh started working again. I found this solution google-searching for "fedora 23 ssh key dsa".
    I just wanted to note that ECDSA appears to be an unideal choice for replacement key format, since gnome-keyring-daemon unfortunately doesn't pick up $HOME/.ssh/id_ecdsa files. That means that any keys using that format won't be automatically unlocked and added to its ssh-agent at login, the same way that DSA or RSA keys would be.

    The proper replacement format for any lingering DSA keys would seem to be RSA (the default for ssh-keygen). However, I have one machine which is failing to successfully authenticate using its RSA keys, since it was upgraded to F23. I still haven't figured out exactly why, at this point, but it seems I'm not alone.

Similar Threads

  1. live_ram: ok on esata/ssd keys, not working on older usb keys
    By livecdOrNothing in forum Installation, Upgrades and Live Media
    Replies: 1
    Last Post: 7th November 2012, 11:31 PM
  2. Replies: 0
    Last Post: 16th July 2008, 01:28 AM
  3. Replies: 12
    Last Post: 16th June 2008, 11:21 PM
  4. Keys not mapped correctly & missing keys.
    By we6jbo in forum Hardware
    Replies: 0
    Last Post: 12th September 2007, 10:10 PM

Tags for this Thread

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •