OPNsense Forum

English Forums => General Discussion => Topic started by: Joe on December 17, 2015, 09:19:17 pm

Title: [SOLVED] DSA keys not accepted in ssh?
Post by: Joe on December 17, 2015, 09:19:17 pm
Hello,

I can't log in to OPNsense via ssh because of:

   userauth_pubkey: key type ssh-dss not in PubkeyAcceptedKeyTypes [preauth]

Have I missed some important weakness of the DSA algorithm?

Title: Re: DSA keys not accepted in ssh?
Post by: franco on December 22, 2015, 08:33:52 am
Kind of. OpenSSH 7.0 deprecated DSA; it must be enabled in the config, which at this point changed the behaviour of our implementation. There's no way to re-enable DSA (ssh-dss) other than reworking the config write in the file /usr/local/etc/rc.sshd (which is lost on firmware updates). Feel free to send a feature request through GitHub; key selection might be of interest if there really is no alternative to migrating away from DSA keys.

http://www.openssh.com/legacy.html

Title: Re: DSA keys not accepted in ssh?
Post by: Joe on December 25, 2015, 12:49:16 pm
Thanks for the info.

It appears that DSA keys are inherently insecure, so it's better not to activate them.

Title: Re: [SOLVED] DSA keys not accepted in ssh?
Post by: franco on December 25, 2015, 02:46:58 pm
Okay, sounds good. :)
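
An added example, not part of the forum posts or OPNsense's own code: a check for the situation described in the thread, listing the `authorized_keys` entries whose key type a default OpenSSH 7.0 sshd refuses so they can be replaced before an upgrade locks the user out. The function names, the sample file and its truncated key blobs are constructed for illustration.

```python
import re

# Key type names that can open the key field of an authorized_keys line.
KEY_TYPE = re.compile(r"^(ssh-(dss|rsa|ed25519)|ecdsa-sha2-nistp(256|384|521))$")
# Types a default OpenSSH 7.0 sshd refuses, per the log line quoted in the thread.
DISABLED_BY_DEFAULT = {"ssh-dss"}

def split_fields(line):
    """Split on whitespace but keep double-quoted option values in one field."""
    fields, cur, in_quote, escaped = [], "", False, False
    for ch in line:
        if ch.isspace() and not in_quote:
            if cur:
                fields.append(cur)
            cur = ""
            continue
        if ch == '"' and not escaped:
            in_quote = not in_quote
        escaped = (ch == "\\" and not escaped)
        cur += ch
    if cur:
        fields.append(cur)
    return fields

def rejected_keys(text):
    """Return (line_no, key_type, comment) for each key of a disabled type."""
    hits = []
    for line_no, line in enumerate(text.splitlines(), 1):
        fields = split_fields(line)
        if not fields or fields[0].startswith("#"):
            continue
        # The key type is the first field, or the second when options precede it.
        for i, field in enumerate(fields[:2]):
            if KEY_TYPE.match(field):
                if field in DISABLED_BY_DEFAULT:
                    hits.append((line_no, field, " ".join(fields[i + 2:])))
                break
    return hits

# Constructed sample file; the key blobs are truncated placeholders.
SAMPLE = """# constructed authorized_keys
ssh-dss AAAAB3NzaC1kc3MAAACB joe@laptop
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5 joe@desktop
command="echo ssh-dss test",no-pty ssh-dss AAAAB3NzaC1kc3MAAACB backup@nas
from="10.0.0.*" ssh-rsa AAAAB3NzaC1yc2EAAAADAQAB admin@jump
"""

if __name__ == "__main__":
    for line_no, ktype, comment in rejected_keys(SAMPLE):
        print(f"line {line_no}: {ktype} key ({comment}) will be refused")
```

The fourth sample line shows why a plain text search for `ssh-dss` is not enough: the string also appears inside a quoted `command=` option, and only the key-type field decides whether the key is refused.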