Can't specify ssh-dss for the host key algorithm

Post by realtimesw » 2017/04/26 20:40:48

I have a legacy application that can only connect via SSH using a host key algorithm of ssh-dss. I have searched for a way to enable this algorithm in /etc/ssh/sshd_config but have not been able to get it to work.

I tried:
HostKeyAlgorithms ssh-dss
and
PubkeyAcceptedKeyTypes=+ssh-dss

But with these settings in place, the SSH service will not start and gives me a configuration error in the log. I am running CentOS 7.3 and OpenBSD ssh v1.93.

Any assistance would be appreciated!

Post by avij » 2017/04/26 21:04:38

Hmm.. To be clear, you are using the default sshd on CentOS 7.3 (newest is openssh-6.6.1p1-35.el7_3.x86_64), and you are connecting to it from OpenBSD using OpenBSD ssh v1.93? In short, what are you running on the client and the server?

As far as I know, openssh's sshd in CentOS should accept incoming ssh-dss keys by default. Do you get any errors in your /var/log/secure when you try to connect using an ssh-dss key?

Post by realtimesw » 2017/04/26 21:16:28

Thanks for the reply.

I am running the default sshd that came with CentOS 7.3 - I just took the information off the top comment line of the sshd_config file.

I am trying to connect to CentOS with a legacy Windows application that only supports ssh-dss. I can connect using ssh with PuTTY and another terminal emulation program that are both much newer, so I know ssh is working.

In /var/log/secure I get this entry when I try to connect:
Apr 26 17:08:44 localhost sshd[7709]: Connection closed by xxx.xxx.xxx.xxx [preauth]

Post by TrevorH » 2017/04/26 21:20:03

The PubkeyAcceptedKeyTypes keyword you used is not known in CentOS 7's openssh version. Since we have 6.6p1 and the doc that refers to that keyword says it's for 7.0 I presume it is a new addition in 7.0. On that page it has some ssh -Q commands to try and this is the (I think) interesting one:

Code:

[trevor@trevor4 tmp]$ rpm -q openssh
openssh-6.6.1p1-35.el7_3.x86_64
[trevor@trevor4 tmp]$ ssh -Q key
ssh-rsa
ssh-dss
ssh-ed25519
ecdsa-sha2-nistp256
ecdsa-sha2-nistp384
ecdsa-sha2-nistp521
ssh-rsa-cert-v01@openssh.com
ssh-dss-cert-v01@openssh.com
ecdsa-sha2-nistp256-cert-v01@openssh.com
ecdsa-sha2-nistp384-cert-v01@openssh.com
ecdsa-sha2-nistp521-cert-v01@openssh.com
ssh-rsa-cert-v00@openssh.com
ssh-dss-cert-v00@openssh.com
ssh-ed25519-cert-v01@openssh.com
null

The future appears to be RHEL or Debian. I think I'm going Debian.
Info for USB installs on http://wiki.centos.org/HowTos/InstallFromUSBkey
CentOS 5 and 6 are deadest, do not use them.
Use the FAQ Luke

Post by realtimesw » 2017/04/26 21:29:59

Well that is interesting. I am running 6.6.1p1-33 which also shows it should support ssh-dss, correct? At least it is showing in the list. OK this is getting a bit odd...

Post by avij » 2017/04/26 21:35:37

realtimesw wrote:
Apr 26 17:08:44 localhost sshd[7709]: Connection closed by xxx.xxx.xxx.xxx [preauth]
Well, that is brief.. Try setting LogLevel DEBUG in your /etc/ssh/sshd_config and run systemctl restart sshd.service to restart the daemon. Then try connecting again and see if you get any useful info in the log.

Post by TrevorH » 2017/04/26 21:40:46

"I am running 6.6.1p1-33"
Means you haven't yum updated recently. The newer version came out on 12th April.

Do you have the ability to run ssh on the client? Does it say anything useful with ssh -vvv ?

Are you sure this host isn't so old that it only speaks Protocol 1? That _is_ disabled by default on CentOS 7's sshd.

Post by TrevorH » 2017/04/26 21:53:58

Or, another thought, your application hasn't stashed a copy of the server fingerprint that it thinks it's talking to and you've changed hosts to a CentOS 7 one with a different ssh host key?

Post by realtimesw » 2017/04/26 22:28:03

TrevorH wrote:
I am running 6.6.1p1-33
Means you haven't yum updated recently. The newer version came out on 12th April.

Do you have the ability to run ssh on the client? Does it say anything useful with ssh -vvv ?

Are you sure this host isn't so old that it only speaks Protocol 1? That _is_ disabled by default on CentOS 7's sshd.

I wonder if my whole issue revolves around support for Protocol 1. Is there a way to enable it to test connectivity?

Post by TrevorH » 2017/04/26 23:12:10

I'm pretty sure your app has the ssh host key stashed away somewhere and it has changed when you switched your system to CentOS 7. I just used a scrap CentOS 7 VM to ssh to, then as root on the system I sshed to, I moved /etc/ssh/*key* out of the way and restarted sshd to make it create new ones. Now I went back to the original host and ssh'ed to the el7 system with the newly generated host keys and it shouts about the key having changed and refuses to connect. However, in /var/log/secure on the el7 VM it has exactly the same failure message you get - "Apr 27 00:07:15 centos7 sshd[15664]: Connection closed by 192.168.x.x [preauth]"

What user does your app run as? Check if it has a home directory in /etc/passwd and if that home directory has a .ssh directory with a known_hosts file in it. If the CentOS 7 server is in that file and it has the wrong fingerprint saved then it will refuse to connect.
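The known_hosts check described in the post above, as an added example that is not part of the original thread: it finds entries for a host (plain or hashed) whose saved key no longer matches the server's current host key of the same type. The host names, addresses and key blobs are constructed placeholders, and wildcard host patterns are not handled.

```python
import base64, hashlib, hmac

def host_matches(pattern, host):
    """True if one entry of a known_hosts host field names `host`."""
    if pattern.startswith("|1|"):
        # Hashed form: |1|base64(salt)|base64(HMAC-SHA1(key=salt, msg=host))
        _, _, salt_b64, mac_b64 = pattern.split("|")
        mac = hmac.new(base64.b64decode(salt_b64), host.encode(), hashlib.sha1)
        return hmac.compare_digest(mac.digest(), base64.b64decode(mac_b64))
    return pattern == host  # exact match only; wildcards are not handled

def fingerprint(key_b64):
    """SHA256 fingerprint in the form newer OpenSSH releases print."""
    digest = hashlib.sha256(base64.b64decode(key_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def stale_entries(known_hosts_text, host, server_keys):
    """Entries naming `host` whose saved key differs from the server's key."""
    stale = []
    for line_no, line in enumerate(known_hosts_text.splitlines(), 1):
        fields = line.split()
        # Skip blanks, comments and @cert-authority / @revoked marker lines.
        if len(fields) < 3 or fields[0][0] in "#@":
            continue
        hosts, key_type, key_b64 = fields[:3]
        if not any(host_matches(p, host) for p in hosts.split(",")):
            continue
        current = server_keys.get(key_type)
        if current is not None and current != key_b64:
            stale.append((line_no, key_type, fingerprint(key_b64)))
    return stale

def blob(label):  # constructed placeholder for a real base64 key blob
    return base64.b64encode(label.encode()).decode()

# Constructed sample: the client saved an old DSA key for el7.example;
# SERVER_KEYS stands in for the server's current ssh_host_*_key.pub contents.
SALT = b"constructed-salt"
HASHED_HOST = "|1|%s|%s" % (
    base64.b64encode(SALT).decode(),
    base64.b64encode(hmac.new(SALT, b"el7.example", hashlib.sha1).digest()).decode())
SAMPLE_KNOWN_HOSTS = "\n".join([
    "# constructed sample known_hosts",
    "el7.example,192.0.2.10 ssh-dss " + blob("old-dss-key"),
    "other.example ssh-dss " + blob("old-dss-key"),
    HASHED_HOST + " ssh-rsa " + blob("current-rsa-key"),
])
SERVER_KEYS = {"ssh-dss": blob("new-dss-key"), "ssh-rsa": blob("current-rsa-key")}
```

Calling `stale_entries(SAMPLE_KNOWN_HOSTS, "el7.example", SERVER_KEYS)` reports line 2 only: the hashed ssh-rsa entry on line 4 also names the host, but its key still matches the server's.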
