On Saturday 14 Nov 2015 06:49:22 the...@sys-concept.com wrote: > Thelma > > On 11/13/2015 11:08 PM, the...@sys-concept.com wrote: > > I'm running: nxserver-freenx-0.7.3_p104-r7 > > After recent upgrade, system installed new stable openssh-7.1_p1-r2 > > > > The problem is the new openssh-7.1_p1-r2 will not allow my my "nxserver" > > to connect, I get an error: Permission denied > > (publickey,keyboard-interactive) see below: > > > > nxsetup --test > > ... > > <---- done > > > > ----> Testing your nxserver connection ... > > Permission denied (publickey,keyboard-interactive). > > Fatal error: Could not connect to NX Server. > > > > Please check your ssh setup: > > > > The following are _examples_ of what you might need to check. > > > > - Make sure "nx" is one of the AllowUsers in sshd_config. > > > > (or that the line is outcommented/not there) > > > > - Make sure "nx" is one of the AllowGroups in sshd_config. > > > > (or that the line is outcommented/not there) > > > > - Make sure your sshd allows public key authentication. > > - Make sure your sshd is really running on port 22. > > - Make sure your sshd_config AuthorizedKeysFile in sshd_config is set to > > authorized_keys2. > > > > (this should be a filename not a pathname+filename) > > > > - Make sure you allow ssh on localhost, this could come from some > > > > restriction of: > > -the tcp wrapper. Then add in /etc/hosts.allow: ALL:localhost > > > > -the iptables. add to it: > > $ iptables -A INPUT -i lo -j ACCEPT > > $ iptables -A OUTPUT -o lo -j ACCEPT > > > > What I should be getting is this: > > ----> Testing your nxserver connection ... > > HELLO NXSERVER - Version 3.2.0-74-TEAMBZR104 OS (GPL, using backend: > > 3.5.0) NX> 105 quit > > Quit > > NX> 999 Bye > > <--- done > > > > I did not change anything in sshd_config. > > But I downgraded to: openssh-6.9_p1-r2 and nxserver connects OK. > > > > What could be the problem with new: openssh-7.1_p1-r2 > > I think the reason is that OpenSSH 7.0 disables ssh-dss keys by default > https://www.gentoo.org/support/news-items/2015-08-13-openssh-weak-keys.html > > And and nxserver is using ssh-dss keys by default. > > I have to find a way a way to replace the ssh-dss key in: /etc/nxserver/ > with RSA one. > > Do I just run: ssh-keygen -t rsa > and copy the key pair to /etc/nxserver/ directory? > > -- > Thelma
Since openssh-7.0 DSS keys are disabled and about time too!
==========================================================
if has_version "<${CATEGORY}/${PN}-7.1_p1" ; then #557388
elog "Starting with openssh-7.0, support for ssh-dss keys were
disabled due to their"
elog "weak sizes. If you rely on these key types, you can re-enable
the key types by"
elog "adding to your sshd_config:"
elog " PubkeyAcceptedKeyTypes=+ssh-dss"
elog "You should however generate new keys using rsa or ed25519."
fi
==========================================================
Also SHA1 hashes are disabled and you will get errors like these when you try
to login to a server which is still using deprecated ciphers:
Unable to negotiate with XXX.XX.XXX.X: no matching host key type found. Their
offer: ssh-dss
Unable to negotiate with XXX.XX.XXX.X: no matching key exchange method found.
Their offer: diffie-hellman-group1-sha1
If this is within your LAN and therefore relatively protected, you could
specify deprecated ciphers and hashes like so:
ssh -o KexAlgorithms=+diffie-hellman-group1-sha1 -o HostKeyAlgorithms=+ssh-dss
my_u...@xxx.xx.xxx.X
Alternatively, after you create a strong prime:
ssh-keygen -t rsa -b 4096
or probably better to use ed25519:
ssh-keygen -t ed25519
HTH.
--
Regards,
Mick
signature.asc
Description: This is a digitally signed message part.
