On 2016-11-22 02:37, KIRIYAMA Kazuhiko wrote:
> Hi, all
> 
> I updated to HEAD (r308871) 2 days ago, and ports too
> (r426562). Then everything, including applications, was
> updated, and I tried to slogin to this host, but can't
> connect, with the message `userauth_pubkey: key type ssh-dss
> not in PubkeyAcceptedKeyTypes [preauth]' in
> /var/log/auth.log. I found that the new OpenSSH-7.* does not
> support DSA, and that to connect from a client with an old
> ssh (lower than OpenSSH-7.0), `ssh-dss' or some values must be
> set in the relevant variables in /etc/ssh/sshd_config.
> According to [1] and [2] I've set these variables as below:
> 
> PubkeyAcceptedKeyTypes=+ssh-dss
> HostKeyAlgorithms=+ssh-dss
> KexAlgorithms=+diffie-hellman-group-exchange-sha256
> 
> and successfully slogined:
> 

snip

> 
> And with the message `fatal: Fssh_packet_write_poll:
> Connection from xxx.xxx.xx.xx port yyyyy: Permission denied'
> in /var/log/auth.log:
> 
> 
> Nov 22 16:07:51 kx sshd[73878]: Accepted publickey for admin from xxx.xxx.xx.xx port 64147 ssh2: DSA SHA256:6uPsONRWeNkYjlj9BU4GZYUUeH60ZbUCB25jolvrvj8
> Nov 22 16:07:51 kx sshd[73880]: fatal: Fssh_packet_write_poll: Connection from xxx.xxx.xx.xx port 64147: Permission denied
> 
> 
> Are there any suggestions?
> My environments are as follows:
> 
> - Server:
> 
> admin@kx:~ % uname -a
> FreeBSD kx.truefc.org 12.0-CURRENT FreeBSD 12.0-CURRENT #13 r308871M: Sun Nov 20 15:51:21 JST 2016     ad...@kx.truefc.org:/usr/obj/usr/src/sys/XIJ  amd64
> admin@kx:~ % ssh -V
> OpenSSH_7.2p2, OpenSSL 1.0.2j-freebsd  26 Sep 2016
> admin@kx:~ % 
> 
> - Client:
> 
> kiri@kazu:~[995]% uname -a
> FreeBSD kazu.pis 9.2-STABLE FreeBSD 9.2-STABLE #5 r259404M: Mon Dec 16 00:12:52 JST 2013     ad...@kazu.pis:/usr/obj/usr/src/sys/GENERIC  amd64
> kiri@kazu:~[996]% ssh -V
> OpenSSH_6.2p2, OpenSSL 0.9.8y 5 Feb 2013
> kiri@kazu:~[997]% 
> 
> 
> Best regards.
> 
> 
> [1] https://www.gentoo.org/support/news-items/2015-08-13-openssh-weak-keys.html
> [2] https://lists.freebsd.org/pipermail/freebsd-current/2016-August/062853.html
> 
> ---
> KIRIYAMA Kazuhiko
> 


Newer versions of OpenSSH, like the one shipped in 11.0 and 12-current,
do not accept DSA keys anymore. You will need to use RSA keys, or the
newer ECDSA or ED25519 key types.

-- 
Allan Jude
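
An added example, not part of the original thread: before moving off DSA, an administrator can list which `authorized_keys` entries are still `ssh-dss` and compute each key's SHA256 fingerprint in the same form as the `DSA SHA256:...` field in the auth.log line quoted above. The names `parse_key`, `find_dsa`, `fake_blob` and `SAMPLE` are made up for this sketch, and the sample keys are constructed placeholders, not real keys.

```python
import base64
import hashlib
import re

# authorized_keys line: [options] keytype base64-blob [comment]
KEY_RE = re.compile(
    r"(?:^|\s)(ssh-dss|ssh-rsa|ssh-ed25519|ecdsa-sha2-nistp(?:256|384|521))"
    r"\s+([A-Za-z0-9+/]+=*)(?:\s+(.*))?$")

def parse_key(line):
    """Return (keytype, fingerprint, comment), or None if no valid key is found."""
    m = KEY_RE.search(line.strip())
    if not m or line.lstrip().startswith("#"):
        return None
    keytype, b64, comment = m.group(1), m.group(2), m.group(3) or ""
    try:
        blob = base64.b64decode(b64, validate=True)
    except ValueError:
        return None
    # The blob begins with a length-prefixed copy of the key type; reject on mismatch.
    n = int.from_bytes(blob[:4], "big")
    if blob[4:4 + n] != keytype.encode():
        return None
    digest = hashlib.sha256(blob).digest()
    # Same form sshd logs: "SHA256:" + unpadded base64 of the digest.
    return keytype, "SHA256:" + base64.b64encode(digest).decode().rstrip("="), comment

def find_dsa(text):
    """List (line_number, fingerprint, comment) for every ssh-dss key in text."""
    hits = []
    for no, line in enumerate(text.splitlines(), 1):
        key = parse_key(line)
        if key and key[0] == "ssh-dss":
            hits.append((no, key[1], key[2]))
    return hits

def fake_blob(keytype):
    # Constructed placeholder: real type header, zero filler instead of key material.
    raw = len(keytype).to_bytes(4, "big") + keytype.encode() + bytes(32)
    return base64.b64encode(raw).decode()

SAMPLE = "\n".join([  # constructed sample authorized_keys content
    "# ssh-dss %s disabled key" % fake_blob("ssh-dss"),
    "ssh-dss %s admin@old-client" % fake_blob("ssh-dss"),
    'command="/bin/true",no-pty ssh-dss %s backup job' % fake_blob("ssh-dss"),
    "ssh-ed25519 %s admin@new-client" % fake_blob("ssh-ed25519"),
])

print(find_dsa(SAMPLE))
```

To check a real file, pass its contents to `find_dsa` and compare the fingerprints with those sshd logs on login.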
