[SLL] Anybody know why my Ubuntu sshd server isn't taking my DSA public key?

Jarod Wilson jarod at wilsonet.com
Tue May 20 14:23:28 PDT 2008


On Tue, 2008-05-20 at 14:12 -0700, Xeno Campanoli wrote:
> Jarod Wilson wrote:
> > On Tue, 2008-05-20 at 16:38 -0400, Jarod Wilson wrote:
> >> On Tue, 2008-05-20 at 13:30 -0700, Xeno Campanoli wrote:
> >>> I'm able to log in to my CentOS server using a DSA public key and no 
> >>> password.  It has version:
> >>>
> >>> OpenSSH_4.3p2, OpenSSL 0.9.8b 04 May 2006
> >>>
> >>> but my Ubuntu server, which is Hardy, and has:
> >>>
> >>> OpenSSH_4.7p1 Debian-8ubuntu1.1, OpenSSL 0.9.8g 19 Oct 2007
> >>>
> >>> isn't taking the thing.  In both cases I insert the key to the 
> >>> .ssh/authorized_keys file using vim, and for the Ubuntu/Hardy I get 
> >>> prompted for a password.  Go figure that.  ???
> >> Probably ssh daemon configuration differences.
> >>
> >> man sshd_config
> > 
> > And/or what Bill said. Thought of that 3 seconds after hitting send, but
> > he beat me to it.
> > 
> > Also, for the record, DSA is somewhat frowned upon by those in the
> > security world, RSA is highly preferred.
> > 
> > 
> Okay, well it looks like it's a problem with DSA alright.  RSA works on 
> the same host relationship but the old DSA didn't.  I made a new DSA 
> key-pair and that works too.  I'll have to go read up on when or if DSA 
> is even recommended at all anymore.  At any rate, they do allow new ones 
> to work.

This original DSA cert wasn't by chance generated on an Ubuntu or
Debian system in the last 2 years and prior to, say, last week's gaping
hole discovered in Debian and derivatives' OpenSSL, was it? I think
Ubuntu pushed something to check for bunk keys and reject them.

> Funny how I never got the security update on CentOS.  I guess 
> that's a feature of their "enterprise" quality system.

I suppose to be a good citizen, perhaps RHEL and CentOS could stand to
do the same bunk key checks, but let's not slam CentOS for Debian's
screw-up, mmmkay?


-- 
Jarod Wilson
jarod at wilsonet.com
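Since the thread's advice comes down to checking what is actually in authorized_keys and moving from DSA to RSA, here is an added example (not from the list or any poster) that decodes the OpenSSH public-key wire format to inventory key types and sizes and flags lines that are not valid keys, such as a key an editor wrapped across two lines when it was pasted. The sample file, its comment strings and the integers in it are constructed for the demonstration and are not real keys.

```python
import base64

def _mpint(value):  # RFC 4251 mpint: 4-byte length, then big-endian magnitude with a sign byte
    raw = value.to_bytes((value.bit_length() + 8) // 8, "big")
    return len(raw).to_bytes(4, "big") + raw

def _read_string(blob, off):  # RFC 4251 string: 4-byte length, then that many bytes
    end = off + 4 + int.from_bytes(blob[off:off + 4], "big")
    if off + 4 > len(blob) or end > len(blob):
        raise ValueError("truncated key blob")
    return blob[off + 4:end], end

def build_pubkey(kind, *ints):  # constructed authorized_keys line; the integers are NOT a usable key
    blob = len(kind).to_bytes(4, "big") + kind.encode() + b"".join(_mpint(i) for i in ints)
    return f"{kind} {base64.b64encode(blob).decode()} constructed@example"

KEY_TYPES = {"ssh-dss", "ssh-rsa"}  # blob layout after the type string: ssh-dss = p, q, g, y ; ssh-rsa = e, n

def parse_pubkey_line(line):
    """Return (key type, size in bits of DSA p / RSA n); ValueError if the line is not a valid key."""
    fields = line.split()  # an options field such as from="..." may precede the type (quoted spaces not handled)
    idx = next((i for i, f in enumerate(fields) if f in KEY_TYPES), None)
    if idx is None or idx + 1 >= len(fields):
        raise ValueError("no recognised key type")
    kind = fields[idx]
    blob = base64.b64decode(fields[idx + 1], validate=True)  # bad characters or padding raise a ValueError subclass
    inner, off = _read_string(blob, 0)
    if inner != kind.encode():
        raise ValueError("blob type does not match declared type")
    raw, off = _read_string(blob, off)  # DSA p / RSA e
    if kind == "ssh-rsa":
        raw, off = _read_string(blob, off)  # RSA n
    return kind, int.from_bytes(raw, "big").bit_length()

def audit_authorized_keys(text):
    """One (lineno, status, detail) per key line: replace = DSA, weak = RSA under 2048 bits, ok, malformed."""
    report = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        try:
            kind, bits = parse_pubkey_line(line)
        except ValueError as exc:  # e.g. a key that the editor wrapped onto two lines when it was pasted
            report.append((lineno, "malformed", str(exc)))
            continue
        status = "replace" if kind == "ssh-dss" else "weak" if bits < 2048 else "ok"
        report.append((lineno, status, f"{kind} {bits}-bit"))
    return report

SAMPLE_DSA_LINE = build_pubkey("ssh-dss", (1 << 1023) + 1, (1 << 159) + 1, 2, 3)
SAMPLE_AUTHORIZED_KEYS = "\n".join([
    "# constructed sample, not real keys",
    SAMPLE_DSA_LINE,
    'from="10.0.0.0/8" ' + build_pubkey("ssh-rsa", 65537, (1 << 2047) + 1),
    build_pubkey("ssh-rsa", 65537, (1 << 1023) + 1),
    SAMPLE_DSA_LINE[:60] + "\n" + SAMPLE_DSA_LINE[60:],  # the same DSA key wrapped across two lines
])
```

Running `audit_authorized_keys` over a real file gives one verdict per line, so a pasted key that sshd silently ignores shows up as two "malformed" lines instead of a password prompt.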
