[SLL] Anybody know why my Ubuntu sshd server isn't taking my DSA public key?
Xeno Campanoli
xcampanoli at gmail.com
Tue May 20 15:07:25 PDT 2008
Jarod Wilson wrote:
> On Tue, 2008-05-20 at 14:12 -0700, Xeno Campanoli wrote:
>> Jarod Wilson wrote:
>>> On Tue, 2008-05-20 at 16:38 -0400, Jarod Wilson wrote:
>>>> On Tue, 2008-05-20 at 13:30 -0700, Xeno Campanoli wrote:
>>>>> I'm able to log in to my CentOS server using a DSA public key and no
>>>>> password. It has version:
>>>>>
>>>>> OpenSSH_4.3p2, OpenSSL 0.9.8b 04 May 2006
>>>>>
>>>>> but my Ubuntu server, which is Hardy, and has:
>>>>>
>>>>> OpenSSH_4.7p1 Debian-8ubuntu1.1, OpenSSL 0.9.8g 19 Oct 2007
>>>>>
>>>>> isn't taking the thing. In both cases I insert the key to the
>>>>> .ssh/authorized_keys file using vim, and for the Ubuntu/Hardy I get
>>>>> prompted for a password. Go figure that. ???
>>>> Probably ssh daemon configuration differences.
>>>>
>>>> man sshd_config
>>> And/or what Bill said. Thought of that 3 seconds after hitting send, but
>>> he beat me to it.
>>>
>>> Also, for the record, DSA is somewhat frowned upon by those in the
>>> security world, RSA is highly preferred.
>>>
>>>
>> Okay, well it looks like it's a problem with DSA alright. RSA works on
>> the same host relationship but the old DSA didn't. I made a new DSA
>> key-pair and that works too. I'll have to go read up on when or if DSA
>> is even recommended at all anymore. At any rate, they do allow new ones
>> to work.
>
> This original DSA cert wasn't by chance generated on an Ubuntu or
> Debian system in the last 2 years and prior to say, last week's gaping
> hole discovered in Debian and derivatives' openssl, was it? I think
> Ubuntu pushed something to check for bunk keys and reject them.
>
>> Funny how I never got the security update on CentOS. I guess
>> that's a feature of their "enterprise" quality system.
>
> I suppose to be a good citizen, perhaps RHEL and CentOS could stand to
> do the same bunk key checks, but let's not slam CentOS for Debian's
> screw-up, mmmkay?
>
>
I guess I stand corrected. Yes, it was on my Ubuntu machine from less
than three months ago that generated the key. Oh well. That's not the
first time this week being too quickly flippant has been to my ill.
Excuse me.
;^)
xc
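
The thread above suggests Ubuntu now checks for known-weak keys and rejects them. As an added example (not code from this thread or from Ubuntu), this is one way to audit an authorized_keys file against such a list, assuming the list format documented for Debian/Ubuntu's ssh-vulnkey: one entry per line, the lower-case hex MD5 fingerprint of the public key blob with its first 12 characters removed. The sample keys and list entry are constructed placeholders, and the function names are hypothetical.

```python
import base64
import hashlib
import struct

KEY_TYPES = ("ssh-dss", "ssh-rsa")

def key_blob(line):
    """Return (type, decoded blob) for an authorized_keys line, else None."""
    fields = [] if line.lstrip().startswith("#") else line.split()
    for i, field in enumerate(fields[:-1]):  # options may precede the type
        if field in KEY_TYPES:
            try:
                blob = base64.b64decode(fields[i + 1], validate=True)
            except ValueError:
                return None
            # A valid blob begins with a length-prefixed copy of the type name.
            if not blob.startswith(struct.pack(">I", len(field)) + field.encode()):
                return None
            return field, blob
    return None

def md5_fingerprint(blob):
    return hashlib.md5(blob).hexdigest()

def load_blacklist(lines):
    """Keep the 20-hex-character entries; skip '#' comments and blank lines."""
    return {e for e in map(str.strip, lines) if len(e) == 20 and not e.startswith("#")}

def audit(authorized_keys_text, blacklist):
    """Return [(line_number, key_type, md5_hex)] for keys found on the blacklist."""
    hits = []
    for number, line in enumerate(authorized_keys_text.splitlines(), 1):
        parsed = key_blob(line)
        if parsed and md5_fingerprint(parsed[1])[12:] in blacklist:
            hits.append((number, parsed[0], md5_fingerprint(parsed[1])))
    return hits

# Constructed sample data: placeholder blobs, not real keys or real list entries.
def _sample_line(key_type, filler, comment):
    blob = b"".join(struct.pack(">I", len(p)) + p for p in (key_type.encode(), filler))
    return "%s %s %s" % (key_type, base64.b64encode(blob).decode(), comment), blob

OLD_LINE, OLD_BLOB = _sample_line("ssh-dss", b"\x01" * 64, "old-key@example")
NEW_LINE, NEW_BLOB = _sample_line("ssh-dss", b"\x02" * 64, "new-key@example")
SAMPLE_KEYS = "# constructed authorized_keys\n" + OLD_LINE + "\n" + NEW_LINE + "\n"
SAMPLE_BLACKLIST = load_blacklist(["# constructed list", md5_fingerprint(OLD_BLOB)[12:]])

if __name__ == "__main__":
    print(audit(SAMPLE_KEYS, SAMPLE_BLACKLIST))
```

Any key the audit reports should be removed from authorized_keys and replaced with a freshly generated pair, which matches what worked in the thread.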