Passwordless SSH login to a remote server with DSA client public key keeps asking user for password

This document (000019837) is provided subject to the disclaimer at the end of this document.

Environment

SUSE Linux Enterprise Server 15
SUSE Linux Enterprise Server 12

Situation

A user logs in with a DSA SSH key to a remote server that lists the user's DSA SSH public key as a permitted key (for example, in the user's ~/.ssh/authorized_keys file), but the user's authentication still fails upon login.

A line similar to the following can be observed in the OpenSSH client session log:
debug1: Skipping ssh-dss key .ssh/id_dsa - corresponding algo not in PubkeyAcceptedAlgorithms


And a line similar to the following can be observed in the remote OpenSSH server log:

Dec 21 12:22:26 remotehost sshd[9463]: userauth_pubkey: key type ssh-dss not in PubkeyAcceptedKeyTypes [preauth]

Resolution

WARNING: OpenSSH 7.0 and greater disable the ssh-dss (DSA) public key algorithm. It is considered weak and is no longer recommended. This document covers how to re-enable it, if needed. However, the best option is to switch to a different key type. Strong algorithms such as rsa, ecdsa or ed25519 are preferred. An rsa key will give you the greatest portability with other implementations of SSH client/server software, while ed25519 will get you the best security while using the OpenSSH implementation.

To re-enable ssh-dss (DSA):

On the remote SSH server using OpenSSH, modify /etc/ssh/sshd_config so 'PubkeyAcceptedKeyTypes' includes 'ssh-dss' to accept DSA keys (see sshd_config(5) man page for details):
PubkeyAcceptedKeyTypes=+ssh-dss


It is good to validate the sshd configuration and check the modified option:

/usr/sbin/sshd -t

An example:

/usr/sbin/sshd -T | grep pubkeyacceptedkeytypes
pubkeyacceptedkeytypes ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521-cert-v01@openssh.com,sk-ecdsa-sha2-nistp256-cert-v01@openssh.com,ssh-ed25519-cert-v01@openssh.com,sk-ssh-ed25519-cert-v01@openssh.com,rsa-sha2-512-cert-v01@openssh.com,rsa-sha2-256-cert-v01@openssh.com,ssh-rsa-cert-v01@openssh.com,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,sk-ecdsa-sha2-nistp256@openssh.com,ssh-ed25519,sk-ssh-ed25519@openssh.com,rsa-sha2-512,rsa-sha2-256,ssh-rsa

Then restart sshd:

systemctl restart sshd.service

The OpenSSH client might need to be modified as well to allow use of the DSA SSH key. Either:

- add the following option to the 'ssh' command line:

-oPubkeyAcceptedAlgorithms=+ssh-dss


- or modify either the system or the user's ssh_config(5) (see the man page for details) to include:

PubkeyAcceptedAlgorithms=+ssh-dss
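
Because switching key types is the preferred fix, it helps to know which accounts still depend on DSA keys before deciding whether ssh-dss must be re-enabled at all. The following shell functions are an added example, not part of the original SUSE document: they list the ssh-dss entries in authorized_keys files. The function names and the sample entries are constructed for illustration.

```shell
#!/bin/sh
# Added example: list ssh-dss (DSA) entries in authorized_keys files.
# Function names and sample data are constructed for illustration.

# Print "file:line: comment" for every DSA public key in the given files.
# An authorized_keys entry is "[options] keytype base64-blob [comment]".
# Options may contain quoted spaces, so instead of parsing them we look
# for the token "ssh-dss" immediately followed by a blob carrying the DSA
# prefix (the base64 form of the length-prefixed string "ssh-dss").
find_dsa_keys() {
    awk '
        /^[ \t]*#/ { next }    # skip comments, including commented-out keys
        {
            for (i = 1; i < NF; i++) {
                if ($i == "ssh-dss" && $(i + 1) ~ /^AAAAB3NzaC1kc3M/) {
                    comment = (i + 2 <= NF) ? $(i + 2) : "(no comment)"
                    printf "%s:%d: %s\n", FILENAME, FNR, comment
                    next
                }
            }
        }
    ' "$@"
}

# Count the DSA entries in the given files.
count_dsa_keys() {
    find_dsa_keys "$@" | wc -l | tr -d ' '
}

# Write a constructed sample file to the path given as $1.
# The key blobs are truncated placeholders, not real keys.
write_sample_authorized_keys() {
    cat > "$1" <<'EOF'
# constructed sample authorized_keys
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIconstructed alice@laptop
ssh-dss AAAAB3NzaC1kc3MAAACBconstructed bob@oldhost
command="/usr/bin/rsync --server",no-pty ssh-dss AAAAB3NzaC1kc3MAAACBconstructed backup@cron
ssh-rsa AAAAB3NzaC1yc2EAAAADconstructed carol@ssh-dss-notes
EOF
}

# Usage on a server (run as root so every home directory is readable):
#   find_dsa_keys /home/*/.ssh/authorized_keys /root/.ssh/authorized_keys
```

Each reported entry identifies a user who needs a replacement key (for example ed25519) installed before the DSA entry can be removed.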

Cause

OpenSSH 7.0 and greater disable the ssh-dss (DSA) public key algorithm. It is considered weak and its use is not recommended.

Additional Information

  • https://www.openssh.com/txt/release-7.0
  • https://www.openssh.com/legacy.html
  • https://en.wikipedia.org/wiki/Digital_Signature_Algorithm
  • https://manpages.opensuse.org/Tumbleweed/openssh-server/sshd_config.5.en.html
  • https://manpages.opensuse.org/Tumbleweed/openssh-clients/ssh_config.5.en.html

Disclaimer

This Support Knowledgebase provides a valuable tool for SUSE customers and parties interested in our products and solutions to acquire information, ideas and learn from one another. Materials are provided for informational, personal or non-commercial use within your organization and are presented "AS IS" WITHOUT WARRANTY OF ANY KIND.

  • Document ID: 000019837
  • Creation Date: 19-Jan-2021
  • Modified Date: 21-Dec-2023
    • SUSE Linux Enterprise Server
