On Saturday 14 Nov 2015 06:49:22 thelma@sys-concept.com wrote:
> Thelma
>
> On 11/13/2015 11:08 PM, thelma@sys-concept.com wrote:
> > I'm running: nxserver-freenx-0.7.3_p104-r7
> > After recent upgrade, system installed new stable openssh-7.1_p1-r2
> >
> > The problem is the new openssh-7.1_p1-r2 will not allow my "nxserver"
> > to connect, I get an error: Permission denied
> > (publickey,keyboard-interactive) see below:
> >
> > nxsetup --test
> > ...
> > <---- done
> >
> > ----> Testing your nxserver connection ...
> > Permission denied (publickey,keyboard-interactive).
> > Fatal error: Could not connect to NX Server.
> >
> > Please check your ssh setup:
> >
> > The following are _examples_ of what you might need to check.
> >
> > - Make sure "nx" is one of the AllowUsers in sshd_config.
> >
> >   (or that the line is outcommented/not there)
> >
> > - Make sure "nx" is one of the AllowGroups in sshd_config.
> >
> >   (or that the line is outcommented/not there)
> >
> > - Make sure your sshd allows public key authentication.
> > - Make sure your sshd is really running on port 22.
> > - Make sure your sshd_config AuthorizedKeysFile in sshd_config is set to
> >   authorized_keys2.
> >
> >   (this should be a filename not a pathname+filename)
> >
> > - Make sure you allow ssh on localhost, this could come from some
> >
> >   restriction of:
> >   -the tcp wrapper. Then add in /etc/hosts.allow: ALL:localhost
> >
> >   -the iptables. add to it:
> >     $ iptables -A INPUT -i lo -j ACCEPT
> >     $ iptables -A OUTPUT -o lo -j ACCEPT
> >
> > What I should be getting is this:
> > ----> Testing your nxserver connection ...
> > HELLO NXSERVER - Version 3.2.0-74-TEAMBZR104 OS (GPL, using backend:
> > 3.5.0) NX> 105 quit
> > Quit
> > NX> 999 Bye
> > <--- done
> >
> > I did not change anything in sshd_config.
> > But I downgraded to: openssh-6.9_p1-r2 and nxserver connects OK.
> >
> > What could be the problem with new: openssh-7.1_p1-r2
>
> I think the reason is that OpenSSH 7.0 disables ssh-dss keys by default
> https://www.gentoo.org/support/news-items/2015-08-13-openssh-weak-keys.html
>
> And nxserver is using ssh-dss keys by default.
>
> I have to find a way to replace the ssh-dss key in: /etc/nxserver/
> with RSA one.
>
> Do I just run: ssh-keygen -t rsa
> and copy the key pair to /etc/nxserver/ directory?
>
> --
> Thelma

Since openssh-7.0 DSS keys are disabled and about time too!

==========================================================
if has_version "<${CATEGORY}/${PN}-7.1_p1" ; then #557388
    elog "Starting with openssh-7.0, support for ssh-dss keys were disabled due to their"
    elog "weak sizes. If you rely on these key types, you can re-enable the key types by"
    elog "adding to your sshd_config:"
    elog " PubkeyAcceptedKeyTypes=+ssh-dss"
    elog "You should however generate new keys using rsa or ed25519."
fi
==========================================================

Also SHA1 hashes are disabled and you will get errors like these when you try
to log in to a server which is still using deprecated ciphers:

  Unable to negotiate with XXX.XX.XXX.X: no matching host key type found. Their offer: ssh-dss

  Unable to negotiate with XXX.XX.XXX.X: no matching key exchange method found. Their offer: diffie-hellman-group1-sha1

If this is within your LAN and therefore relatively protected, you could
specify deprecated ciphers and hashes like so:

  ssh -o KexAlgorithms=+diffie-hellman-group1-sha1 -o HostKeyAlgorithms=+ssh-dss my_user@XXX.XX.XXX.X

Alternatively, after you create a strong prime:

  ssh-keygen -t rsa -b 4096

or probably better to use ed25519:

  ssh-keygen -t ed25519

HTH.

--
Regards,
Mick
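
Added example, not part of the thread above and not code from either poster: a small shell check that lists the ssh-dss entries in authorized_keys-style files, so the keys OpenSSH 7.0 stops accepting can be found and replaced with rsa or ed25519 ones. The sample entries, the wrapper path and the helper names (find_dss_keys, write_sample) are constructed for illustration; the blobs are truncated and are not real keys.

```shell
#!/bin/sh
# Added example: report ssh-dss entries in authorized_keys-style files
# so they can be regenerated as rsa or ed25519 keys.

# find_dss_keys FILE...
# Prints "file:line: comment" for each ssh-dss public key entry.
find_dss_keys() {
    awk '
        /^[ \t]*(#|$)/ { next }            # skip comments and blank lines
        {
            for (i = 1; i <= NF; i++) {
                # A public key blob is base64 of a length-prefixed type
                # string; the encoding of "ssh-dss" always starts like this,
                # whatever options or label precede the blob on the line.
                if (index($i, "AAAAB3NzaC1kc3M") == 1) {
                    comment = (i < NF) ? $(i + 1) : "(no comment)"
                    printf "%s:%d: %s\n", FILENAME, FNR, comment
                    next
                }
            }
        }
    ' "$@"
}

# write_sample FILE: constructed entries (hypothetical path, truncated blobs).
write_sample() {
    cat > "$1" <<'EOF'
# constructed sample, not real keys
no-port-forwarding,command="/opt/example/wrapper" ssh-dss AAAAB3NzaC1kc3MAAACBAconstructed nx@example
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABconstructed alice@example
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIconstructed bob@example
ssh-dss AAAAB3NzaC1kc3MAAACBAconstructed2
EOF
}

# Demo run on the constructed sample.
sample=$(mktemp) && write_sample "$sample"
find_dss_keys "$sample"
rm -f "$sample"
```

Point find_dss_keys at the real files (for example the authorized_keys2 file named in the nxsetup output) to see which entries still need a replacement key.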