From: Mick
To: gentoo-user@lists.gentoo.org
Subject: Re: [gentoo-user] openssh-7.1_p1-r2 won't allow "nxserver" to connect
Date: Sat, 14 Nov 2015 11:11:17 +0000
User-Agent: KMail/1.13.7 (Linux/4.1.12-gentoo; KDE/4.14.8; x86_64; ; )
References: <5646CFD7.9030708@sys-concept.com> <5646D972.4010300@sys-concept.com>
In-Reply-To: <5646D972.4010300@sys-concept.com>
Message-Id: <201511141111.26221.michaelkintzios@gmail.com>

On Saturday 14 Nov 2015 06:49:22 thelma@sys-concept.com wrote:
> Thelma
>
> On 11/13/2015 11:08 PM, thelma@sys-concept.com wrote:
> > I'm running: nxserver-freenx-0.7.3_p104-r7
> > After recent upgrade, system installed new stable openssh-7.1_p1-r2
> >
> > The problem is the new openssh-7.1_p1-r2 will not allow my "nxserver"
> > to connect, I get an error: Permission denied
> > (publickey,keyboard-interactive) see below:
> >
> > nxsetup --test
> > ...
> > <---- done
> >
> > ----> Testing your nxserver connection ...
> > Permission denied (publickey,keyboard-interactive).
> > Fatal error: Could not connect to NX Server.
> >
> > Please check your ssh setup:
> >
> > The following are _examples_ of what you might need to check.
> >
> > - Make sure "nx" is one of the AllowUsers in sshd_config.
> >     (or that the line is outcommented/not there)
> >
> > - Make sure "nx" is one of the AllowGroups in sshd_config.
> >     (or that the line is outcommented/not there)
> >
> > - Make sure your sshd allows public key authentication.
> > - Make sure your sshd is really running on port 22.
> > - Make sure your sshd_config AuthorizedKeysFile in sshd_config is set to
> >   authorized_keys2.
> >     (this should be a filename not a pathname+filename)
> >
> > - Make sure you allow ssh on localhost, this could come from some
> >   restriction of:
> >   -the tcp wrapper. Then add in /etc/hosts.allow: ALL:localhost
> >   -the iptables. add to it:
> >   $ iptables -A INPUT -i lo -j ACCEPT
> >   $ iptables -A OUTPUT -o lo -j ACCEPT
> >
> > What I should be getting is this:
> > ----> Testing your nxserver connection ...
> > HELLO NXSERVER - Version 3.2.0-74-TEAMBZR104 OS (GPL, using backend:
> > 3.5.0) NX> 105 quit
> > Quit
> > NX> 999 Bye
> > <--- done
> >
> > I did not change anything in sshd_config.
> > But I downgraded to: openssh-6.9_p1-r2 and nxserver connects OK.
> >
> > What could be the problem with new: openssh-7.1_p1-r2
>
> I think the reason is that OpenSSH 7.0 disables ssh-dss keys by default
> https://www.gentoo.org/support/news-items/2015-08-13-openssh-weak-keys.html
>
> And nxserver is using ssh-dss keys by default.
>
> I have to find a way to replace the ssh-dss key in: /etc/nxserver/
> with RSA one.
>
> Do I just run: ssh-keygen -t rsa
> and copy the key pair to /etc/nxserver/ directory?
>
> --
> Thelma

Since openssh-7.0 DSS keys are disabled and about time too!
======================================================================
  if has_version "<${CATEGORY}/${PN}-7.1_p1" ; then #557388
          elog "Starting with openssh-7.0, support for ssh-dss keys were disabled due to their"
          elog "weak sizes. If you rely on these key types, you can re-enable the key types by"
          elog "adding to your sshd_config:"
          elog "  PubkeyAcceptedKeyTypes=+ssh-dss"
          elog "You should however generate new keys using rsa or ed25519."
  fi
======================================================================

Also SHA1 hashes are disabled and you will get errors like these when you try
to login to a server which is still using deprecated ciphers:

Unable to negotiate with XXX.XX.XXX.X: no matching host key type found. Their
offer: ssh-dss
Unable to negotiate with XXX.XX.XXX.X: no matching key exchange method found.
Their offer: diffie-hellman-group1-sha1

If this is within your LAN and therefore relatively protected, you could
specify deprecated ciphers and hashes like so:

ssh -o KexAlgorithms=+diffie-hellman-group1-sha1 -o HostKeyAlgorithms=+ssh-dss my_user@XXX.XX.XXX.X

Alternatively, after you create a strong prime:

ssh-keygen -t rsa -b 4096

or probably better to use ed25519:

ssh-keygen -t ed25519

HTH.
-- 
Regards,
Mick
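The audit that Mick's reply implies, as an added example that is not part of the thread and not code from the OpenSSH or Gentoo projects: a POSIX shell script that counts the ssh-dss entries in an authorized_keys file, reports which owners still need a new key, and checks whether an sshd_config re-enables ssh-dss server-wide through the PubkeyAcceptedKeyTypes line quoted from the ebuild. The authorized_keys and sshd_config contents, their placeholder key bodies, and the function names are all constructed for this example.

```shell
#!/bin/sh
# Added example, not code from the mailing-list thread: audit a host for the
# ssh-dss material that OpenSSH 7.0 stopped accepting, so the keys can be
# rotated to ed25519 instead of re-enabling the weak type globally.
# All input files below are constructed here with placeholder key bodies.

AUTH_KEYS="$(mktemp)"
SSHD_CFG_LEGACY="$(mktemp)"
SSHD_CFG_HARDENED="$(mktemp)"
trap 'rm -f "$AUTH_KEYS" "$SSHD_CFG_LEGACY" "$SSHD_CFG_HARDENED"' EXIT

# Constructed authorized_keys: one DSS key (the nxserver case), two modern ones.
cat > "$AUTH_KEYS" <<'EOF'
ssh-dss AAAAB3NzaC1kc3MAAACBAPLACEHOLDER nx@nxserver
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQPLACEHOLDER admin@host
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDER mick@dell_xps
EOF

# Constructed sshd_config that applies the ebuild's re-enable hint globally.
cat > "$SSHD_CFG_LEGACY" <<'EOF'
Port 22
PubkeyAuthentication yes
PubkeyAcceptedKeyTypes +ssh-dss
AuthorizedKeysFile authorized_keys2
EOF

# Same config with the hint commented out, i.e. the default OpenSSH 7.x policy.
cat > "$SSHD_CFG_HARDENED" <<'EOF'
Port 22
PubkeyAuthentication yes
#PubkeyAcceptedKeyTypes +ssh-dss
AuthorizedKeysFile authorized_keys2
EOF

# count_dss_keys FILE
# Number of ssh-dss entries in an authorized_keys file. Entries that carry a
# leading options field (command="...", from="...") are not matched here.
count_dss_keys() {
    awk '$1 == "ssh-dss" { n++ } END { print n + 0 }' "$1"
}

# list_dss_keys FILE
# Print the comment field of each ssh-dss entry so its owner can be rotated.
list_dss_keys() {
    awk '$1 == "ssh-dss" { print $NF }' "$1"
}

# dss_reenabled CFG
# Exit 0 if an active (uncommented) PubkeyAcceptedKeyTypes line lists ssh-dss.
dss_reenabled() {
    grep -Eiq '^[[:space:]]*PubkeyAcceptedKeyTypes[[:space:]]+.*ssh-dss' "$1"
}

# audit KEYS CFG
# Human-readable report; the three functions above are what a script reuses.
audit() {
    n="$(count_dss_keys "$1")"
    echo "ssh-dss keys in $1: $n"
    if [ "$n" -gt 0 ]; then
        list_dss_keys "$1" | sed 's/^/  rotate: /'
    fi
    if dss_reenabled "$2"; then
        echo "$2 re-enables ssh-dss server-wide; remove that line once keys are rotated"
    else
        echo "$2 keeps the OpenSSH 7.0 default (ssh-dss rejected)"
    fi
    echo "replacement: ssh-keygen -t ed25519 -f /path/to/new_key, then update authorized_keys"
}

audit "$AUTH_KEYS" "$SSHD_CFG_LEGACY"
audit "$AUTH_KEYS" "$SSHD_CFG_HARDENED"
```

Running the script prints one report per constructed config. The design point is that the server-side PubkeyAcceptedKeyTypes line from the ebuild lowers the policy for every client of that sshd, whereas the client-side -o options in Mick's reply only affect one connection to one host; the audit exists so the server-wide line can be removed as soon as the listed keys are rotated.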