* [gentoo-user] openssh-7.1_p1-r2 won't allow "nxserver" to connect
From: thelma @ 2015-11-14 6:08 UTC
To: Gentoo mailing list

I'm running: nxserver-freenx-0.7.3_p104-r7
After the recent upgrade, the system installed the new stable openssh-7.1_p1-r2.

The problem is the new openssh-7.1_p1-r2 will not allow my "nxserver" to connect; I get an error:
Permission denied (publickey,keyboard-interactive), see below:

nxsetup --test
...
<---- done

----> Testing your nxserver connection ...
Permission denied (publickey,keyboard-interactive).
Fatal error: Could not connect to NX Server.

Please check your ssh setup:

The following are _examples_ of what you might need to check.

- Make sure "nx" is one of the AllowUsers in sshd_config.
  (or that the line is outcommented/not there)
- Make sure "nx" is one of the AllowGroups in sshd_config.
  (or that the line is outcommented/not there)
- Make sure your sshd allows public key authentication.
- Make sure your sshd is really running on port 22.
- Make sure your sshd_config AuthorizedKeysFile in sshd_config is set to authorized_keys2.
  (this should be a filename not a pathname+filename)
- Make sure you allow ssh on localhost, this could come from some
  restriction of:
  -the tcp wrapper. Then add in /etc/hosts.allow: ALL:localhost
  -the iptables. add to it:
    $ iptables -A INPUT -i lo -j ACCEPT
    $ iptables -A OUTPUT -o lo -j ACCEPT

What I should be getting is this:
----> Testing your nxserver connection ...
HELLO NXSERVER - Version 3.2.0-74-TEAMBZR104 OS (GPL, using backend: 3.5.0)
NX> 105 quit
Quit
NX> 999 Bye
<--- done

I did not change anything in sshd_config.
But I downgraded to openssh-6.9_p1-r2 and nxserver connects OK.

What could be the problem with the new openssh-7.1_p1-r2?

--
Thelma
* Re: [gentoo-user] openssh-7.1_p1-r2 won't allow "nxserver" to connect
From: thelma @ 2015-11-14 6:49 UTC
To: Gentoo mailing list

Thelma

On 11/13/2015 11:08 PM, thelma@sys-concept.com wrote:
> I'm running: nxserver-freenx-0.7.3_p104-r7
> After recent upgrade, system installed new stable openssh-7.1_p1-r2
>
> The problem is the new openssh-7.1_p1-r2 will not allow my "nxserver" to connect, I get an error:
> Permission denied (publickey,keyboard-interactive) see below:
>
> nxsetup --test
> ...
> <---- done
>
> ----> Testing your nxserver connection ...
> Permission denied (publickey,keyboard-interactive).
> Fatal error: Could not connect to NX Server.
>
> Please check your ssh setup:
>
> The following are _examples_ of what you might need to check.
>
> - Make sure "nx" is one of the AllowUsers in sshd_config.
>   (or that the line is outcommented/not there)
> - Make sure "nx" is one of the AllowGroups in sshd_config.
>   (or that the line is outcommented/not there)
> - Make sure your sshd allows public key authentication.
> - Make sure your sshd is really running on port 22.
> - Make sure your sshd_config AuthorizedKeysFile in sshd_config is set to authorized_keys2.
>   (this should be a filename not a pathname+filename)
> - Make sure you allow ssh on localhost, this could come from some
>   restriction of:
>   -the tcp wrapper. Then add in /etc/hosts.allow: ALL:localhost
>   -the iptables. add to it:
>     $ iptables -A INPUT -i lo -j ACCEPT
>     $ iptables -A OUTPUT -o lo -j ACCEPT
>
> What I should be getting is this:
> ----> Testing your nxserver connection ...
> HELLO NXSERVER - Version 3.2.0-74-TEAMBZR104 OS (GPL, using backend: 3.5.0)
> NX> 105 quit
> Quit
> NX> 999 Bye
> <--- done
>
> I did not change anything in sshd_config.
> But I downgraded to: openssh-6.9_p1-r2 and nxserver connects OK.
>
> What could be the problem with new: openssh-7.1_p1-r2

I think the reason is that OpenSSH 7.0 disables ssh-dss keys by default
https://www.gentoo.org/support/news-items/2015-08-13-openssh-weak-keys.html

And nxserver is using ssh-dss keys by default.

I have to find a way to replace the ssh-dss key in /etc/nxserver/ with an RSA one.

Do I just run: ssh-keygen -t rsa
and copy the key pair to the /etc/nxserver/ directory?

--
Thelma
* Re: [gentoo-user] openssh-7.1_p1-r2 won't allow "nxserver" to connect
From: Mick @ 2015-11-14 11:11 UTC
To: gentoo-user

On Saturday 14 Nov 2015 06:49:22 thelma@sys-concept.com wrote:
> Thelma
>
> On 11/13/2015 11:08 PM, thelma@sys-concept.com wrote:
> > I'm running: nxserver-freenx-0.7.3_p104-r7
> > After recent upgrade, system installed new stable openssh-7.1_p1-r2
> >
> > The problem is the new openssh-7.1_p1-r2 will not allow my "nxserver"
> > to connect, I get an error: Permission denied
> > (publickey,keyboard-interactive) see below:
> >
> > nxsetup --test
> > ...
> > <---- done
> >
> > ----> Testing your nxserver connection ...
> > Permission denied (publickey,keyboard-interactive).
> > Fatal error: Could not connect to NX Server.
> >
> > Please check your ssh setup:
> >
> > The following are _examples_ of what you might need to check.
> >
> > - Make sure "nx" is one of the AllowUsers in sshd_config.
> >   (or that the line is outcommented/not there)
> > - Make sure "nx" is one of the AllowGroups in sshd_config.
> >   (or that the line is outcommented/not there)
> > - Make sure your sshd allows public key authentication.
> > - Make sure your sshd is really running on port 22.
> > - Make sure your sshd_config AuthorizedKeysFile in sshd_config is set to
> >   authorized_keys2.
> >   (this should be a filename not a pathname+filename)
> > - Make sure you allow ssh on localhost, this could come from some
> >   restriction of:
> >   -the tcp wrapper. Then add in /etc/hosts.allow: ALL:localhost
> >   -the iptables. add to it:
> >     $ iptables -A INPUT -i lo -j ACCEPT
> >     $ iptables -A OUTPUT -o lo -j ACCEPT
> >
> > What I should be getting is this:
> > ----> Testing your nxserver connection ...
> > HELLO NXSERVER - Version 3.2.0-74-TEAMBZR104 OS (GPL, using backend: 3.5.0)
> > NX> 105 quit
> > Quit
> > NX> 999 Bye
> > <--- done
> >
> > I did not change anything in sshd_config.
> > But I downgraded to: openssh-6.9_p1-r2 and nxserver connects OK.
> >
> > What could be the problem with new: openssh-7.1_p1-r2
>
> I think the reason is that OpenSSH 7.0 disables ssh-dss keys by default
> https://www.gentoo.org/support/news-items/2015-08-13-openssh-weak-keys.html
>
> And nxserver is using ssh-dss keys by default.
>
> I have to find a way to replace the ssh-dss key in: /etc/nxserver/
> with RSA one.
>
> Do I just run: ssh-keygen -t rsa
> and copy the key pair to /etc/nxserver/ directory?
>
> --
> Thelma

Since openssh-7.0 DSS keys are disabled, and about time too!

==========================================================
if has_version "<${CATEGORY}/${PN}-7.1_p1" ; then #557388
    elog "Starting with openssh-7.0, support for ssh-dss keys were disabled due to their"
    elog "weak sizes. If you rely on these key types, you can re-enable the key types by"
    elog "adding to your sshd_config:"
    elog " PubkeyAcceptedKeyTypes=+ssh-dss"
    elog "You should however generate new keys using rsa or ed25519."
fi
==========================================================

Also SHA1 hashes are disabled and you will get errors like these when you try
to login to a server which is still using deprecated ciphers:

Unable to negotiate with XXX.XX.XXX.X: no matching host key type found. Their offer: ssh-dss

Unable to negotiate with XXX.XX.XXX.X: no matching key exchange method found. Their offer: diffie-hellman-group1-sha1

If this is within your LAN and therefore relatively protected, you could
specify deprecated ciphers and hashes like so:

ssh -o KexAlgorithms=+diffie-hellman-group1-sha1 -o HostKeyAlgorithms=+ssh-dss my_user@XXX.XX.XXX.X

Alternatively, after you create a strong prime:

ssh-keygen -t rsa -b 4096

or probably better to use ed25519:

ssh-keygen -t ed25519

HTH.

--
Regards,
Mick
* Re: [gentoo-user] openssh-7.1_p1-r2 won't allow "nxserver" to connect
From: thelma @ 2015-11-14 15:54 UTC
To: gentoo-user

On 11/14/2015 04:11 AM, Mick wrote:
[snip]
>
> Since openssh-7.0 DSS keys are disabled and about time too!
>
> ==========================================================
> if has_version "<${CATEGORY}/${PN}-7.1_p1" ; then #557388
>     elog "Starting with openssh-7.0, support for ssh-dss keys were disabled due to their"
>     elog "weak sizes. If you rely on these key types, you can re-enable the key types by"
>     elog "adding to your sshd_config:"
>     elog " PubkeyAcceptedKeyTypes=+ssh-dss"
>     elog "You should however generate new keys using rsa or ed25519."
> fi
> ==========================================================
>
>
> Also SHA1 hashes are disabled and you will get errors like these when you try
> to login to a server which is still using deprecated ciphers:
>
> Unable to negotiate with XXX.XX.XXX.X: no matching host key type found. Their
> offer: ssh-dss
>
> Unable to negotiate with XXX.XX.XXX.X: no matching key exchange method found.
> Their offer: diffie-hellman-group1-sha1
>
> If this is within your LAN and therefore relatively protected, you could
> specify deprecated ciphers and hashes like so:
>
> ssh -o KexAlgorithms=+diffie-hellman-group1-sha1 -o HostKeyAlgorithms=+ssh-dss
> my_user@XXX.XX.XXX.X
>
>
> Alternatively, after you create a strong prime:
>
> ssh-keygen -t rsa -b 4096
>
>
> or probably better to use ed25519:
>
> ssh-keygen -t ed25519
>
> HTH.

The only software that uses an ssh-dss key and that I need is nxserver.

I just added a line to my sshd_config:
PubkeyAcceptedKeyTypes=+ssh-dss

restarted "sshd and nxserver" but nxserver still doesn't work; running
nxsetup --test I get:

----> Testing your nxserver connection ...
Permission denied (publickey,password,keyboard-interactive).
Fatal error: Could not connect to NX Server.

--
Thelma
* Re: [gentoo-user] openssh-7.1_p1-r2 won't allow "nxserver" to connect
From: Neil Bothwick @ 2015-11-14 21:22 UTC
To: gentoo-user

On Sat, 14 Nov 2015 08:54:38 -0700, thelma@sys-concept.com wrote:

> The only software that uses ssh-dss key and I need is nxserver.
>
> I just added a line to my: sshd_config
> PubkeyAcceptedKeyTypes=+ssh-dss

You should add this to a Host section, so it only enables the weak
encryption for that host.

> restarted "sshd and nxserver" but nxserver still doesn't work,
> running: nxsetup --test (I get):
>
> ----> Testing your nxserver connection ...
> Permission denied (publickey,password,keyboard-interactive).
> Fatal error: Could not connect to NX Server.

That doesn't look like the error you get from an unsupported key, which
is something like

Unable to negotiate with x.x.x.x: no matching host key type found. Their offer: ssh-dss

Is nxserver trying to connect as root? It looks more like the disabling
of passworded root logins in OpenSSH.

--
Neil Bothwick

What do you get if you cross an agnostic, an insomniac and a dyslexic?
Someone who lies awake at night wondering if there really is a dog.
* Re: [gentoo-user] openssh-7.1_p1-r2 won't allow "nxserver" to connect
From: thelma @ 2015-11-14 23:27 UTC
To: gentoo-user

On 11/14/2015 02:22 PM, Neil Bothwick wrote:
> On Sat, 14 Nov 2015 08:54:38 -0700, thelma@sys-concept.com wrote:
>
>> The only software that uses ssh-dss key and I need is nxserver.
>>
>> I just added a line to my: sshd_config
>> PubkeyAcceptedKeyTypes=+ssh-dss
>
> You should add this to a Host section, so it only enables the weak
> encryption for that host.
>
>> restarted "sshd and nxserver" but nxserver still doesn't work,
>> running: nxsetup --test (I get):
>>
>> ----> Testing your nxserver connection ...
>> Permission denied (publickey,password,keyboard-interactive).
>> Fatal error: Could not connect to NX Server.
>
> That doesn't look like the error you get from an unsupported key, which
> is something like
>
> Unable to negotiate with x.x.x.x: no matching host key type found. Their offer: ssh-dss
>
> Is nxserver trying to connect as root? It looks more like the disabling
> of passworded root logins in OpenSSH.

Here is my sshd_config: (nxserver works with openssh-6.9_p1-r2)
As soon as I upgrade to openssh-7, enable:
PubkeyAcceptedKeyTypes=+ssh-dss

restart: sshd
and nxserver gives me an error message (like above).

Yes, I'm running "nxsetup --test" as root.

# $OpenBSD: sshd_config,v 1.95 2015/04/27 21:42:48 djm Exp $

# This is the sshd server system-wide configuration file.  See
# sshd_config(5) for more information.

# This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin

# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented.  Uncommented options override the
# default value.

#Port 22
#AddressFamily any
#ListenAddress 0.0.0.0
#ListenAddress ::

# The default requires explicit activation of protocol 1
#Protocol 2

# HostKey for protocol version 1
#HostKey /etc/ssh/ssh_host_key
# HostKeys for protocol version 2
#HostKey /etc/ssh/ssh_host_rsa_key
#HostKey /etc/ssh/ssh_host_dsa_key
#HostKey /etc/ssh/ssh_host_ecdsa_key
#HostKey /etc/ssh/ssh_host_ed25519_key

# Lifetime and size of ephemeral version 1 server key
#KeyRegenerationInterval 1h
#ServerKeyBits 1024

# Ciphers and keying
#RekeyLimit default none

# Logging
# obsoletes QuietMode and FascistLogging
#SyslogFacility AUTH
#LogLevel INFO

# Authentication:

#LoginGraceTime 2m
#PermitRootLogin no
#StrictModes yes
#MaxAuthTries 6
#MaxSessions 10

#RSAAuthentication yes
#PubkeyAuthentication yes

# The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2
# but this is overridden so installations will only check .ssh/authorized_keys
#AuthorizedKeysFile	.ssh/authorized_keys

# Added Nov 14/15, needed for nxserver to work
# PubkeyAcceptedKeyTypes=+ssh-dss

#AuthorizedPrincipalsFile none

#AuthorizedKeysCommand none
#AuthorizedKeysCommandUser nobody

# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
#RhostsRSAAuthentication no
# similar for protocol version 2
#HostbasedAuthentication no
# Change to yes if you don't trust ~/.ssh/known_hosts for
# RhostsRSAAuthentication and HostbasedAuthentication
#IgnoreUserKnownHosts no
# Don't read the user's ~/.rhosts and ~/.shosts files
#IgnoreRhosts yes

# To disable tunneled clear text passwords, change to no here!
PasswordAuthentication yes
#PermitEmptyPasswords no

# Change to no to disable s/key passwords
#ChallengeResponseAuthentication yes

# Kerberos options
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
#KerberosGetAFSToken no

# GSSAPI options
#GSSAPIAuthentication no
#GSSAPICleanupCredentials yes

# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the ChallengeResponseAuthentication and
# PasswordAuthentication.  Depending on your PAM configuration,
# PAM authentication via ChallengeResponseAuthentication may bypass
# the setting of "PermitRootLogin without-password".
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and ChallengeResponseAuthentication to 'no'.
UsePAM yes

#AllowAgentForwarding yes
#AllowTcpForwarding yes
#GatewayPorts no
X11Forwarding yes
#X11DisplayOffset 10
#X11UseLocalhost yes
#PermitTTY yes
PrintMotd no
PrintLastLog no
#TCPKeepAlive yes
#UseLogin no
UsePrivilegeSeparation sandbox		# Default for new installations.
#PermitUserEnvironment no
#Compression delayed
#ClientAliveInterval 0
#ClientAliveCountMax 3
#UseDNS no
#PidFile /run/sshd.pid
#MaxStartups 10:30:100
#PermitTunnel no
#ChrootDirectory none
#VersionAddendum none

# no default banner path
#Banner none

# here are the new patched ldap related tokens
# entries in your LDAP must have posixAccount & ldapPublicKey objectclass
#UseLPK yes
#LpkLdapConf /etc/ldap.conf
#LpkServers  ldap://10.1.7.1/ ldap://10.1.7.2/
#LpkUserDN   ou=users,dc=phear,dc=org
#LpkGroupDN  ou=groups,dc=phear,dc=org
#LpkBindDN cn=Manager,dc=phear,dc=org
#LpkBindPw secret
#LpkServerGroup mail
#LpkFilter (hostAccess=master.phear.org)
#LpkForceTLS no
#LpkSearchTimelimit 3
#LpkBindTimelimit 3
#LpkPubKeyAttr sshPublicKey

# override default of no subsystems
Subsystem	sftp	/usr/lib64/misc/sftp-server

# the following are HPN related configuration options
# tcp receive buffer polling. disable in non autotuning kernels
#TcpRcvBufPoll yes

# disable hpn performance boosts
#HPNDisabled no

# buffer size for hpn to non-hpn connections
#HPNBufferSize 2048

# allow the use of the none cipher
#NoneEnabled no

# Example of overriding settings on a per-user basis
#Match User anoncvs
#	X11Forwarding no
#	AllowTcpForwarding no
#	PermitTTY no
#	ForceCommand cvs server

# Allow client to pass locale environment variables #367017
AcceptEnv LANG LC_*

--
Thelma
* Re: [gentoo-user] openssh-7.1_p1-r2 won't allow "nxserver" to connect
From: Neil Bothwick @ 2015-11-15 9:21 UTC
To: gentoo-user

On Sat, 14 Nov 2015 16:27:27 -0700, thelma@sys-concept.com wrote:

> >> ----> Testing your nxserver connection ...
> >> Permission denied (publickey,password,keyboard-interactive).
> >> Fatal error: Could not connect to NX Server.
> >
> > That doesn't look like the error you get from an unsupported key,
> > which is something like
> >
> > Unable to negotiate with x.x.x.x: no matching host key type found.
> > Their offer: ssh-dss
> >
> > Is nxserver trying to connect as root? It looks more like the
> > disabling of passworded root logins in OpenSSH.
>
> Here is my sshd_config: (nxserver works with openssh-6.9_p1-r2)
> As soon as I upgrade to openssh-7, enable:
> PubkeyAcceptedKeyTypes=+ssh-dss
>
> restart: sshd
> and nxserver gives me an error message (like above).

Which has nothing to do with keys

> Yes, I'm running "nxsetup --test" as root.

and everything to do with this. While the use of DSS keys may cause a
problem, you haven't reached that point yet because the default config
now blocks root logins. Add "PermitRootLogin without-password" to your
config.

--
Neil Bothwick

The computer revolution is over. The computers won.
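The thread turns on two sshd_config questions: whether the global PubkeyAcceptedKeyTypes=+ssh-dss line from the ebuild message (Mick's reply) is the right scope for re-enabling a weak key type, and what the effective PermitRootLogin is after the 7.0 default change (Neil's last reply). The following is an added example, written for this page and not code from the thread, OpenSSH or FreeNX. It parses an sshd_config with sshd's own rules (first value wins outside Match; a matching Match block overrides the global section; only the User and All criteria are evaluated here, other criteria are treated as non-matching) and reports, for a given login user, whether root public-key login is allowed, whether ssh-dss would be accepted, and whether the ssh-dss re-enable is global or scoped with a Match block (the server-side way to limit it to the nx account). The two sample configs, the finding names and the function names are constructed for this example; the only OpenSSH facts assumed are the 7.0 defaults of PermitRootLogin prohibit-password (without-password is the older spelling) and a default PubkeyAcceptedKeyTypes list without ssh-dss.

```python
import re
from dataclasses import dataclass, field

# OpenSSH 7.0 defaults (see the news item linked in the thread): root may not
# log in with a password, and ssh-dss is absent from the default key-type list.
DEFAULT_PERMIT_ROOT_LOGIN = "prohibit-password"
DEFAULT_DSS_IN_PUBKEY_TYPES = False

# keyword, then optional '=' or whitespace, then value (sshd_config allows both)
_LINE = re.compile(r"^\s*([A-Za-z][A-Za-z0-9]*)\s*=?\s*(.*?)\s*$")


@dataclass
class SshdConfig:
    global_opts: dict = field(default_factory=dict)   # keyword -> first value seen
    match_blocks: list = field(default_factory=list)  # [(criteria, {keyword: value})]


def _parse_match_criteria(spec):
    """'User nx,root' -> {'user': {'nx', 'root'}}; 'All' -> {'all': True}."""
    tokens = spec.replace("=", " ").split()
    if len(tokens) == 1 and tokens[0].lower() == "all":
        return {"all": True}
    if len(tokens) % 2:
        raise ValueError("malformed Match line: " + spec)
    return {tokens[i].lower(): set(tokens[i + 1].split(","))
            for i in range(0, len(tokens), 2)}


def parse_sshd_config(text):
    """Outside Match the first value for a keyword wins; each Match block keeps
    its own table (comments and blank lines are skipped)."""
    cfg = SshdConfig()
    target = cfg.global_opts
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = _LINE.match(line)
        if m is None:
            continue
        key, value = m.group(1).lower(), m.group(2)
        if key == "match":
            target = {}
            cfg.match_blocks.append((_parse_match_criteria(value), target))
            continue
        target.setdefault(key, value)
    return cfg


def _block_matches(criteria, user):
    """Only User (exact names) and All are evaluated; any other criterion
    (Address, Group, Host, ...) counts as non-matching, i.e. the global value."""
    if criteria.get("all"):
        return True
    return all(crit == "user" and user in names for crit, names in criteria.items())


def effective(cfg, keyword, user, default=None):
    """Value sshd applies for `user`: first matching Match block that sets the
    keyword overrides the global section."""
    keyword = keyword.lower()
    for criteria, opts in cfg.match_blocks:
        if keyword in opts and _block_matches(criteria, user):
            return opts[keyword]
    return cfg.global_opts.get(keyword, default)


def root_pubkey_login_allowed(cfg):
    """True if root may authenticate with an unrestricted public key."""
    value = effective(cfg, "PermitRootLogin", "root", DEFAULT_PERMIT_ROOT_LOGIN)
    return value.lower() in ("yes", "without-password", "prohibit-password")


def accepts_ssh_dss(cfg, user):
    """Apply the +list / -list / explicit-list forms of PubkeyAcceptedKeyTypes."""
    spec = effective(cfg, "PubkeyAcceptedKeyTypes", user)
    if spec is None:
        return DEFAULT_DSS_IN_PUBKEY_TYPES
    listed = "ssh-dss" in [t.strip().lower() for t in spec.lstrip("+-").split(",")]
    if spec.startswith("+"):
        return DEFAULT_DSS_IN_PUBKEY_TYPES or listed
    if spec.startswith("-"):
        return DEFAULT_DSS_IN_PUBKEY_TYPES and not listed
    return listed


def ssh_dss_scope(cfg):
    """'global' if every user may present ssh-dss, 'scoped' if only users named
    in Match blocks may, 'none' if nobody may."""
    if accepts_ssh_dss(SshdConfig(global_opts=cfg.global_opts), "anyone"):
        return "global"
    for criteria, _ in cfg.match_blocks:
        if criteria.get("all") and accepts_ssh_dss(cfg, "anyone"):
            return "global"
        if any(accepts_ssh_dss(cfg, u) for u in criteria.get("user", ())):
            return "scoped"
    return "none"


def diagnose(text, login_user):
    """Findings for a public-key login by `login_user` against this config."""
    cfg = parse_sshd_config(text)
    findings = []
    if login_user == "root" and not root_pubkey_login_allowed(cfg):
        findings.append("root-login-blocked")
    if not accepts_ssh_dss(cfg, login_user):
        findings.append("ssh-dss-rejected")
    if ssh_dss_scope(cfg) == "global":
        findings.append("ssh-dss-enabled-globally")
    return findings


# Constructed sample: the global line from the ebuild message, nothing else set.
GLOBAL_DSS = "PubkeyAcceptedKeyTypes=+ssh-dss\nPasswordAuthentication yes\n"

# Constructed sample: the same need met narrowly, ssh-dss only for the nx account.
SCOPED_DSS = """\
PermitRootLogin prohibit-password
PasswordAuthentication no
Match User nx
    PubkeyAcceptedKeyTypes +ssh-dss
"""

if __name__ == "__main__":
    for name, text in (("global", GLOBAL_DSS), ("scoped", SCOPED_DSS)):
        print(name, "nx:", diagnose(text, "nx"), "root:", diagnose(text, "root"))
```

Run against a real file with diagnose(open("/etc/ssh/sshd_config").read(), "nx"). The scoped sample is the shape to prefer if the DSS key cannot be replaced: the weak type is accepted only for the one account that needs it, and root keeps the 7.0 default of key-only login, which the checker reports as allowed rather than blocked.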