[gentoo-user] openssh-7.1_p1-r2 won't allow "nxserver" to connect

[gentoo-user] openssh-7.1_p1-r2 won't allow "nxserver" to connect

[thelma]

I'm running: nxserver-freenx-0.7.3_p104-r7
After recent upgrade, system installed new stable openssh-7.1_p1-r2

The problem is the new openssh-7.1_p1-r2 will not allow my my "nxserver" to connect, I get an error:
Permission denied (publickey,keyboard-interactive) see below:
 
nxsetup --test
...
<---- done

----> Testing your nxserver connection ...
Permission denied (publickey,keyboard-interactive).
Fatal error: Could not connect to NX Server.

Please check your ssh setup:

The following are _examples_ of what you might need to check.

	- Make sure "nx" is one of the AllowUsers in sshd_config.
    (or that the line is outcommented/not there)
	- Make sure "nx" is one of the AllowGroups in sshd_config.
    (or that the line is outcommented/not there)
	- Make sure your sshd allows public key authentication.
	- Make sure your sshd is really running on port 22.
	- Make sure your sshd_config AuthorizedKeysFile in sshd_config is set to authorized_keys2.
    (this should be a filename not a pathname+filename)
  - Make sure you allow ssh on localhost, this could come from some
    restriction of:
      -the tcp wrapper. Then add in /etc/hosts.allow: ALL:localhost
      -the iptables. add to it:
         $ iptables -A INPUT  -i lo -j ACCEPT
         $ iptables -A OUTPUT -o lo -j ACCEPT

What I should be getting is this:
----> Testing your nxserver connection ...
HELLO NXSERVER - Version 3.2.0-74-TEAMBZR104 OS (GPL, using backend: 3.5.0)
NX> 105 quit
Quit
NX> 999 Bye
<--- done

I did not change anything in sshd_config.
But I downgraded to: openssh-6.9_p1-r2 and nxserver connects OK.

What could be the problem with new: openssh-7.1_p1-r2

-- 
Thelma

Re: [gentoo-user] openssh-7.1_p1-r2 won't allow "nxserver" to connect

[thelma]

Thelma

On 11/13/2015 11:08 PM, thelma@sys-concept.com wrote:
> I'm running: nxserver-freenx-0.7.3_p104-r7
> After recent upgrade, system installed new stable openssh-7.1_p1-r2
> 
> The problem is the new openssh-7.1_p1-r2 will not allow my my "nxserver" to connect, I get an error:
> Permission denied (publickey,keyboard-interactive) see below:
>  
> nxsetup --test
> ...
> <---- done
> 
> ----> Testing your nxserver connection ...
> Permission denied (publickey,keyboard-interactive).
> Fatal error: Could not connect to NX Server.
> 
> Please check your ssh setup:
> 
> The following are _examples_ of what you might need to check.
> 
> 	- Make sure "nx" is one of the AllowUsers in sshd_config.
>     (or that the line is outcommented/not there)
> 	- Make sure "nx" is one of the AllowGroups in sshd_config.
>     (or that the line is outcommented/not there)
> 	- Make sure your sshd allows public key authentication.
> 	- Make sure your sshd is really running on port 22.
> 	- Make sure your sshd_config AuthorizedKeysFile in sshd_config is set to authorized_keys2.
>     (this should be a filename not a pathname+filename)
>   - Make sure you allow ssh on localhost, this could come from some
>     restriction of:
>       -the tcp wrapper. Then add in /etc/hosts.allow: ALL:localhost
>       -the iptables. add to it:
>          $ iptables -A INPUT  -i lo -j ACCEPT
>          $ iptables -A OUTPUT -o lo -j ACCEPT
> 
> What I should be getting is this:
> ----> Testing your nxserver connection ...
> HELLO NXSERVER - Version 3.2.0-74-TEAMBZR104 OS (GPL, using backend: 3.5.0)
> NX> 105 quit
> Quit
> NX> 999 Bye
> <--- done
> 
> I did not change anything in sshd_config.
> But I downgraded to: openssh-6.9_p1-r2 and nxserver connects OK.
> 
> What could be the problem with new: openssh-7.1_p1-r2

I think the reason is that OpenSSH 7.0 disables ssh-dss keys by default
https://www.gentoo.org/support/news-items/2015-08-13-openssh-weak-keys.html

And and nxserver is using ssh-dss keys by default.

I have to find a way a way to replace the ssh-dss key in: /etc/nxserver/ with RSA one.

Do I just run: ssh-keygen -t rsa
and copy the key pair to /etc/nxserver/ directory? 

--
Thelma
 

Re: [gentoo-user] openssh-7.1_p1-r2 won't allow "nxserver" to connect

[Mick]

[-- Attachment #1: Type: Text/Plain, Size: 3902 bytes --]

On Saturday 14 Nov 2015 06:49:22 thelma@sys-concept.com wrote:
> Thelma
> 
> On 11/13/2015 11:08 PM, thelma@sys-concept.com wrote:
> > I'm running: nxserver-freenx-0.7.3_p104-r7
> > After recent upgrade, system installed new stable openssh-7.1_p1-r2
> > 
> > The problem is the new openssh-7.1_p1-r2 will not allow my my "nxserver"
> > to connect, I get an error: Permission denied
> > (publickey,keyboard-interactive) see below:
> > 
> > nxsetup --test
> > ...
> > <---- done
> > 
> > ----> Testing your nxserver connection ...
> > Permission denied (publickey,keyboard-interactive).
> > Fatal error: Could not connect to NX Server.
> > 
> > Please check your ssh setup:
> > 
> > The following are _examples_ of what you might need to check.
> > 
> > 	- Make sure "nx" is one of the AllowUsers in sshd_config.
> > 	
> >     (or that the line is outcommented/not there)
> > 	
> > 	- Make sure "nx" is one of the AllowGroups in sshd_config.
> > 	
> >     (or that the line is outcommented/not there)
> > 	
> > 	- Make sure your sshd allows public key authentication.
> > 	- Make sure your sshd is really running on port 22.
> > 	- Make sure your sshd_config AuthorizedKeysFile in sshd_config is set 
to
> > 	authorized_keys2.
> > 	
> >     (this should be a filename not a pathname+filename)
> >   
> >   - Make sure you allow ssh on localhost, this could come from some
> >   
> >     restriction of:
> >       -the tcp wrapper. Then add in /etc/hosts.allow: ALL:localhost
> >       
> >       -the iptables. add to it:
> >          $ iptables -A INPUT  -i lo -j ACCEPT
> >          $ iptables -A OUTPUT -o lo -j ACCEPT
> > 
> > What I should be getting is this:
> > ----> Testing your nxserver connection ...
> > HELLO NXSERVER - Version 3.2.0-74-TEAMBZR104 OS (GPL, using backend:
> > 3.5.0) NX> 105 quit
> > Quit
> > NX> 999 Bye
> > <--- done
> > 
> > I did not change anything in sshd_config.
> > But I downgraded to: openssh-6.9_p1-r2 and nxserver connects OK.
> > 
> > What could be the problem with new: openssh-7.1_p1-r2
> 
> I think the reason is that OpenSSH 7.0 disables ssh-dss keys by default
> https://www.gentoo.org/support/news-items/2015-08-13-openssh-weak-keys.html
> 
> And and nxserver is using ssh-dss keys by default.
> 
> I have to find a way a way to replace the ssh-dss key in: /etc/nxserver/
> with RSA one.
> 
> Do I just run: ssh-keygen -t rsa
> and copy the key pair to /etc/nxserver/ directory?
> 
> --
> Thelma

Since openssh-7.0 DSS keys are disabled and about time too!

==========================================================
if has_version "<${CATEGORY}/${PN}-7.1_p1" ; then #557388
        elog "Starting with openssh-7.0, support for ssh-dss keys were 
disabled due to their"
        elog "weak sizes.  If you rely on these key types, you can re-enable 
the key types by"
        elog "adding to your sshd_config:"
        elog "  PubkeyAcceptedKeyTypes=+ssh-dss"
        elog "You should however generate new keys using rsa or ed25519."
fi
==========================================================


Also SHA1 hashes are disabled and you will get errors like these when you try 
to login to a server which is still using deprecated ciphers:

Unable to negotiate with XXX.XX.XXX.X: no matching host key type found. Their 
offer: ssh-dss

Unable to negotiate with XXX.XX.XXX.X: no matching key exchange method found. 
Their offer: diffie-hellman-group1-sha1

If this is within your LAN and therefore relatively protected, you could 
specify deprecated ciphers and hashes like so:

ssh -o KexAlgorithms=+diffie-hellman-group1-sha1 -o HostKeyAlgorithms=+ssh-dss 
my_user@XXX.XX.XXX.X


Alternatively, after you create a strong prime:

ssh-keygen -t rsa -b 4096


or probably better to use ed25519:

ssh-keygen -t ed25519

HTH.
-- 
Regards,
Mick

[-- Attachment #2: This is a digitally signed message part. --]
[-- Type: application/pgp-signature, Size: 473 bytes --]

Re: [gentoo-user] openssh-7.1_p1-r2 won't allow "nxserver" to connect

[thelma]

On 11/14/2015 04:11 AM, Mick wrote:
[snip]
> 
> Since openssh-7.0 DSS keys are disabled and about time too!
> 
> ==========================================================
> if has_version "<${CATEGORY}/${PN}-7.1_p1" ; then #557388
>         elog "Starting with openssh-7.0, support for ssh-dss keys were 
> disabled due to their"
>         elog "weak sizes.  If you rely on these key types, you can re-enable 
> the key types by"
>         elog "adding to your sshd_config:"
>         elog "  PubkeyAcceptedKeyTypes=+ssh-dss"
>         elog "You should however generate new keys using rsa or ed25519."
> fi
> ==========================================================
> 
> 
> Also SHA1 hashes are disabled and you will get errors like these when you try 
> to login to a server which is still using deprecated ciphers:
> 
> Unable to negotiate with XXX.XX.XXX.X: no matching host key type found. Their 
> offer: ssh-dss
> 
> Unable to negotiate with XXX.XX.XXX.X: no matching key exchange method found. 
> Their offer: diffie-hellman-group1-sha1
> 
> If this is within your LAN and therefore relatively protected, you could 
> specify deprecated ciphers and hashes like so:
> 
> ssh -o KexAlgorithms=+diffie-hellman-group1-sha1 -o HostKeyAlgorithms=+ssh-dss 
> my_user@XXX.XX.XXX.X
> 
> 
> Alternatively, after you create a strong prime:
> 
> ssh-keygen -t rsa -b 4096
> 
> 
> or probably better to use ed25519:
> 
> ssh-keygen -t ed25519
> 
> HTH.

The only software that uses ssh-dss key and I need is nxserver.

I just added a line to my: sshd_config
PubkeyAcceptedKeyTypes=+ssh-dss

restarted "sshd and nxserver" but I nxserver still doesn't work,
running:  nxsetup --test (I get):

----> Testing your nxserver connection ...
Permission denied (publickey,password,keyboard-interactive).
Fatal error: Could not connect to NX Server.

--
Thelma

Re: [gentoo-user] openssh-7.1_p1-r2 won't allow "nxserver" to connect

[Neil Bothwick]

[-- Attachment #1: Type: text/plain, Size: 1049 bytes --]

On Sat, 14 Nov 2015 08:54:38 -0700, thelma@sys-concept.com wrote:

> The only software that uses ssh-dss key and I need is nxserver.
> 
> I just added a line to my: sshd_config
> PubkeyAcceptedKeyTypes=+ssh-dss

You should add this to a Host section, so it only enables the wek
encryption for that host.

> restarted "sshd and nxserver" but I nxserver still doesn't work,
> running:  nxsetup --test (I get):
> 
> ----> Testing your nxserver connection ...  
> Permission denied (publickey,password,keyboard-interactive).
> Fatal error: Could not connect to NX Server.

That doesn't look like the error you get from an unsupported key, which
is something like

Unable to negotiate with x.x.x.x: no matching host key type found. Their offer: ssh-dss

Is nxserver trying to connect as root? It looks more like the disabling
of passworded root logins in OpenSSH.


-- 
Neil Bothwick

What do you get if you cross an agnostic, an insomniac and adyslexic?
Someone who lies awake at night wondering if there really is a dog.

[-- Attachment #2: OpenPGP digital signature --]
[-- Type: application/pgp-signature, Size: 181 bytes --]

Re: [gentoo-user] openssh-7.1_p1-r2 won't allow "nxserver" to connect

[thelma]

On 11/14/2015 02:22 PM, Neil Bothwick wrote:
> On Sat, 14 Nov 2015 08:54:38 -0700, thelma@sys-concept.com wrote:
> 
>> The only software that uses ssh-dss key and I need is nxserver.
>>
>> I just added a line to my: sshd_config
>> PubkeyAcceptedKeyTypes=+ssh-dss
> 
> You should add this to a Host section, so it only enables the wek
> encryption for that host.
> 
>> restarted "sshd and nxserver" but I nxserver still doesn't work,
>> running:  nxsetup --test (I get):
>>
>> ----> Testing your nxserver connection ...  
>> Permission denied (publickey,password,keyboard-interactive).
>> Fatal error: Could not connect to NX Server.
> 
> That doesn't look like the error you get from an unsupported key, which
> is something like
> 
> Unable to negotiate with x.x.x.x: no matching host key type found. Their offer: ssh-dss
> 
> Is nxserver trying to connect as root? It looks more like the disabling
> of passworded root logins in OpenSSH.



Here is my sshd_config: (nxserver works with openssh-6.9_p1-r2)
As soon as I upgrade to openssh-7, enable:
PubkeyAcceptedKeyTypes=+ssh-dss

restart: sshd
and nxserver gives me an error message (like above).

Yes, I'm running "nxsetup --test" as root.

#	$OpenBSD: sshd_config,v 1.95 2015/04/27 21:42:48 djm Exp $

# This is the sshd server system-wide configuration file.  See
# sshd_config(5) for more information.

# This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin

# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented.  Uncommented options override the
# default value.

#Port 22
#AddressFamily any
#ListenAddress 0.0.0.0
#ListenAddress ::

# The default requires explicit activation of protocol 1
#Protocol 2

# HostKey for protocol version 1
#HostKey /etc/ssh/ssh_host_key
# HostKeys for protocol version 2
#HostKey /etc/ssh/ssh_host_rsa_key
#HostKey /etc/ssh/ssh_host_dsa_key
#HostKey /etc/ssh/ssh_host_ecdsa_key
#HostKey /etc/ssh/ssh_host_ed25519_key

# Lifetime and size of ephemeral version 1 server key
#KeyRegenerationInterval 1h
#ServerKeyBits 1024

# Ciphers and keying
#RekeyLimit default none

# Logging
# obsoletes QuietMode and FascistLogging
#SyslogFacility AUTH
#LogLevel INFO

# Authentication:

#LoginGraceTime 2m
#PermitRootLogin no
#StrictModes yes
#MaxAuthTries 6
#MaxSessions 10

#RSAAuthentication yes
#PubkeyAuthentication yes

# The default is to check both .ssh/authorized_keys and
.ssh/authorized_keys2
# but this is overridden so installations will only check
.ssh/authorized_keys
#AuthorizedKeysFile	.ssh/authorized_keys

# Added Nov 14/15, needed for nxserver to work
# PubkeyAcceptedKeyTypes=+ssh-dss

#AuthorizedPrincipalsFile none

#AuthorizedKeysCommand none
#AuthorizedKeysCommandUser nobody

# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
#RhostsRSAAuthentication no
# similar for protocol version 2
#HostbasedAuthentication no
# Change to yes if you don't trust ~/.ssh/known_hosts for
# RhostsRSAAuthentication and HostbasedAuthentication
#IgnoreUserKnownHosts no
# Don't read the user's ~/.rhosts and ~/.shosts files
#IgnoreRhosts yes

# To disable tunneled clear text passwords, change to no here!
PasswordAuthentication yes
#PermitEmptyPasswords no

# Change to no to disable s/key passwords
#ChallengeResponseAuthentication yes

# Kerberos options
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
#KerberosGetAFSToken no

# GSSAPI options
#GSSAPIAuthentication no
#GSSAPICleanupCredentials yes

# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the ChallengeResponseAuthentication and
# PasswordAuthentication.  Depending on your PAM configuration,
# PAM authentication via ChallengeResponseAuthentication may bypass
# the setting of "PermitRootLogin without-password".
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and ChallengeResponseAuthentication to 'no'.
UsePAM yes

#AllowAgentForwarding yes
#AllowTcpForwarding yes
#GatewayPorts no
X11Forwarding yes
#X11DisplayOffset 10
#X11UseLocalhost yes
#PermitTTY yes
PrintMotd no
PrintLastLog no
#TCPKeepAlive yes
#UseLogin no
UsePrivilegeSeparation sandbox		# Default for new installations.
#PermitUserEnvironment no
#Compression delayed
#ClientAliveInterval 0
#ClientAliveCountMax 3
#UseDNS no
#PidFile /run/sshd.pid
#MaxStartups 10:30:100
#PermitTunnel no
#ChrootDirectory none
#VersionAddendum none

# no default banner path
#Banner none

# here are the new patched ldap related tokens
# entries in your LDAP must have posixAccount & ldapPublicKey objectclass
#UseLPK yes
#LpkLdapConf /etc/ldap.conf
#LpkServers  ldap://10.1.7.1/ ldap://10.1.7.2/
#LpkUserDN   ou=users,dc=phear,dc=org
#LpkGroupDN  ou=groups,dc=phear,dc=org
#LpkBindDN cn=Manager,dc=phear,dc=org
#LpkBindPw secret
#LpkServerGroup mail
#LpkFilter (hostAccess=master.phear.org)
#LpkForceTLS no
#LpkSearchTimelimit 3
#LpkBindTimelimit 3
#LpkPubKeyAttr sshPublicKey

# override default of no subsystems
Subsystem	sftp	/usr/lib64/misc/sftp-server

# the following are HPN related configuration options
# tcp receive buffer polling. disable in non autotuning kernels
#TcpRcvBufPoll yes

# disable hpn performance boosts
#HPNDisabled no

# buffer size for hpn to non-hpn connections
#HPNBufferSize 2048


# allow the use of the none cipher
#NoneEnabled no

# Example of overriding settings on a per-user basis
#Match User anoncvs
#	X11Forwarding no
#	AllowTcpForwarding no
#	PermitTTY no
#	ForceCommand cvs server

# Allow client to pass locale environment variables #367017
AcceptEnv LANG LC_*

--
Thelma

Re: [gentoo-user] openssh-7.1_p1-r2 won't allow "nxserver" to connect

[Neil Bothwick]

[-- Attachment #1: Type: text/plain, Size: 1200 bytes --]

On Sat, 14 Nov 2015 16:27:27 -0700, thelma@sys-concept.com wrote:

> >> ----> Testing your nxserver connection ...    
> >> Permission denied (publickey,password,keyboard-interactive).
> >> Fatal error: Could not connect to NX Server.  
> > 
> > That doesn't look like the error you get from an unsupported key,
> > which is something like
> > 
> > Unable to negotiate with x.x.x.x: no matching host key type found.
> > Their offer: ssh-dss
> > 
> > Is nxserver trying to connect as root? It looks more like the
> > disabling of passworded root logins in OpenSSH.  
> 
> Here is my sshd_config: (nxserver works with openssh-6.9_p1-r2)
> As soon as I upgrade to openssh-7, enable:
> PubkeyAcceptedKeyTypes=+ssh-dss
> 
> restart: sshd
> and nxserver gives me an error message (like above).

Which has nothing to do with keys
 
> Yes, I'm running "nxsetup --test" as root.

and everything to do with this. While the use of DSS keys may cause a
problem, you haven't reached that point yet because the default config
not blocks root logins. Add "PermitRootLogin without-password" to your
config.


-- 
Neil Bothwick

The computer revolution is over. The computers won.

[-- Attachment #2: OpenPGP digital signature --]
[-- Type: application/pgp-signature, Size: 181 bytes --]