From: thelma@sys-concept.com
To: gentoo-user@lists.gentoo.org
Subject: Re: [gentoo-user] openssh-7.1_p1-r2 won't allow "nxserver" to connect
Date: Sat, 14 Nov 2015 08:54:38 -0700
Message-ID: <5647593E.9050404@sys-concept.com>
In-Reply-To: <201511141111.26221.michaelkintzios@gmail.com>

On 11/14/2015 04:11 AM, Mick wrote:
[snip]
>
> Since openssh-7.0 DSS keys are disabled and about time too!
>
> ==========================================================
> if has_version "<${CATEGORY}/${PN}-7.1_p1" ; then #557388
>     elog "Starting with openssh-7.0, support for ssh-dss keys were disabled due to their"
>     elog "weak sizes. If you rely on these key types, you can re-enable the key types by"
>     elog "adding to your sshd_config:"
>     elog " PubkeyAcceptedKeyTypes=+ssh-dss"
>     elog "You should however generate new keys using rsa or ed25519."
> fi
> ==========================================================
>
>
> Also SHA1 hashes are disabled and you will get errors like these when you try
> to login to a server which is still using deprecated ciphers:
>
> Unable to negotiate with XXX.XX.XXX.X: no matching host key type found. Their offer: ssh-dss
>
> Unable to negotiate with XXX.XX.XXX.X: no matching key exchange method found. Their offer: diffie-hellman-group1-sha1
>
> If this is within your LAN and therefore relatively protected, you could
> specify deprecated ciphers and hashes like so:
>
> ssh -o KexAlgorithms=+diffie-hellman-group1-sha1 -o HostKeyAlgorithms=+ssh-dss my_user@XXX.XX.XXX.X
>
>
> Alternatively, after you create a strong prime:
>
> ssh-keygen -t rsa -b 4096
>
>
> or probably better to use ed25519:
>
> ssh-keygen -t ed25519
>
> HTH.

The only software that uses ssh-dss key and I need is nxserver.
I just added a line to my: sshd_config

PubkeyAcceptedKeyTypes=+ssh-dss

restarted "sshd and nxserver" but nxserver still doesn't work, running:
nxsetup --test (I get):

----> Testing your nxserver connection ...
Permission denied (publickey,password,keyboard-interactive).
Fatal error: Could not connect to NX Server.

--
Thelma
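
An added example, not part of either poster's message: one way to find the ssh-dss entries in an authorized_keys file that OpenSSH 7.0+ rejects by default, so they can be replaced with rsa or ed25519 keys as the ebuild notice recommends. The function names and the sample file contents are constructed for illustration; the key type is read from the decoded blob rather than trusted from the text label.

```python
import base64
import struct

# Key types OpenSSH 7.0+ rejects by default, per the ebuild notice quoted above.
DISABLED_BY_DEFAULT = {"ssh-dss"}

def blob_key_type(b64):
    """Return the key type embedded in a base64 public-key blob, or None."""
    try:
        blob = base64.b64decode(b64, validate=True)
        (length,) = struct.unpack(">I", blob[:4])   # uint32 length prefix
        if length == 0 or 4 + length > len(blob):
            return None
        return blob[4:4 + length].decode("ascii")
    except (ValueError, struct.error):               # bad base64 / short blob
        return None

def audit_authorized_keys(text):
    """Return [(line_number, key_type, comment)] for keys that need replacing."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        tokens = line.split()
        if not tokens or tokens[0].startswith("#"):
            continue
        # Options such as command="..." may precede the key, so find the first
        # token whose following blob embeds the same type name.
        for i in range(len(tokens) - 1):
            if blob_key_type(tokens[i + 1]) == tokens[i]:
                if tokens[i] in DISABLED_BY_DEFAULT:
                    findings.append((lineno, tokens[i], " ".join(tokens[i + 2:])))
                break
    return findings

def make_blob(key_type, *fields):
    """Build a constructed, non-functional key blob (demo input only)."""
    parts = [key_type.encode()] + list(fields)
    raw = b"".join(struct.pack(">I", len(p)) + p for p in parts)
    return base64.b64encode(raw).decode()

# Constructed sample file contents; these are not real keys.
SAMPLE = "\n".join([
    "# constructed sample",
    "ssh-dss " + make_blob("ssh-dss", b"\x01", b"\x02", b"\x03", b"\x04") + " legacy@example",
    "ssh-ed25519 " + make_blob("ssh-ed25519", b"\x05" * 32) + " admin@example",
    'no-pty,command="/bin/true arg" ssh-dss '
    + make_blob("ssh-dss", b"\x01", b"\x02", b"\x03", b"\x04") + " service@example",
])

if __name__ == "__main__":
    for lineno, key_type, comment in audit_authorized_keys(SAMPLE):
        print(f"line {lineno}: {key_type} key ({comment}) is rejected by default; replace it")
```

To audit a real file, pass its contents to `audit_authorized_keys()` in place of `SAMPLE`.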