- Community Home
- >
- Servers and Operating Systems
- >
- Operating Systems
- >
- Operating System - HP-UX
- >
- Password-less ssh no longer works after upgrade
Categories
Company
Local Language
Forums
Discussions
Forums
- Data Protection and Retention
- Entry Storage Systems
- Legacy
- Midrange and Enterprise Storage
- Storage Networking
- HPE Nimble Storage
Discussions
Discussions
Discussions
Discussions
Forums
Discussions
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
- BladeSystem Infrastructure and Application Solutions
- Appliance Servers
- Alpha Servers
- BackOffice Products
- Internet Products
- HPE 9000 and HPE e3000 Servers
- Networking
- Netservers
- Secure OS Software for Linux
- Server Management (Insight Manager 7)
- Windows Server 2003
- Operating System - Tru64 Unix
- ProLiant Deployment and Provisioning
- Linux-Based Community / Regional
- Microsoft System Center Integration
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Community
Resources
Forums
Blogs
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Printer Friendly Page
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
10-17-2018 01:29 PM
10-17-2018 01:29 PM
We were running this ssh (found in /opt/ssh/hpux64/bin/)
-rwxr-xr-x 1 bin bin 1330600 Jan 7 2015 ssh*
And it was just upgraded to (found in same location)
-rwxr-xr-x 1 bin bin 1942744 Mar 19 2018 ssh*
And now ssh does not seem to recognize the id_dsa, even with the -i option. It keeps asking for a password.
Does this new version require new private keys?
Solved! Go to Solution.
- Tags:
- ssh
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
10-17-2018 08:01 PM
10-17-2018 08:01 PM
Re: Password-less ssh no longer works after upgrade
> And now ssh does not seem to recognize the id_dsa, even with the -i
> option. It keeps asking for a password.
uname -a
Is this system the ssh client, server, or both?
> Does this new version require new private keys?
I haven't upgraded anything lately, so I know nothing, but...
Which "this new version"?
ssh -V
Recent ssh versions might have deprecated/desupported particular
encryption or hash algorithms.
Generally, the debug procedure for the ssh client side involves
adding a "-v" option ("-vvv" seems to be popular) to the "ssh" command,
and seeking clues in the diagnostic output. On the server side, the
system log files typically show reasons for a failure.
> And it was just upgraded to [...]
What, exactly, did you install? Did whatever you installed come with
any documentation? Release notes, for example?
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
10-18-2018 06:29 AM
10-18-2018 06:29 AM
Re: Password-less ssh no longer works after upgrade
Thanks for the reply, Steven!
It is the client that cannot connect to the server.
uname -a
HP-UX <server> B.11.31 U ia64 0545442868 unlimited-user license
The old version was:
OpenSSH_6.2p2+sftpfilecontrol-v1.3-hpn13v12, OpenSSL 1.0.2k 26 Jan 2017
HP-UX Secure Shell-A.06.20.030, HP-UX Secure Shell version
The new version is:
OpenSSH_7.4p1+sftpfilecontrol-v1.3-hpn14v12, OpenSSL 1.0.2k 26 Jan 2017
HP-UX Secure Shell-A.07.40.003, HP-UX Secure Shell version
The install was done by our central operations team.
Here's the ssh -v output:
OpenSSH_7.4p1+sftpfilecontrol-v1.3-hpn14v12, OpenSSL 1.0.2k 26 Jan 2017
debug1: Reading configuration data /opt/ssh/etc/ssh_config
debug1: Connecting to genawa-itg.austin.hpecorp.net [16.195.80.156] port 22.
debug1: Connection established.
debug1: key_load_public: No such file or directory
debug1: identity file /home/bb/.ssh/identity type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/bb/.ssh/identity-cert type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/bb/.ssh/id_rsa type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/bb/.ssh/id_rsa-cert type -1
debug1: identity file /home/bb/.ssh/id_dsa type 2
debug1: key_load_public: No such file or directory
debug1: identity file /home/bb/.ssh/id_dsa-cert type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/bb/.ssh/id_ecdsa type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/bb/.ssh/id_ecdsa-cert type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/bb/.ssh/id_ed25519 type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/bb/.ssh/id_ed25519-cert type -1
debug1: Remote protocol version 2.0, remote software version OpenSSH_7.4p1+sftpfilecontrol-v1.3-hpn14v12
debug1: match: OpenSSH_7.4p1+sftpfilecontrol-v1.3-hpn14v12 pat OpenSSH* compat 0x04000000
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_7.4p1+sftpfilecontrol-v1.3-hpn14v12
debug1: Authenticating to genawa-itg.austin.hpecorp.net:22 as 'tuxadmin'
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: AUTH STATE IS 0
debug1: kex: algorithm: curve25519-sha256
debug1: kex: host key algorithm: ecdsa-sha2-nistp256
debug1: REQUESTED ENC.NAME is 'chacha20-poly1305@openssh.com'
debug1: kex: server->client cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none
debug1: REQUESTED ENC.NAME is 'chacha20-poly1305@openssh.com'
debug1: kex: client->server cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug1: Server host key: ecdsa-sha2-nistp256 SHA256:EE87R0FOpAeS6e76QbXqn77ti2qKO3bmFEyzZ3ybWjk
debug1: Host 'genawa-itg.austin.hpecorp.net' is known and matches the ECDSA host key.
debug1: Found key in /home/bb/.ssh/known_hosts:5
debug1: rekey after 134217728 blocks
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: rekey after 134217728 blocks
debug1: Skipping ssh-dss key /home/bb/.ssh/id_dsa - not in PubkeyAcceptedKeyTypes
debug1: SSH2_MSG_EXT_INFO received
debug1: kex_input_ext_info: server-sig-algs=<ssh-ed25519,ssh-rsa,ssh-dss,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521>
debug1: SSH2_MSG_SERVICE_ACCEPT received
*******************************************************************
* *
* This is a private system; explicit authorization from the *
* system owner is required for access or use. Unauthorized *
* access or use may result in severe civil and/or criminal *
* liability, including without limitation under 18 USC *
* Sections 1030 et seq. All rights whatsoever are reserved. *
* *
*******************************************************************
debug1: Authentications that can continue: publickey,gssapi-with-mic,password
debug1: Next authentication method: gssapi-with-mic
debug1: Miscellaneous failure
No credentials cache found
debug1: Miscellaneous failure
No credentials cache found
debug1:
debug1: Next authentication method: publickey
debug1: Trying private key: /home/bb/.ssh/identity
debug1: Trying private key: /home/bb/.ssh/id_rsa
debug1: Trying private key: /home/bb/.ssh/id_ecdsa
debug1: Trying private key: /home/bb/.ssh/id_ed25519
debug1: Next authentication method: password
<account>@<fqdn>s password:
If I use the -i option to call out the public key location:
OpenSSH_7.4p1+sftpfilecontrol-v1.3-hpn14v12, OpenSSL 1.0.2k 26 Jan 2017
debug1: Reading configuration data /opt/ssh/etc/ssh_config
debug1: Connecting to genawa-itg.austin.hpecorp.net [16.195.80.156] port 22.
debug1: Connection established.
debug1: identity file /home/bb/.ssh/id_dsa type 2
debug1: key_load_public: No such file or directory
debug1: identity file /home/bb/.ssh/id_dsa-cert type -1
debug1: Remote protocol version 2.0, remote software version OpenSSH_7.4p1+sftpfilecontrol-v1.3-hpn14v12
debug1: match: OpenSSH_7.4p1+sftpfilecontrol-v1.3-hpn14v12 pat OpenSSH* compat 0x04000000
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_7.4p1+sftpfilecontrol-v1.3-hpn14v12
debug1: Authenticating to genawa-itg.austin.hpecorp.net:22 as 'tuxadmin'
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: AUTH STATE IS 0
debug1: kex: algorithm: curve25519-sha256
debug1: kex: host key algorithm: ecdsa-sha2-nistp256
debug1: REQUESTED ENC.NAME is 'chacha20-poly1305@openssh.com'
debug1: kex: server->client cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none
debug1: REQUESTED ENC.NAME is 'chacha20-poly1305@openssh.com'
debug1: kex: client->server cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug1: Server host key: ecdsa-sha2-nistp256 SHA256:EE87R0FOpAeS6e76QbXqn77ti2qKO3bmFEyzZ3ybWjk
debug1: Host 'genawa-itg.austin.hpecorp.net' is known and matches the ECDSA host key.
debug1: Found key in /home/bb/.ssh/known_hosts:5
debug1: rekey after 134217728 blocks
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: rekey after 134217728 blocks
debug1: Skipping ssh-dss key /home/bb/.ssh/id_dsa - not in PubkeyAcceptedKeyTypes
debug1: SSH2_MSG_EXT_INFO received
debug1: kex_input_ext_info: server-sig-algs=<ssh-ed25519,ssh-rsa,ssh-dss,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521>
debug1: SSH2_MSG_SERVICE_ACCEPT received
*******************************************************************
* *
* This is a private system; explicit authorization from the *
* system owner is required for access or use. Unauthorized *
* access or use may result in severe civil and/or criminal *
* liability, including without limitation under 18 USC *
* Sections 1030 et seq. All rights whatsoever are reserved. *
* *
*******************************************************************
debug1: Authentications that can continue: publickey,gssapi-with-mic,password
debug1: Next authentication method: gssapi-with-mic
debug1: Miscellaneous failure
No credentials cache found
debug1: Miscellaneous failure
No credentials cache found
debug1:
debug1: Next authentication method: publickey
debug1: Next authentication method: password
<account>@<fqdn>'s password:
I have checked that the authorized_key file on the receiving end still contains the content of the id_dsa.pub.
The .ssh directory is secured as follows:
drwx------ 2 bb bbgrp 96 Jun 10 2017 .ssh/
the id_dsa file is secured as follows:
-rw------- 1 bb bbgrp 668 Sep 16 2016 id_dsa
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
10-18-2018 09:35 AM
10-18-2018 09:35 AM
Re: Password-less ssh no longer works after upgrade
> It is the client that cannot connect to the server.
Yes, by definition, but who got the SSH upgrade?
> The install was done by our central operations team.
Ok, but you may still need to know more than that.
I still know nothing, but:
debug1: Skipping ssh-dss key /home/bb/.ssh/id_dsa - not in PubkeyAcceptedKeyTypes
debug1: SSH2_MSG_EXT_INFO received
debug1: kex_input_ext_info:
server-sig-algs=<ssh-ed25519,ssh-rsa,ssh-dss,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521>
debug1: SSH2_MSG_SERVICE_ACCEPT received
Apparently, the server is now more restrctive about its
PubkeyAcceptedKeyTypes. I'd guess that the server configuration could
be degraded to accept your old keys, but I'd also guess that such old
keys are now considered too weak.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
10-18-2018 10:06 AM
10-18-2018 10:06 AM
Re: Password-less ssh no longer works after upgrade
Hi Steven,
The upgrade was the client only. I'll try re-creating the public key. Thanks for your help!
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
10-18-2018 10:24 AM
10-18-2018 10:24 AM
Re: Password-less ssh no longer works after upgrade
> The upgrade was the client only. [...]
Hmmm. I'd've blamed the server, but what do I know?
> I still know nothing, but:
I may be learning:
https://h20392.www2.hpe.com/portal/swdepot/displayProductInfo.do?productNumber=T1471AA
* Going forward DSA host keys will be disabled and it is
recommended not to use. To support DSA host keys in v.07.30 and
above, an extra parameter (HostKeyAlgorithms) in sshd_config file.
For more information, see https://www.openssh.com/legacy.html.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
10-18-2018 03:14 PM
10-18-2018 03:14 PM
Re: Password-less ssh no longer works after upgrade
Thanks, Steven! I'll give that a try...
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
10-23-2018 06:03 AM
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
10-23-2018 12:32 PM
10-23-2018 12:32 PM
Re: Password-less ssh no longer works after upgrade
> What worked was adding -oPubkeyAcceptedKeyTypes=+ssh-dss to the ssh
> command.
You might be able to save some typing by adding that option to the
user's "~/.ssh/config" file (or system-wide in
"/opt/ssh/etc/ssh_config").
man ssh_config