NetBSD-Bugs archive


Re: bin/50148: new ssh does not work at all



The following reply was made to PR bin/50148; it has been noted by GNATS.

From: John Nemeth <jnemeth%cue.bc.ca@localhost>
To: gnats-bugs%NetBSD.org@localhost, gnats-admin%netbsd.org@localhost, netbsd-bugs%netbsd.org@localhost
Cc: 
Subject: Re: bin/50148: new ssh does not work at all
Date: Fri, 14 Aug 2015 00:55:19 -0700

 On Aug 14,  6:55am, martin%NetBSD.org@localhost wrote:
 }
 } >Number:         50148
 } >Synopsis:       new ssh does not work at all
 } >Severity:       critical
 } >Priority:       high
 } >Responsible:    bin-bug-people
 } >State:          open
 } >Class:          sw-bug
 } >Arrival-Date:   Fri Aug 14 06:55:00 +0000 2015
 } >Originator:     Martin Husemann
 } >Release:        NetBSD 7.99.20
 } >Description:
 } 
 } Since updating to the new ssh yesterday, I can't connect anywhere:
 } 
 } [snip]
 } 
 } debug1: Authentications that can continue: publickey
 } debug3: start over, passed a different list publickey
 } debug3: preferred kerberos-2%ssh.com@localhost,publickey,keyboard-interactive,password
 } debug3: authmethod_lookup publickey
 } debug3: remaining preferred: keyboard-interactive,password
 } debug3: authmethod_is_enabled publickey
 } debug1: Next authentication method: publickey
 } debug1: Skipping ssh-dss key /home/martin/.ssh/id_dsa for not in PubkeyAcceptedKeyTypes
 
      I think the issue is here.  Reading the release announcement,
 I see that they have been disabling/deprecating all sorts of things,
 in the name of improving security (and intend to do more of this
 in the next release).  Apparently, they don't think backwards
 compatibility is important.
 
 From the announcement:
 
 -----
 
 [...]
 Changes since OpenSSH 6.9
 =========================
 
 The focus of this release is primarily to deprecate weak, legacy
 and/or unsafe cryptography.
 [...]
 Potentially-incompatible Changes
 --------------------------------
 
  * Support for the legacy SSH version 1 protocol is disabled by
    default at compile time.
 
  * Support for the 1024-bit diffie-hellman-group1-sha1 key exchange
    is disabled by default at run-time. It may be re-enabled using
    the instructions at http://www.openssh.com/legacy.html
 
  * Support for ssh-dss, ssh-dss-cert-* host and user keys is disabled
    by default at run-time. These may be re-enabled using the
    instructions at http://www.openssh.com/legacy.html
 
  * Support for the legacy v00 cert format has been removed.
 
  * The default for the sshd_config(5) PermitRootLogin option has
    changed from "yes" to "prohibit-password".
 
  * PermitRootLogin=without-password/prohibit-password now bans all
    interactive authentication methods, allowing only public-key,
    hostbased and GSSAPI authentication (previously it permitted
    keyboard-interactive and password-less authentication if those
    were enabled).
 
 -----
 
 martin's issue is the third point.
 
      On a slightly different, but similar issue, I sure hope we
 have reversed the first point (SSHv1 being disabled at compile
 time).  I still use SSHv1 for connecting to older, but perfectly
 functional routers.  What do they expect me to do, switch to using
 telnet, which would be the only alternative.  "Replace the routers"
 is not a good answer.
 
 } debug1: Trying private key: /home/martin/.ssh/id_rsa
 } debug3: no such identity: /home/martin/.ssh/id_rsa: No such file or directory
 } debug1: Trying private key: /home/martin/.ssh/id_ecdsa
 } debug3: no such identity: /home/martin/.ssh/id_ecdsa: No such file or directory
 } debug1: Trying private key: /home/martin/.ssh/id_ed25519
 } debug3: no such identity: /home/martin/.ssh/id_ed25519: No such file or directory
 } debug2: we did not send a packet, disable method
 } debug1: No more authentication methods to try.
 } Permission denied (publickey).
 } 
 }-- End of excerpt from martin%NetBSD.org@localhost
 
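The transcript in the PR shows the signature of the third "potentially-incompatible" change: the client's own `PubkeyAcceptedKeyTypes` policy skips the only identity on disk (`id_dsa`), the other default identity files do not exist, and the server offers nothing but `publickey`, so authentication fails with no packet ever sent. The following is an added example (not code from the PR, from NetBSD, or from OpenSSH) that triages an `ssh -vvv` transcript for exactly that pattern and, where a key type was rejected, emits a per-host `ssh_config` stanza using the `+` syntax the announcement's legacy.html page describes. The sample transcript is constructed to mirror the lines in the PR; the host name `oldrouter.example` and all function names are assumptions.

```python
"""Triage an `ssh -vvv` transcript for keys rejected by PubkeyAcceptedKeyTypes."""
import re
from dataclasses import dataclass, field
from typing import List, Tuple

# Constructed sample: an `ssh -vvv` excerpt modelled on the transcript in PR bin/50148.
SAMPLE_TRANSCRIPT = """\
debug1: Authentications that can continue: publickey
debug3: start over, passed a different list publickey
debug3: authmethod_lookup publickey
debug1: Next authentication method: publickey
debug1: Skipping ssh-dss key /home/martin/.ssh/id_dsa for not in PubkeyAcceptedKeyTypes
debug1: Trying private key: /home/martin/.ssh/id_rsa
debug3: no such identity: /home/martin/.ssh/id_rsa: No such file or directory
debug1: Trying private key: /home/martin/.ssh/id_ecdsa
debug3: no such identity: /home/martin/.ssh/id_ecdsa: No such file or directory
debug1: Trying private key: /home/martin/.ssh/id_ed25519
debug3: no such identity: /home/martin/.ssh/id_ed25519: No such file or directory
debug2: we did not send a packet, disable method
debug1: No more authentication methods to try.
Permission denied (publickey).
"""

# Patterns for the four debug lines the diagnosis depends on.
SKIP_RE = re.compile(r"Skipping (?P<ktype>\S+) key (?P<path>\S+) for not in PubkeyAcceptedKeyTypes")
MISSING_RE = re.compile(r"no such identity: (?P<path>\S+): No such file or directory")
CONTINUE_RE = re.compile(r"Authentications that can continue: (?P<methods>\S+)")
DENIED_RE = re.compile(r"^Permission denied \((?P<methods>[^)]+)\)")


@dataclass
class Diagnosis:
    server_methods: List[str] = field(default_factory=list)   # methods the server offered
    skipped: List[Tuple[str, str]] = field(default_factory=list)  # (key type, path) rejected by client policy
    missing: List[str] = field(default_factory=list)          # default identity files that do not exist
    denied: bool = False                                      # final "Permission denied" seen


def parse_transcript(text: str) -> Diagnosis:
    """Walk the transcript line by line and collect the facts the diagnosis needs."""
    d = Diagnosis()
    for line in text.splitlines():
        if m := CONTINUE_RE.search(line):
            d.server_methods = m["methods"].split(",")
        elif m := SKIP_RE.search(line):
            d.skipped.append((m["ktype"], m["path"]))
        elif m := MISSING_RE.search(line):
            d.missing.append(m["path"])
        elif DENIED_RE.search(line):
            d.denied = True
    return d


def rejected_key_types(d: Diagnosis) -> List[str]:
    """Distinct key types the client refused to offer because of PubkeyAcceptedKeyTypes."""
    return sorted({ktype for ktype, _ in d.skipped})


def no_usable_identity(d: Diagnosis) -> bool:
    """True when the failure is fully explained by client-side key-type policy:
    the server accepts only publickey, at least one key was skipped by policy,
    and the session ended in Permission denied."""
    return d.denied and bool(d.skipped) and d.server_methods == ["publickey"]


def legacy_config(host: str, d: Diagnosis) -> str:
    """Per-host ssh_config stanza re-enabling the rejected types with the "+"
    (append-to-default) syntax from http://www.openssh.com/legacy.html, so the
    opt-in applies to this one host rather than to every connection."""
    types = rejected_key_types(d)
    if not types:
        return ""
    lines = [f"Host {host}"]  # host name is an assumption for the example
    for ktype in types:
        lines.append(f"    PubkeyAcceptedKeyTypes +{ktype}")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    diag = parse_transcript(SAMPLE_TRANSCRIPT)
    print("server offers:", diag.server_methods)
    print("rejected by client policy:", rejected_key_types(diag))
    print("missing identity files:", diag.missing)
    if no_usable_identity(diag):
        print("diagnosis: only identity present is a deprecated type; fallback stanza:")
        print(legacy_config("oldrouter.example", diag), end="")
```

The stanza is the fallback the announcement points at, and it is deliberately scoped to one `Host` block so the deprecated type is not re-enabled globally. The transcript also shows the durable fix: the client already looks for `id_rsa`, `id_ecdsa` and `id_ed25519`, so generating one of those and installing it on the remote side removes the dependency on ssh-dss without touching `PubkeyAcceptedKeyTypes` at all.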

