NetBSD-Bugs archive
Re: bin/50148: new ssh does not work at all
The following reply was made to PR bin/50148; it has been noted by GNATS.
From: John Nemeth <jnemeth%cue.bc.ca@localhost>
To: gnats-bugs%NetBSD.org@localhost, gnats-admin%netbsd.org@localhost, netbsd-bugs%netbsd.org@localhost
Cc:
Subject: Re: bin/50148: new ssh does not work at all
Date: Fri, 14 Aug 2015 00:55:19 -0700
On Aug 14, 6:55am, martin%NetBSD.org@localhost wrote:
}
} >Number: 50148
} >Synopsis: new ssh does not work at all
} >Severity: critical
} >Priority: high
} >Responsible: bin-bug-people
} >State: open
} >Class: sw-bug
} >Arrival-Date: Fri Aug 14 06:55:00 +0000 2015
} >Originator: Martin Husemann
} >Release: NetBSD 7.99.20
} >Description:
}
} Since updating to the new ssh yesterday, I can't connect anywhere:
}
} [snip]
}
} debug1: Authentications that can continue: publickey
} debug3: start over, passed a different list publickey
} debug3: preferred kerberos-2%ssh.com@localhost,publickey,keyboard-interactive,password
} debug3: authmethod_lookup publickey
} debug3: remaining preferred: keyboard-interactive,password
} debug3: authmethod_is_enabled publickey
} debug1: Next authentication method: publickey
} debug1: Skipping ssh-dss key /home/martin/.ssh/id_dsa for not in PubkeyAcceptedKeyTypes
I think the issue is here. Reading the release announcement,
I see that they have been disabling/deprecating all sorts of things,
in the name of improving security (and intend to do more of this
in the next release). Apparently, they don't think backwards
compatibility is important.
From the announcement:
-----
[...]
Changes since OpenSSH 6.9
=========================
The focus of this release is primarily to deprecate weak, legacy
and/or unsafe cryptography.
[...]
Potentially-incompatible Changes
--------------------------------
* Support for the legacy SSH version 1 protocol is disabled by
default at compile time.
* Support for the 1024-bit diffie-hellman-group1-sha1 key exchange
is disabled by default at run-time. It may be re-enabled using
the instructions at http://www.openssh.com/legacy.html
* Support for ssh-dss, ssh-dss-cert-* host and user keys is disabled
by default at run-time. These may be re-enabled using the
instructions at http://www.openssh.com/legacy.html
* Support for the legacy v00 cert format has been removed.
* The default for the sshd_config(5) PermitRootLogin option has
changed from "yes" to "prohibit-password".
* PermitRootLogin=without-password/prohibit-password now bans all
interactive authentication methods, allowing only public-key,
hostbased and GSSAPI authentication (previously it permitted
keyboard-interactive and password-less authentication if those
were enabled).
-----
martin's issue is the third point.
On a slightly different, but similar issue, I sure hope we
have reversed the first point (SSHv1 being disabled at compile
time). I still use SSHv1 for connecting to older, but perfectly
functional routers. What do they expect me to do, switch to using
telnet, which would be the only alternative? "Replace the routers"
is not a good answer.
} debug1: Trying private key: /home/martin/.ssh/id_rsa
} debug3: no such identity: /home/martin/.ssh/id_rsa: No such file or directory
} debug1: Trying private key: /home/martin/.ssh/id_ecdsa
} debug3: no such identity: /home/martin/.ssh/id_ecdsa: No such file or directory
} debug1: Trying private key: /home/martin/.ssh/id_ed25519
} debug3: no such identity: /home/martin/.ssh/id_ed25519: No such file or directory
} debug2: we did not send a packet, disable method
} debug1: No more authentication methods to try.
} Permission denied (publickey).
}
}-- End of excerpt from martin%NetBSD.org@localhost
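As an added example (not part of the PR or of this reply), a small Python checker that reads the ssh -vvv client output quoted above and distinguishes identities the client refused to offer (the "not in PubkeyAcceptedKeyTypes" skip introduced in OpenSSH 7.0) from identity files that simply do not exist. The sample input is a constructed copy of the excerpt above; the remediation wording is mine, with the stop-gap taken from the release-note pointer to legacy.html.

```python
import re
from dataclasses import dataclass, field

# Constructed sample: the ssh -vvv lines quoted in the PR above.
SAMPLE_DEBUG = """\
debug1: Next authentication method: publickey
debug1: Skipping ssh-dss key /home/martin/.ssh/id_dsa for not in PubkeyAcceptedKeyTypes
debug1: Trying private key: /home/martin/.ssh/id_rsa
debug3: no such identity: /home/martin/.ssh/id_rsa: No such file or directory
debug1: Trying private key: /home/martin/.ssh/id_ed25519
debug3: no such identity: /home/martin/.ssh/id_ed25519: No such file or directory
debug2: we did not send a packet, disable method
Permission denied (publickey).
"""

SKIPPED = re.compile(r"^debug1: Skipping (\S+) key (\S+) for not in PubkeyAcceptedKeyTypes$")
TRYING = re.compile(r"^debug1: Trying private key: (\S+)$")
MISSING = re.compile(r"^debug3: no such identity: (\S+): No such file or directory$")
DENIED = re.compile(r"^Permission denied \((.+)\)\.$")

@dataclass
class Diagnosis:
    skipped: dict = field(default_factory=dict)   # key path -> key type the client refused to offer
    offered: list = field(default_factory=list)   # identities that existed and were actually sent
    denied: list = field(default_factory=list)    # methods the server still listed at the end
    advice: list = field(default_factory=list)

def diagnose(debug_output: str) -> Diagnosis:
    # Walk the client debug log once and classify each identity mentioned.
    d = Diagnosis()
    tried, missing = [], set()
    for line in debug_output.splitlines():
        if m := SKIPPED.match(line):
            d.skipped[m.group(2)] = m.group(1)
        elif m := TRYING.match(line):
            tried.append(m.group(1))
        elif m := MISSING.match(line):
            missing.add(m.group(1))
        elif m := DENIED.match(line):
            d.denied = m.group(1).split(",")
    d.offered = [p for p in tried if p not in missing]
    if d.skipped and not d.offered:
        types = ", ".join(sorted(set(d.skipped.values())))
        d.advice.append(f"No key was ever offered: the only existing identities use {types}, "
                        "which the 7.0 client no longer accepts by default.")
        d.advice.append("Fix: generate a key of an accepted type (ssh-keygen -t ed25519) and install "
                        "it on the server; re-enabling ssh-dss via PubkeyAcceptedKeyTypes, as "
                        "described at legacy.html, is only a stop-gap.")
    return d
```

Run it as `diagnose(open("ssh-debug.log").read())` against a real `ssh -vvv` capture; an empty `advice` list with a non-empty `offered` list means the key was sent and the rejection is on the server side.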