[opensuse] SSH Public Key Authentication Broken By Upgrade [zypper dup]
After doing a zypper dup to 15.1 all appears to be working great - as expected - except however for SSH public key authentication. GNOME does not prompt for the passphrase and authentication falls back to password mode [assuming the server allows it].

Tips / pointers?

__agent is running, correctly linked in environment__

awilliam@beast01:~> ps ax | grep key
...
7245 ? S 0:00 /usr/bin/ssh-agent -D -a /run/user/1000/keyring/.ssh
awilliam@beast01:~> ls -l /run/user/1000/keyring/.ssh
srw------- 1 awilliam users 0 Oct 17 08:39 /run/user/1000/keyring/.ssh
awilliam@beast01:~> env | grep SSH
SSH_AUTH_SOCK=/run/user/1000/keyring/ssh
SSH_ASKPASS=/usr/lib/ssh/ssh-askpass
SSH_AGENT_PID=3113

__OS Release__

awilliam@beast01:/etc> cat os-release
NAME="openSUSE Leap"
VERSION="15.1 "
ID="opensuse-leap"
ID_LIKE="suse opensuse"
VERSION_ID="15.1"
PRETTY_NAME="openSUSE Leap 15.1"
ANSI_COLOR="0;32"
CPE_NAME="cpe:/o:opensuse:leap:15.1"
BUG_REPORT_URL="https://bugs.opensuse.org"
HOME_URL="https://www.opensuse.org/"

__agent knows the keys__

awilliam@beast01:/etc> ssh-add -l
1024 SHA256:Mom8WjkrR5gYjlRXsH4ROtA7HcsvC0UI/2c+BFsEp0U ogo@workflow.mormail.com (DSA)
1024 SHA256:xVXJ4TscK0z/lZRf6t6n/9yt3G9sIxy46bmGd2RDCr4 awilliam@linux-yu4c.site (DSA)
1024 SHA256:ZNRZeqkdHCI266I72nNCOiwagJ85XLScOkmEtwYIilk awilliam@linux-86wr.site (DSA)

__entering the passphrase 'works' but is not effective__

awilliam@beast01:/etc> ssh-add
Enter passphrase for /home/awilliam/.ssh/id_dsa:
Identity added: /home/awilliam/.ssh/id_dsa (/home/awilliam/.ssh/id_dsa)

__gcr-ssh-askpass is installed__

awilliam@beast01:~> ls -l /usr/lib/gcr-ssh-askpass
-rwxr-xr-x 1 root root 43920 Feb 24 2019 /usr/lib/gcr-ssh-askpass
awilliam@beast01:~> rpm -qf /usr/lib/gcr-ssh-askpass
gcr-ssh-askpass-3.28.1-lp151.1.1.x86_64

--
Adam Tauno Williams <mailto:awilliam@whitemice.org> GPG D95ED383
OpenGroupware Developer <http://www.opengroupware.us/>
--
To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org
To contact the owner, e-mail: opensuse+owner@opensuse.org
On Thursday, 2019-10-17 at 08:53 -0400, Adam Tauno Williams wrote:
> After doing a zypper dup to 15.1 all appears to be working great - as expected - except however for SSH public key authentication. GNOME does not prompt for the passphrase and authentication falls back to password mode [assuming the server allows it].

It is working for me, 15.1 client to 15.host, using the XFCE desktop, which uses the gnome stack.

> Tips / pointers?
>
> __agent is running, correctly linked in environment__
> awilliam@beast01:~> ps ax | grep key
> ...
> 7245 ? S 0:00 /usr/bin/ssh-agent -D -a /run/user/1000/keyring/.ssh

cer@Telcontar:~> ps ax | grep key
18553 ? SLl 0:00 gnome-keyring-daemon --start <=======
21495 ? S 0:00 /usr/bin/ssh-agent -D -a /run/user/1000/keyring/.ssh
31302 pts/37 S+ 0:00 grep --color=auto key
cer@Telcontar:~>

> awilliam@beast01:~> ls -l /run/user/1000/keyring/.ssh
> srw------- 1 awilliam users 0 Oct 17 08:39 /run/user/1000/keyring/.ssh

cer@Telcontar:~> l /run/user/1000/keyring/.ssh
srw------- 1 cer users 0 Oct 13 09:23 /run/user/1000/keyring/.ssh=
cer@Telcontar:~>

The '=' is missing in yours.

cer@Telcontar:~> file /run/user/1000/keyring/.ssh
/run/user/1000/keyring/.ssh: socket
cer@Telcontar:~>

--
Cheers,
Carlos E. R.
(from openSUSE 15.1 x86_64 at Telcontar)
17.10.2019 19:24, Carlos E. R. wrote:
>> awilliam@beast01:~> ls -l /run/user/1000/keyring/.ssh
>> srw------- 1 awilliam users 0 Oct 17 08:39 /run/user/1000/keyring/.ssh
>
> cer@Telcontar:~> l /run/user/1000/keyring/.ssh
> srw------- 1 cer users 0 Oct 13 09:23 /run/user/1000/keyring/.ssh=
> cer@Telcontar:~>
>
> The '=' is missing in yours.

Because your alias "l" does something different than "ls -l".
Hello,

On 17 October 2019, 14:53:35 CEST, Adam Tauno Williams wrote:
> After doing a zypper dup to 15.1 all appears to be working great - as expected - except however for SSH public key authentication.
>
> __agent knows the keys__
> awilliam@beast01:/etc> ssh-add -l
> 1024 SHA256:Mom8WjkrR5gYjlRXsH4ROtA7HcsvC0UI/2c+BFsEp0U ogo@workflow.mormail.com (DSA)
> 1024 SHA256:xVXJ4TscK0z/lZRf6t6n/9yt3G9sIxy46bmGd2RDCr4 awilliam@linux-yu4c.site (DSA)
> 1024 SHA256:ZNRZeqkdHCI266I72nNCOiwagJ85XLScOkmEtwYIilk awilliam@linux-86wr.site (DSA)

The default sshd config in Leap 15.x no longer allows DSA keys.

Create and use a key in a newer format (for example, I picked ED25519), or adjust the sshd config to allow DSA keys again.

Regards,

Christian Boltz
--
* cboltz votes for the boring version - can't
<sarnold> that's a bit informal for a mandatory security platform :)
<sbeattie> ah, but you see, contractions are informal, and we can't, err can not, err cannot, err can ?not have that.
[from #apparmor, while discussing bugzilla.novell.com/853661]
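A diagnostic for the situation described in the reply above, added here as an example and not part of any poster's message: it lists the DSA identities in `ssh-add -l` output and checks whether an effective OpenSSH configuration still accepts `ssh-dss`. The function names and the sample data are assumptions made for illustration.

```shell
#!/usr/bin/env bash
# Added example (not from the thread). Sample data below is constructed.

# Read `ssh-add -l` output on stdin and print "<fingerprint> <comment>" for
# each DSA identity. Line layout: <bits> <fingerprint> <comment ...> (<TYPE>)
dsa_identities() {
    awk '$NF == "(DSA)" {
        line = $2
        for (i = 3; i < NF; i++) line = line " " $i
        print line
    }'
}

# Read effective configuration (`ssh -G <host>` or `sshd -T`) on stdin and
# succeed only if the accepted public key types include ssh-dss, the
# protocol name for DSA keys.
allows_dss() {
    awk 'tolower($1) ~ /^pubkeyaccepted(keytypes|algorithms)$/ {
        n = split($2, algs, ",")
        for (i = 1; i <= n; i++) if (algs[i] == "ssh-dss") found = 1
    }
    END { exit (found ? 0 : 1) }'
}

# report <ssh-add -l output> <effective config>: return 1 and list the
# identities that will be refused when DSA keys exist but ssh-dss is not accepted.
report() {
    local refused
    refused=$(printf '%s\n' "$1" | dsa_identities)
    if [ -n "$refused" ] && ! printf '%s\n' "$2" | allows_dss; then
        printf 'refused by policy: %s\n' "$refused"
        return 1
    fi
    return 0
}

# Constructed samples: placeholder fingerprints, abbreviated algorithm lists.
SAMPLE_AGENT='1024 SHA256:constructed-dsa-fingerprint old@laptop (DSA)
256 SHA256:constructed-ed25519-fingerprint new@laptop (ED25519)
2048 SHA256:constructed-rsa-fingerprint backup key (RSA)'
SAMPLE_DEFAULT='pubkeyacceptedkeytypes ssh-ed25519,rsa-sha2-512,rsa-sha2-256,ssh-rsa'
SAMPLE_RELAXED='pubkeyacceptedkeytypes ssh-ed25519,ssh-rsa,ssh-dss'

report "$SAMPLE_AGENT" "$SAMPLE_DEFAULT" || true
report "$SAMPLE_AGENT" "$SAMPLE_RELAXED" && echo 'ssh-dss accepted: DSA keys usable'
```

On a live system, pipe `ssh-add -l` into `dsa_identities`, and `ssh -G <host>` (client) or `sshd -T` (server, as root) into `allows_dss`. OpenSSH 8.5 and later report the option as `pubkeyacceptedalgorithms`, which the pattern also matches.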
18.10.2019 1:05, Christian Boltz wrote:
> Hello,
>
> On 17 October 2019, 14:53:35 CEST, Adam Tauno Williams wrote:
>> After doing a zypper dup to 15.1 all appears to be working great - as expected - except however for SSH public key authentication.
>>
>> __agent knows the keys__
>> awilliam@beast01:/etc> ssh-add -l
>> 1024 SHA256:Mom8WjkrR5gYjlRXsH4ROtA7HcsvC0UI/2c+BFsEp0U ogo@workflow.mormail.com (DSA)
>> 1024 SHA256:xVXJ4TscK0z/lZRf6t6n/9yt3G9sIxy46bmGd2RDCr4 awilliam@linux-yu4c.site (DSA)
>> 1024 SHA256:ZNRZeqkdHCI266I72nNCOiwagJ85XLScOkmEtwYIilk awilliam@linux-86wr.site (DSA)
>
> The default sshd config in Leap 15.x no longer allows DSA keys.
>
> Create and use a key in a newer format (for example, I picked ED25519), or adjust the sshd config to allow DSA keys again.

What key type corresponds to DSA? I do not see it in key list (ssh -Q key); there are ssh-rsa and ssh-dss. Does ssh-dss stand for DSA?
On 18/10/2019 06.31, Andrei Borzenkov wrote:
> 18.10.2019 1:05, Christian Boltz wrote:
>> Hello,
>>
>> On 17 October 2019, 14:53:35 CEST, Adam Tauno Williams wrote:
>>> After doing a zypper dup to 15.1 all appears to be working great - as expected - except however for SSH public key authentication.
>>>
>>> __agent knows the keys__
>>> awilliam@beast01:/etc> ssh-add -l
>>> 1024 SHA256:Mom8WjkrR5gYjlRXsH4ROtA7HcsvC0UI/2c+BFsEp0U ogo@workflow.mormail.com (DSA)
>>> 1024 SHA256:xVXJ4TscK0z/lZRf6t6n/9yt3G9sIxy46bmGd2RDCr4 awilliam@linux-yu4c.site (DSA)
>>> 1024 SHA256:ZNRZeqkdHCI266I72nNCOiwagJ85XLScOkmEtwYIilk awilliam@linux-86wr.site (DSA)
>>
>> The default sshd config in Leap 15.x no longer allows DSA keys.
>>
>> Create and use a key in a newer format (for example, I picked ED25519), or adjust the sshd config to allow DSA keys again.
>
> What key type corresponds to DSA? I do not see it in key list (ssh -Q key); there are ssh-rsa and ssh-dss. Does ssh-dss stand for DSA?

There is a "(DSA)" at the end of each entry ;-)

--
Cheers / Saludos,
Carlos E. R.
(from 15.1 x86_64 at Telcontar)
On Fri, Oct 18, 2019 at 10:31 AM Carlos E. R. <robin.listas@telefonica.net> wrote:
> On 18/10/2019 06.31, Andrei Borzenkov wrote:
>> 18.10.2019 1:05, Christian Boltz wrote:
>>> Hello,
>>>
>>> On 17 October 2019, 14:53:35 CEST, Adam Tauno Williams wrote:
>>>> After doing a zypper dup to 15.1 all appears to be working great - as expected - except however for SSH public key authentication.
>>>>
>>>> __agent knows the keys__
>>>> awilliam@beast01:/etc> ssh-add -l
>>>> 1024 SHA256:Mom8WjkrR5gYjlRXsH4ROtA7HcsvC0UI/2c+BFsEp0U ogo@workflow.mormail.com (DSA)
>>>> 1024 SHA256:xVXJ4TscK0z/lZRf6t6n/9yt3G9sIxy46bmGd2RDCr4 awilliam@linux-yu4c.site (DSA)
>>>> 1024 SHA256:ZNRZeqkdHCI266I72nNCOiwagJ85XLScOkmEtwYIilk awilliam@linux-86wr.site (DSA)
>>>
>>> The default sshd config in Leap 15.x no longer allows DSA keys.
>>>
>>> Create and use a key in a newer format (for example, I picked ED25519), or adjust the sshd config to allow DSA keys again.
>>
>> What key type corresponds to DSA? I do not see it in key list (ssh -Q key); there are ssh-rsa and ssh-dss. Does ssh-dss stand for DSA?
>
> There is a "(DSA)" at the end of each entry ;-)

And how does it answer my question?
On 18/10/2019 11.23, Andrei Borzenkov wrote:
> On Fri, Oct 18, 2019 at 10:31 AM Carlos E. R. <> wrote:
>> On 18/10/2019 06.31, Andrei Borzenkov wrote:
>>> 18.10.2019 1:05, Christian Boltz wrote:
>>>> Hello,
>>>>
>>>> On 17 October 2019, 14:53:35 CEST, Adam Tauno Williams wrote:
>>>>> After doing a zypper dup to 15.1 all appears to be working great - as expected - except however for SSH public key authentication.
>>>>>
>>>>> __agent knows the keys__
>>>>> awilliam@beast01:/etc> ssh-add -l
>>>>> 1024 SHA256:Mom8WjkrR5gYjlRXsH4ROtA7HcsvC0UI/2c+BFsEp0U ogo@workflow.mormail.com (DSA)
>>>>> 1024 SHA256:xVXJ4TscK0z/lZRf6t6n/9yt3G9sIxy46bmGd2RDCr4 awilliam@linux-yu4c.site (DSA)
>>>>> 1024 SHA256:ZNRZeqkdHCI266I72nNCOiwagJ85XLScOkmEtwYIilk awilliam@linux-86wr.site (DSA)
>>>>
>>>> The default sshd config in Leap 15.x no longer allows DSA keys.
>>>>
>>>> Create and use a key in a newer format (for example, I picked ED25519), or adjust the sshd config to allow DSA keys again.
>>>
>>> What key type corresponds to DSA? I do not see it in key list (ssh -Q key); there are ssh-rsa and ssh-dss. Does ssh-dss stand for DSA?
>>
>> There is a "(DSA)" at the end of each entry ;-)
>
> And how does it answer my question?

Sorry, doesn't it answer your question? How is that? Maybe you have to rephrase your question so that retards like me understand it.

--
Cheers / Saludos,
Carlos E. R.
(from 15.1 x86_64 at Telcontar)
On Friday, 18 October 2019, 11:23:46 CEST, Andrei Borzenkov wrote:
>>> What key type corresponds to DSA? I do not see it in key list (ssh -Q key); there are ssh-rsa and ssh-dss. Does ssh-dss stand for DSA?
>>
>> There is a "(DSA)" at the end of each entry ;-)
>
> And how does it answer my question?

It doesn't. The answer to your question is "yes", the ssh key algorithm ssh-dss relates to DSA keys.

/Andreas
--
Time flies like an arrow. Fruit flies like a banana.
18.10.2019 14:42, Andreas Mahel wrote:
> On Friday, 18 October 2019, 11:23:46 CEST, Andrei Borzenkov wrote:
>>>> What key type corresponds to DSA? I do not see it in key list (ssh -Q key); there are ssh-rsa and ssh-dss. Does ssh-dss stand for DSA?
>>>
>>> There is a "(DSA)" at the end of each entry ;-)
>>
>> And how does it answer my question?
>
> It doesn't. The answer to your question is "yes", the ssh key algorithm ssh-dss relates to DSA keys.

Thanks.
On 10/17/2019 11:31 PM, Andrei Borzenkov wrote:
> What key type corresponds to DSA? I do not see it in key list (ssh -Q key); there are ssh-rsa and ssh-dss. Does ssh-dss stand for DSA?

dsa keys were removed 3+ years ago due to the crypto algorithm having been busted. For years type ssh-keygen -t dsa would produce id_dsa id_dsa.pub keys instead of rsa. After dsa was removed, you could still use ecdsa keys. But it has gotten to the point you may as well just stick with rsa.

--
David C. Rankin, J.D.,P.E.
participants (6)
- Adam Tauno Williams
- Andreas Mahel
- Andrei Borzenkov
- Carlos E. R.
- Christian Boltz
- David C. Rankin