Deprecating DSA

So last week I updated one of my home servers from Ubuntu Server 14.04 to 16.04. During the upgrade a number of packages got upgraded, many of which I simply glossed over as the server was in a relatively vanilla state and the only service it’s running is Plex. openSSH was one such package that was upgraded, moving from v6.6 to v7.2 .

I completed my upgrade and tested Plex was working fine, and thought no more of it until a week or so later when I tried SSH’ing into my server only to be met with an error from PuTTY stating ‘Server Refused our Key’.

A bit of head-scratching and research later and I discovered that version 7.x of openSSH has made a change to deprecate DSA keypairs. It’s not a recent change, with articles appearing from February 2016, but with version 7.x of openSSH making it into stable distributions, it is worth highlighting before users upgrade their systems.

Consequence

The consequences of voided DSA Keypairs is that any users who have locked down their SSHD configuration to only allow keypair authentication and rely on a DSA keypair will suddenly find themselves unable to gain remote access to their system. Not a problem if you’ve got KVM access, but if you’re limited to remote connectivity this is a bit of a problem.

Background

So why have DSA keypairs been deprecated? The OpenSSH changelog provides the following insight:

Starting with the 7.0 release of OpenSSH, support for ssh-dss keys has been disabled by default at runtime due to their inherit weakness. If you rely on these key types, you will have to take corrective action or risk being locked out.

Your best option is to generate new keys using strong algos such as rsa or ecdsa or ed25519. RSA keys will give you the greatest portability with other clients/servers while ed25519 will get you the best security with OpenSSH.

Good to know, but not very helpful. For a better answer I recommend reading the following post on StackExchange: http://security.stackexchange.com/questions/112802/why-openssh-deprecated-dsa-keys

Identification

If you’ve been locked out of your system, you can quickly identify the error.

Client

First, check if you’re using public/private key authentication.

For PuTTY under Windows, load your profile then check under Connection > SSH > Auth . If there is a ‘Private Key file for authentication’ set, then you are using a keypair. If you’re not loading a profile and just entering the Session Host Name (or IP Address) by hand every time, then keypairs are not in use.

For CLI based SSH clients, your SSH keys are typically located in your home directory under the .ssh folder

user@host$ ls -al ~/.ssh

If this directory does not exist, empty, or does not contain the following files then you are not using a keypair and your problem is elsewhere.

Normally the keys will identify their type with the file name.

Private Keys:

  • id_dsa
  • id_ecdsa
  • id_ed25519
  • id_rsa

Public Keys:

  • id_dsa.pub
  • id_ecdsa.pub
  • id_ed25519.pub
  • id_rsa.pub

You can instead cat or edit the private key file to view the type of key it is. The top of the file should denote the type of key, e.g:

-----BEGIN DSA PRIVATE KEY-----
<key>
-----END DSA PRIVATE KEY-----
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,EDB7CDA153A7DBC1

<key>
-----END RSA PRIVATE KEY-----

Server

If you or some of your users suspect they’ve been locked out of the system because of this deprecation, then you can identify this by viewing the authentication log

cat /var/log/auth.log

You should see something similar to the following for each fai

Sep 2 16:24:48 plex sshd[3634]: userauth_pubkey: key type ssh-dss not in PubkeyAcceptedKeyTypes [preauth]
Sep 2 16:24:48 plex sshd[3634]: error: Received disconnect from <source_ip> port 49303:14: No supported authentication methods available [preauth]
Sep 2 16:24:48 plex sshd[3634]: Disconnected from <source_ip> port 49303 [preauth]

Workaround

So you can optionally ignore all of these changes and manually reinstate  DSA keypair support in openSSH Server. To do so, edit /etc/ssh/sshd.conf in your favourite text editor and add the following line:

PubkeyAcceptedKeyTypes=+ssh-dss

Prevention

Short of gaining physical or (remote) KVM access to your machine, once you’ve lost access to a system that is set up to only allow authorised keypair authentication, you’re a little screwed. The best thing to do is to delay any upgrades to openSSH until you and all your users have changed their keypairs to RSA.

New Keypair generation

  • To generate a new keypair, run the following command
user@host$ ssh-keygen -t rsa -b 4096 -C "your_email_address@domain.com"
  • When prompted with ‘Enter a file in which to save the key’, press enter to save it in its default location (~/.ssh/)
  • When prompted. enter a secure passphrase.

Inside your ~/.ssh/ directory you should now have a id_rsa and id_rsa.pub file.

  • Copy the id_rsa.pub file to your server’s ~/.ssh/ directory for the account you wish to SSH into.

Make sure to store your id_rsa file in a safe place.

Author: TFindley

Tristan is an IT Professional, Photographer and motorcycle enthusiast. Working full-time as a Systems Administrator for Royal Holloway, but running his own photography company, and the occasional IT Contract. Tristan has been riding motorcycles since 2016, and is the original author of "My First Motorcycle", the forerunner to this site. He built it with the intention of providing a resource to those interested in riding, and to give something back to the community that had helped get him started in the world of motorcycles.

2 thoughts on “Deprecating DSA”

Leave a Reply