PubkeyAcceptedKeyTypes and ssh-dsa key type

I'm trying to test the order in which keys are tried. One of the system's users is using DSA, so I'm trying to test it as an option. I'm getting a Bad key types.

$ ssh -vv -p 1522 jwalton@192.168.1.11
OpenSSH_7.1p1, OpenSSL 1.0.2d 9 Jul 2015
debug1: Reading configuration data /Users/jwalton/.ssh/config
/Users/jwalton/.ssh/config line 2: Bad key types 'ssh-ed25519,ecdsa-sha2-nistp256,ssh-dsa,ssh-rsa'.

I narrowed it down to ssh-dsa. According to ssh_config(5) (its actually part of sshd_config(5), but its listed as a new ssh_config feature in the OpenSSH 7.0 release notes):

 The -Q option of ssh(1) may be used to list supported key types.

However, I can't seem to get it to work:

riemann::~$ ssh -Q
/usr/local/bin/ssh: option requires an argument -- Q
riemann::~$ ssh -Q dsa
Unsupported query "dsa"
riemann::~$ ssh -Q ssh-dsa
Unsupported query "ssh-dsa"
riemann::~$ ssh -Q ed25529
Unsupported query "ed25529"
riemann::~$ ssh -Q ssh-ed25529
Unsupported query "ssh-ed25529"
riemann::~$ ssh -Q PubkeyAcceptedKeyTypes
Unsupported query "PubkeyAcceptedKeyTypes"

How does one use the ssh -Q option?

What is the key type for ssh-dsa?

2 Answers

Reading manual pages should help you:

 -Q cipher | cipher-auth | mac | kex | key | protocol-version

Queries ssh for the algorithms supported for the specified version 2. The available features are: cipher (supported symmetric ciphers), cipher-auth (supported symmetric ciphers that support authenticated encryption), mac (supported message integrity codes), kex (key exchange algorithms), key (key types) and protocol-version (supported SSH protocol versions).

Calling ssh -Q key gives you what you want:

ssh -Q key
ssh-ed25519
ssh-rsa
ssh-dss
ecdsa-sha2-nistp256
ecdsa-sha2-nistp384
ecdsa-sha2-nistp521

This is new feature in openssh-7.0 so remember that it doesn't have to work in older versions.

ssh-dsa key type is ssh-dss and it is disabled by default in this version.

13

For reference, an answer posted in unix.stackexchange.com helped us fix the issue:

The new openssh version (7.0+) deprecated DSA keys and is not using DSA keys by default (not on server or client). The keys are not preferred to be used anymore, so if you can, I would recommend to use RSA keys where possible.

If you really need to use DSA keys, you need to explicitly allow them in your client config using

PubkeyAcceptedKeyTypes +ssh-dss Should be enough to put that line in ~/.ssh/config, as the verbose message is trying to tell you.

Your Answer

Sign up or log in

Sign up using Google Sign up using Facebook Sign up using Email and Password

Post as a guest

By clicking “Post Your Answer”, you agree to our terms of service, privacy policy and cookie policy

You Might Also Like