I'm trying to test the order in which keys are tried. One of the system's users is using DSA, so I'm trying to test it as an option. I'm getting a Bad key types.
$ ssh -vv -p 1522 jwalton@192.168.1.11
OpenSSH_7.1p1, OpenSSL 1.0.2d 9 Jul 2015
debug1: Reading configuration data /Users/jwalton/.ssh/config
/Users/jwalton/.ssh/config line 2: Bad key types 'ssh-ed25519,ecdsa-sha2-nistp256,ssh-dsa,ssh-rsa'.I narrowed it down to ssh-dsa. According to ssh_config(5)
(its actually part of sshd_config(5), but its listed as a new ssh_config feature in the OpenSSH 7.0 release notes):
The -Q option of ssh(1) may be used to list supported key types.However, I can't seem to get it to work:
riemann::~$ ssh -Q
/usr/local/bin/ssh: option requires an argument -- Q
riemann::~$ ssh -Q dsa
Unsupported query "dsa"
riemann::~$ ssh -Q ssh-dsa
Unsupported query "ssh-dsa"
riemann::~$ ssh -Q ed25529
Unsupported query "ed25529"
riemann::~$ ssh -Q ssh-ed25529
Unsupported query "ssh-ed25529"
riemann::~$ ssh -Q PubkeyAcceptedKeyTypes
Unsupported query "PubkeyAcceptedKeyTypes"How does one use the ssh -Q option?
What is the key type for ssh-dsa?
2 Answers
Reading manual pages should help you:
-Q cipher | cipher-auth | mac | kex | key | protocol-versionQueries
sshfor the algorithms supported for the specified version 2. The available features are:cipher(supported symmetric ciphers),cipher-auth(supported symmetric ciphers that support authenticated encryption),mac(supported message integrity codes),kex(key exchange algorithms),key(key types) andprotocol-version(supported SSH protocol versions).
Calling ssh -Q key gives you what you want:
ssh -Q key
ssh-ed25519
ssh-rsa
ssh-dss
ecdsa-sha2-nistp256
ecdsa-sha2-nistp384
ecdsa-sha2-nistp521This is new feature in openssh-7.0 so remember that it doesn't have to work in older versions.
ssh-dsa key type is ssh-dss and it is disabled by default in this version.
For reference, an answer posted in unix.stackexchange.com helped us fix the issue:
The new openssh version (7.0+) deprecated DSA keys and is not using DSA keys by default (not on server or client). The keys are not preferred to be used anymore, so if you can, I would recommend to use RSA keys where possible.
If you really need to use DSA keys, you need to explicitly allow them in your client config using
PubkeyAcceptedKeyTypes +ssh-dss Should be enough to put that line in ~/.ssh/config, as the verbose message is trying to tell you.