Thursday, March 17, 2016

VMware ESXi 6.0 Update 2 & SSH

So you upgraded to VMware ESXi 6.0 Update 2 and now your passwordless SSH login is no longer working?

Same happened to me yesterday.

The VMware KB article "Allowing SSH access to ESXi/ESX hosts with public/private key authentication (1002866)"

is of no help, because what it describes no longer works.

It looks as though your 'authorized_keys' file could not be found.

After searching around a bit (admittedly quite a long bit), I found the cause and the solution.

The file '/var/log/auth.log' contains entries like this:
userauth_pubkey: key type ssh-dss not in PubkeyAcceptedKeyTypes
That is the hint: sshd is refusing the DSA (ssh-dss) user key.

Following that, I quickly got the impression that this update changes SSH.
Apparently it includes a new version of OpenSSH.

To verify this, let's try:
ssh -V
OpenSSH_7.1p1, OpenSSL 1.0.1p 9 Jul 2015
So OK, that is a new version: OpenSSH 7.1.

Further following this road gets me to the OpenSSH release notes, which read:
 * Support for ssh-dss, ssh-dss-cert-* host and user keys is disabled
   by default at run-time. These may be re-enabled using the
   instructions at

So OK, let's go there. Here I read:
OpenSSH 7.0 and greater similarly disables the ssh-dss (DSA) public key algorithm. It too is weak and we recommend against its use. It can be re-enabled using the HostkeyAlgorithms configuration option:
ssh -oHostKeyAlgorithms=+ssh-dss user@

or in the ~/.ssh/config file:
 HostkeyAlgorithms ssh-dss

So OK, but how do I enable it on the ESXi host?

Let's see. Clearly we need to edit the file '/etc/ssh/sshd_config'.
So after creating a backup of this file (I ended up locked out several times along the way), I put two and two together and tried this:
vi /etc/ssh/sshd_config

Here I added the line
HostkeyAlgorithms ssh-dss
Then restart the SSH daemon:
/etc/init.d/SSH restart

But it still doesn't work. (No surprise in hindsight: HostKeyAlgorithms governs the server's own host key, not the user key types it accepts for authentication, and the log line already named the right option, PubkeyAcceptedKeyTypes.)

OK, but I still think this is the right way to go.

Restore the backed-up file.
So this time we add two and three together, which looks like this:

vi /etc/ssh/sshd_config
Now I add the line
PubkeyAcceptedKeyTypes ssh-dss
Then again:
/etc/init.d/SSH restart

Et voilà. It works.

So all you have to do is add the line

PubkeyAcceptedKeyTypes ssh-dss
to the file '/etc/ssh/sshd_config' and then restart the SSH daemon using
/etc/init.d/SSH restart
That's it.

Two caveats. A bare 'ssh-dss' replaces sshd's default list, so afterwards only DSA user keys are accepted; OpenSSH 7.0 and later accept a leading '+' ('PubkeyAcceptedKeyTypes +ssh-dss') to append DSA to the defaults, so RSA and Ed25519 keys keep working alongside it. And OpenSSH disabled ssh-dss because the algorithm is considered weak, so treat this as a stopgap until the DSA key pair has been replaced.
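Here is the same procedure as a small shell script, added to this post as an example (it is not code from the original post, nor from VMware or OpenSSH). It recognises the auth.log symptom, backs the config up, rewrites any existing PubkeyAcceptedKeyTypes line instead of duplicating it, and defaults to the '+ssh-dss' form so existing RSA keys are not locked out. It assumes a POSIX sh with grep, sed and mktemp; the sample log lines and sample config are constructed, and nothing touches /etc/ssh or restarts sshd unless you call apply_on_esxi yourself.

```shell
#!/bin/sh
# Added example (not from the original post, VMware or OpenSSH).
# Assumes POSIX sh with grep, sed and mktemp. Only apply_on_esxi touches the
# real host; everything else works on whatever file path you hand it.

# Constructed sample of /var/log/auth.log around the failure described above.
SAMPLE_AUTHLOG='sshd[1234]: Connection from 192.0.2.10 port 51022
sshd[1234]: userauth_pubkey: key type ssh-dss not in PubkeyAcceptedKeyTypes [preauth]
sshd[1234]: Connection closed by 192.0.2.10 [preauth]'

# Exit 0 when the log text carries the tell-tale DSA rejection, 1 otherwise.
dss_rejected_in_log() {
    printf '%s\n' "$1" | grep -q 'key type ssh-dss not in PubkeyAcceptedKeyTypes'
}

# Count PubkeyAcceptedKeyTypes directives in $1 (sshd keyword matching is
# case-insensitive, and sshd honours the first occurrence of a keyword).
count_pubkey_types() {
    grep -c '^[[:space:]]*[Pp]ubkey[Aa]ccepted[Kk]ey[Tt]ypes' "$1" || true
}

# Print the value of the (last) PubkeyAcceptedKeyTypes directive in $1.
get_pubkey_types() {
    sed -n 's/^[[:space:]]*[Pp]ubkey[Aa]ccepted[Kk]ey[Tt]ypes[[:space:]]\{1,\}//p' "$1" | tail -n 1
}

# Make the sshd_config in $1 accept ssh-dss user keys.
# $2 is the value to set; the default "+ssh-dss" appends DSA to sshd's
# built-in list (OpenSSH 7.0+), whereas a bare "ssh-dss" makes DSA the only
# accepted user key type. A backup is written first, and any existing
# directive is removed so the file ends up with exactly one.
enable_dss_userkeys() {
    cfg=$1
    value=${2:-+ssh-dss}
    cp "$cfg" "$cfg.bak"
    if [ "$(count_pubkey_types "$cfg")" -gt 0 ]; then
        sed '/^[[:space:]]*[Pp]ubkey[Aa]ccepted[Kk]ey[Tt]ypes/d' "$cfg" > "$cfg.tmp" \
            && mv "$cfg.tmp" "$cfg"
    fi
    printf 'PubkeyAcceptedKeyTypes %s\n' "$value" >> "$cfg"
}

# On the ESXi host itself: edit the real file, check the syntax, restart.
# "sshd -t" parses the config and exits non-zero on a bad directive, which
# is cheaper than finding out by being locked out (assumes sshd is on PATH).
apply_on_esxi() {
    enable_dss_userkeys /etc/ssh/sshd_config "$@"
    sshd -t || { echo "sshd_config rejected, restoring backup" >&2
                 cp /etc/ssh/sshd_config.bak /etc/ssh/sshd_config; return 1; }
    /etc/init.d/SSH restart
}

# Demo on a throwaway copy of a constructed config, so this runs anywhere.
demo() {
    tmp=$(mktemp)
    printf '# constructed sshd_config\nPort 22\nPubkeyAuthentication yes\n' > "$tmp"
    dss_rejected_in_log "$SAMPLE_AUTHLOG" && echo "auth.log shows the ssh-dss rejection"
    enable_dss_userkeys "$tmp"
    echo "directive now: PubkeyAcceptedKeyTypes $(get_pubkey_types "$tmp")"
    rm -f "$tmp" "$tmp.bak"
}
demo
```

Run it as-is to see the demo on a temporary file; on the host, source it and call apply_on_esxi (or apply_on_esxi ssh-dss if you really want the post's exact, DSA-only setting).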


benjamin rualthanzauva said...

Thank you so much for saving my day! Thank you for the solution and the reason behind it.

benjamin rualthanzauva said...

sh -V should be ssh -V

Michael said...

You should regenerate your keys with RSA and not edit your ssh config files to accept a lower level of security with DSS keys. JMHO.