You will not be able to login to ESXi 6 U2 with ssh-dss keys

I could not log in to an ESXi 6 host with my SSH keys. As root login with a password was enabled, I could log in using the password. I checked for the known symptoms: AuthorizedKeysFile pointed to the right location, and the AuthorizedKeysFile had my keys.

grep AuthorizedKeysFile /etc/ssh/sshd_config
AuthorizedKeysFile /etc/ssh/keys-%u/authorized_keys
cat /etc/ssh/keys-root/authorized_keys

What could be wrong?

ssh -vvv showed it was trying my private keys but it failed to authenticate.

debug1: Trying private key: /home/rtfmp/.ssh/id_dsa
debug1: PEM_read_PrivateKey failed

On the host with the issue, I ran tail -f /var/log/auth.log and tried to ssh to the host from a second terminal. I saw this:

2016-03-30T12:07:38Z sshd[988143]: userauth_pubkey: key type ssh-dss not in PubkeyAcceptedKeyTypes

Now that I know the cause and solution, the message is straightforward. It wasn’t back then. By using the right combination of search terms

"userauth_pubkey: key type ssh-dss not in PubkeyAcceptedKeyTypes" + esxi

I found this blog post by someone who had recently faced the issue.

The host I could not SSH to had recently been upgraded to ESXi 6 U2, which ships OpenSSH 7.1. OpenSSH 7.0 and later disable ssh-dss keys by default; they have to be explicitly re-enabled in sshd_config.

echo 'PubkeyAcceptedKeyTypes ssh-dss' >> /etc/ssh/sshd_config

If your keys were created with ssh-rsa, you will not face this issue. Mine were created with ssh-dss.
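As an added example (not from the original post), here is a small POSIX sh/awk audit that detects this failure mode before an upgrade: it counts the ssh-dss entries in an authorized_keys file and classifies how the first PubkeyAcceptedKeyTypes directive in sshd_config treats them, making visible that a value without a leading + replaces the default list (the OpenSSH legacy page named in the release note uses +ssh-dss to append instead). The key blobs and config fragments are constructed samples, not real keys.

```shell
# Added example, not from the original post: audit authorized_keys entries and
# the sshd_config PubkeyAcceptedKeyTypes setting for the OpenSSH 7.0+ ssh-dss change.
# Constructed sample authorized_keys; the key blobs are placeholders, not real keys.
SAMPLE_KEYS='ssh-rsa AAAAB3NzaC1yc2EAAAAplaceholder rtfmp@laptop
# comment line
ssh-dss AAAAB3NzaC1kc3MAAACBplaceholder legacy-app
from="10.0.0.0/8",no-pty ssh-dss AAAAB3NzaC1kc3MAAACBplaceholder backup
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5placeholder ops'
# Constructed sshd_config: the upgraded default, and the same file after the echo fix above.
CFG_DEFAULT='AuthorizedKeysFile /etc/ssh/keys-%u/authorized_keys'
CFG_POST="$CFG_DEFAULT
PubkeyAcceptedKeyTypes ssh-dss"

# Count authorized_keys entries on stdin whose key type equals $1.
# Options containing quoted spaces (command="...") are not handled.
count_key_type() {
    awk -v t="$1" '
        NF == 0 || $1 ~ /^#/ { next }                   # blank lines and comments
        { type = $1
          if (type !~ /^(ssh-|ecdsa-|sk-)/) type = $2   # options prefix present
          if (type == t) n++ }
        END { print n + 0 }'
}

# Classify how sshd_config on stdin treats ssh-dss. sshd honours the first occurrence
# of a keyword; a value without a leading "+" replaces the default list, "+ssh-dss" appends.
dss_policy() {
    awk '
        NF == 0 || $1 ~ /^#/ { next }
        { kv = $0; sub(/^[ \t]+/, "", kv); split(kv, f, /[ \t=]+/)
          if (tolower(f[1]) != "pubkeyacceptedkeytypes") next
          val = f[2]; append = (val ~ /^\+/); sub(/^\+/, "", val); found = 1
          if (("," val ",") !~ /,ssh-dss,/) print "disabled-explicit"
          else if (append)                   print "enabled-appended"
          else                               print "enabled-exclusive"
          exit }
        END { if (!found) print "default-disabled" }'
}

# Return 0 if every ssh-dss key in $1 would be accepted under sshd_config $2, else 1.
audit_dss() {
    n=$(printf '%s\n' "$1" | count_key_type ssh-dss)
    policy=$(printf '%s\n' "$2" | dss_policy)
    [ "$n" -eq 0 ] && return 0
    case $policy in enabled-*) return 0 ;; esac
    echo "$n ssh-dss key(s) but policy is $policy: expect the auth.log rejection above" >&2
    return 1
}
printf 'ssh-dss policy before fix: %s, after fix: %s\n' \
    "$(printf '%s\n' "$CFG_DEFAULT" | dss_policy)" "$(printf '%s\n' "$CFG_POST" | dss_policy)"
```

Run it against your own files with `count_key_type ssh-dss < /etc/ssh/keys-root/authorized_keys` and `dss_policy < /etc/ssh/sshd_config`; "enabled-exclusive" means ssh-dss is now the only accepted type, so ssh-rsa users would be locked out instead.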

  • Support for ssh-dss, ssh-dss-cert-* host and user keys is disabled
    by default at run-time. These may be re-enabled using the
    instructions at http://www.openssh.com/legacy.html

Via http://www.openssh.com/txt/release-7.0

Earlier versions of ESXi 6 have OpenSSH 6.6:

ESXi 6.0 GA

[root@esxi6.0:~] ssh -V
OpenSSH_6.6.1p1, OpenSSL 1.0.1j 15 Oct 2014
[root@esxi6.0:~] vmware -lv
VMware ESXi 6.0.0 build-2809209
VMware ESXi 6.0.0 GA

ESXi 6 U1

[root@esxi6u1:~] ssh -V
OpenSSH_6.6.1p1, OpenSSL 1.0.1p 9 Jul 2015
[root@esxi6u1:~] vmware -lv
VMware ESXi 6.0.0 build-3380124
VMware ESXi 6.0.0 Update 1

ESXi 6 U2

[root@esxi6u1:~] ssh -V
OpenSSH_7.1p1, OpenSSL 1.0.1p 9 Jul 2015
[root@esxi6u1:~] vmware -lv
VMware ESXi 6.0.0 build-3620759
VMware ESXi 6.0.0 Update 2

2 thoughts on “You will not be able to login to ESXi 6 U2 with ssh-dss keys”

    • Hey Hils, agreed. Ideally yes 🙂 Where I worked before, we had ssh-dss keys for several users and application accounts. We needed to be able to access ESXi 6 u2 with our current keys. Before we could generate new keys for all accounts, the quick solution was to enable ssh-dss on ESXi.

