OpenSSH 7.0 & greater disable ssh-dss by default. http://bit.ly/2vZBMyH

If you upgrade OpenSSH (to 7.1.102.1100 on AIX, for example), you may notice that users with ssh-dss keys can no longer log in afterwards. In syslog you'll see messages similar to this:

Syslog: Sep 11 15:40:34 cgaix auth|security:info sshd[9961802]: userauth_pubkey: key type ssh-dss not in PubkeyAcceptedKeyTypes [preauth]

# lslpp -l openssh\*
  Fileset                      Level  State      Description
  ----------------------------------------------------------------------------
Path: /usr/lib/objrepos
  openssh.base.client   7.1.102.1100  COMMITTED  Open Secure Shell Commands
  openssh.base.server   7.1.102.1100  COMMITTED  Open Secure Shell Server
  openssh.man.en_US     7.1.102.1100  COMMITTED  Open Secure Shell
                                                 Documentation - U.S. English
  openssh.msg.en_US       6.0.0.6201  COMMITTED  Open Secure Shell Messages -
                                                 U.S. English

Path: /etc/objrepos
  openssh.base.client   7.1.102.1100  COMMITTED  Open Secure Shell Commands
  openssh.base.server   7.1.102.1100  COMMITTED  Open Secure Shell Server

From the OpenSSH website: https://www.openssh.com/legacy.html

"OpenSSH 7.0 and greater similarly disable the ssh-dss (DSA) public key algorithm. It too is weak and we recommend against its use. It can be re-enabled using the HostKeyAlgorithms configuration option:

ssh -oHostKeyAlgorithms=+ssh-dss user@legacyhost

or in the ~/.ssh/config file:

Host somehost.example.org
HostKeyAlgorithms +ssh-dss"


The recommendation is to stop using DSA and move to something stronger, like RSA or ECDSA.

Note that the HostKeyAlgorithms option quoted above is the client-side setting for the server's host key. The failure in the syslog message above is about user public keys, which the server filters with PubkeyAcceptedKeyTypes. If you're stuck and you have a lot of users with ssh-dss keys, you could enable it (temporarily, until those keys have been replaced) by adding the following line to your /etc/ssh/sshd_config file and restarting sshd:

# grep Acc /etc/ssh/sshd_config
PubkeyAcceptedKeyTypes=+ssh-dss

# stopsrc -s sshd ; sleep 5 ; startsrc -s sshd
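
As an added example (not part of the original post), a small POSIX sh script that inventories which authorized_keys entries still use ssh-dss and checks whether the temporary override is still present in sshd_config, so the override can be removed once the keys are replaced. The file paths, user name and key blobs below are constructed placeholders.

```shell
#!/bin/sh
# Added example, not from the original post. Lists ssh-dss keys in an
# authorized_keys file and checks for the temporary sshd_config override.
# Assumes a POSIX sh (AIX ksh works); sample data below is constructed.

# Print "user keyfile comment" for every ssh-dss entry in $2 for user $1.
# Key blobs are not printed, only their trailing comment.
list_dss_keys() {
    user=$1
    keyfile=$2
    [ -r "$keyfile" ] || return 0
    awk -v u="$user" -v f="$keyfile" '
        /^[ \t]*(#|$)/ { next }          # skip comments and blank lines
        {
            # A line may start with options (e.g. from="..."), so look for
            # ssh-dss as a whole field anywhere on the line.
            for (i = 1; i <= NF; i++)
                if ($i == "ssh-dss") {
                    comment = (i + 2 <= NF) ? $(i + 2) : "(no comment)"
                    print u, f, comment
                    break
                }
        }' "$keyfile"
}

# Number of ssh-dss entries in one file (handy for a per-user summary).
count_dss_keys() {
    list_dss_keys "$1" "$2" | wc -l | tr -d ' '
}

# Succeeds if sshd_config ($1) still contains a +ssh-dss override,
# in either "keyword value" or "keyword=value" form.
override_enabled() {
    grep -Eq '^[ \t]*PubkeyAcceptedKeyTypes[ \t=]+.*\+ssh-dss' "$1"
}

# --- constructed sample data so the script runs stand-alone ---------------
tmp=${TMPDIR:-/tmp}/dss-inventory.$$
mkdir -p "$tmp"
cat > "$tmp/authorized_keys" <<'EOF'
# constructed sample; the blobs are placeholders, not real keys
ssh-dss AAAAB3NzaC1kc3MAAACBAPLACEHOLDER alice@legacyhost
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQPLACEHOLDER alice@laptop
from="10.0.0.0/8" ssh-dss AAAAB3NzaC1kc3MAAACBAPLACEHOLDER2 alice@batch
EOF
printf 'PubkeyAcceptedKeyTypes=+ssh-dss\n' > "$tmp/sshd_config"

list_dss_keys alice "$tmp/authorized_keys"
override_enabled "$tmp/sshd_config" && echo "sshd_config override still enabled"
```

On a real system, run list_dss_keys once per user against that user's ~/.ssh/authorized_keys (and any AuthorizedKeysFile paths set in sshd_config), and remove "$tmp" when done.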