OpenSSH 7.0 & greater disable ssh-dss by default.
If you upgrade OpenSSH, to 7.1.102.1100 on AIX for example, you may notice that you're unable to log in afterwards with ssh-dss keys. In syslog you'll see messages similar to this:
Syslog: Sep 11 15:40:34 cgaix auth|security:info sshd[9961802]: userauth_pubkey: key type ssh-dss not in Pubk
# lslpp -l openssh\*
Path: /etc/objrepos
From the OpenSSH webs
"OpenSSH 7.0 and greater similarly disable the
ssh-dss (DSA) public key algorithm. It too is weak and we recommend
against its use. It can be re-enabled using the HostKeyAlgorithms
configuration option:
ssh -oHo
or in the ~/.ssh/config file:
Host some
HostKeyAlgorithms +ssh-dss"
The recommendation is to stop using DSA and move to something stronger, like RSA or ECDSA.
If you're stuck and you have a lot of users with ssh-dss
keys, you could enable it (temporarily) by adding the following line to
your /etc
# grep Acc /etc
# stopsrc -s sshd ; sleep 5 ; startsrc -s sshd
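To size the move off DSA, it helps to know which authorized_keys entries are still ssh-dss. The script below is an added example, not part of the original post; the function names, the sample file and its placeholder key blobs are constructed for illustration, and the example path in the last comment is an assumption.

```shell
#!/bin/sh
# Added example: list ssh-dss (DSA) keys in authorized_keys-format files.
# A DSA key blob always starts with base64("\0\0\0\7ssh-dss") = AAAAB3NzaC1kc3M.

find_dss_keys() {
    # Prints file:line:comment (first word of the comment, "-" if none).
    [ "$#" -gt 0 ] || return 0
    awk '
        /^[ \t]*#/ { next }          # comment line
        NF == 0    { next }          # blank line
        {
            # Options such as command="..." may precede the key type, so scan
            # every field instead of assuming the type is field 1.
            for (i = 1; i < NF; i++) {
                if ($i == "ssh-dss" && $(i + 1) ~ /^AAAAB3NzaC1kc3M/) {
                    comment = (i + 2 <= NF) ? $(i + 2) : "-"
                    printf "%s:%d:%s\n", FILENAME, FNR, comment
                    next
                }
            }
        }
    ' "$@"
}

count_dss_keys() {
    find_dss_keys "$@" | awk 'END { print NR + 0 }'
}

# Constructed sample file; the key blobs are placeholders, not real keys.
write_sample() {
    cat > "$1" <<'EOF'
# constructed authorized_keys sample
ssh-dss AAAAB3NzaC1kc3MAAACBAPLACEHOLDER alice@oldhost
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABPLACEHOLDER bob@laptop
command="echo backup only",no-pty ssh-dss AAAAB3NzaC1kc3MAAACBAPLACEHOLDER backup@cron
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDER carol@desk
EOF
}

# Example invocation (the path is an assumption; adjust to your home layout):
#   sh audit_dss.sh /home/*/.ssh/authorized_keys
if [ "$#" -gt 0 ]; then
    find_dss_keys "$@"
fi
```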
Hi Anpodila, no, I have not seen this problem. Perhaps it was broken before the update. Try reinstalling the openssh.man.en_US fileset.
MAN PAGES BROKEN IN OPENSSH 7.5
After I updated to OpenSSH 7.5, man pages are broken with an error message similar to the one below.
Reformatting page. Wait.../usr/bin/nroff: Argument not valid for .Dt ; line 26, file <standard input> finished
Any idea of it?
Hi Ricky, that's not something I've tested. However, I did notice that the README states: "Support for TCP_Wrappers is removed by OpenSSH community"! The README file is here: https://ibm.co/2nm7YFu. Is there anything interesting in syslog? Check this link as well: http://www-01.ibm.com/support/docview.wss?uid=isg3T1025737. The only way I can think of fixing this would be to download the openssh src code and compile it, with tcp_wrapper support enabled.
Hi Chris, I found that after I upgraded to SSH 7.5 on AIX 7.1, TCP wrapper is no longer effective. Do you have any idea?