fatal: Fssh_packet_write_poll: Connection from xxx.xxx.xx.xx port yyyyy: Permission denied

Allan Jude allanjude at freebsd.org
Tue Nov 22 15:47:23 UTC 2016 

On 2016-11-22 02:37, KIRIYAMA Kazuhiko wrote:
> Hi, all
> 
> I've updated to HEAD(r308871) at 2 days ago, and also ports
> too(r426562). Then all stuffs including applications have
> been updated and tried to slogin to this host,but can't
> connect with the message `userauth_pubkey: key type ssh-dss
> not in PubkeyAcceptedKeyTypes [preauth]' in
> /var/log/auth.log. I found new OpenSSH-7.* has not been
> supported DSA and to connect from client with old ssh(lower
> than OpenSSH-7.0),set `ssh-dss' or some values set to
> relevant variables in /etc/ssh/sshd_config. According to [1]
> and [2] I've set these variables as below:
> 
> PubkeyAcceptedKeyTypes=+ssh-dss
> HostKeyAlgorithms=+ssh-dss
> KexAlgorithms=+diffie-hellman-group-exchange-sha256
> 
> and successfully slogined:
> 

snip

> 
> And with the message `fatal: Fssh_packet_write_poll:
> Connection from xxx.xxx.xx.xx port yyyyy: Permission denied'
> in /var/log/auth.log:
> 
> 
> Nov 22 16:07:51 kx sshd[73878]: Accepted publickey for admin from xxx.xxx.xx.xx port 64147 ssh2: DSA SHA256:6uPsONRWeNkYjlj9BU4GZYUUeH60ZbUCB25jolvrvj8
> Nov 22 16:07:51 kx sshd[73880]: fatal: Fssh_packet_write_poll: Connection from xxx.xxx.xx.xx port 64147: Permission denied
> 
> 
> Is there any suggesions?
> My environments are as follows:
> 
> - Server:
> 
> admin at kx:~ % uname -a
> FreeBSD kx.truefc.org 12.0-CURRENT FreeBSD 12.0-CURRENT #13 r308871M: Sun Nov 20 15:51:21 JST 2016     admin at kx.truefc.org:/usr/obj/usr/src/sys/XIJ  amd64
> admin at kx:~ % ssh -V
> OpenSSH_7.2p2, OpenSSL 1.0.2j-freebsd  26 Sep 2016
> admin at kx:~ % 
> 
> - Client:
> 
> kiri at kazu:~[995]% uname -a
> FreeBSD kazu.pis 9.2-STABLE FreeBSD 9.2-STABLE #5 r259404M: Mon Dec 16 00:12:52 JST 2013     admin at kazu.pis:/usr/obj/usr/src/sys/GENERIC  amd64
> kiri at kazu:~[996]% ssh -V
> OpenSSH_6.2p2, OpenSSL 0.9.8y 5 Feb 2013
> kiri at kazu:~[997]% 
> 
> 
> Best regards.
> 
> 
> [1] https://www.gentoo.org/support/news-items/2015-08-13-openssh-weak-keys.html
> [2] https://lists.freebsd.org/pipermail/freebsd-current/2016-August/062853.html
> 
> ---
> KIRIYAMA Kazuhiko
> _______________________________________________
> freebsd-current at freebsd.org mailing list
> https://lists.freebsd.org/mailman/listinfo/freebsd-current
> To unsubscribe, send any mail to "freebsd-current-unsubscribe at freebsd.org"
> 


Newer versions of OpenSSH, like the one shipped in 11.0 and 12-current,
do not accept DSA keys anymore. You will need to use RSA keys, or the
newer ECDSA or ED25519 key types.

-- 
Allan Jude

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 834 bytes
Desc: OpenPGP digital signature
URL: <http://lists.freebsd.org/pipermail/freebsd-current/attachments/20161122/97aa4364/attachment.sig>

More information about the freebsd-current mailing list