This is the mail archive of the cygwin mailing list for the Cygwin project.

Index Nav:	[Date Index] [Subject Index] [Author Index] [Thread Index]
Message Nav:	[Date Prev] [Date Next]	[Thread Prev] [Thread Next]
Other format:	[Raw text]

Re: Every time I run ssh, ssh prompts "password:" with latest OpenSSH package.

From: Hiroyuki Kurokawa <kurokawh at gmail dot com>
To: cygwin at cygwin dot com
Date: Thu, 3 Sep 2015 14:57:28 +0900
Subject: Re: Every time I run ssh, ssh prompts "password:" with latest OpenSSH package.
Authentication-results: sourceware.org; auth=none
References: <CABs5vS7UPWPps5ByU9L60z5PSszRNTkFAaQ+DK0e8HZNWDGXPQ at mail dot gmail dot com> <779534835 dot 20150902194715 at yandex dot ru> <CABs5vS4TxToA=5u5MysSg1+izeL2FepjKbQzkeqvOKxNyOdDUQ at mail dot gmail dot com> <833769153 dot 20150903064857 at yandex dot ru>

Hi Andrey,

> This is not the right solution. Right solution would be to change your keys.
> While DSA keys aren't inherently insecure (quite opposite), FIPS compliant
> systems enforce DSA key length to 1024 bits, which is considered to be weak
> nowadays. You CAN use longer DSA keys, but not all systems support it.

I created a new 2048-bit RSA key and confirmed that ssh works fine with
this key & latest OpenSSH package without PubkeyAcceptedKeyTypes configuration.

Thanks,
Hiroyuki Kurokawa


2015-09-03 12:48 GMT+09:00 Andrey Repin <anrdaemon@yandex.ru>:
> Greetings, Hiroyuki Kurokawa!
>
>> Thanks Andrey for reply to my question.
>
>> George gave me an advice by a direct mail.
>> And his instruction solve my problem.
>
>>> If you use dsa key type, you need to add to your ssh client configuration file, either ~/.ssh/config or /etc/ssh_config, the following parameter:
>>>
>>> PubkeyAcceptedKeyTypes +ssh-dss
>>>
>>> If you use some other key type, then 'ssh -Q key' will list all supported key types, pick the right one and put it into config file instead of ssh-dss.
>>>
>>> I had the same problem after the last ssh upgrade.
>
>> Now the latest ssh works fine with ~/.ssh/config which contains
>> "PubkeyAcceptedKeyTypes +ssh-dss" because a type of my key is DSA.
>
>> I appreciate George so much.
>
> This is not the right solution. Right solution would be to change your keys.
> While DSA keys aren't inherently insecure (quite opposite), FIPS compliant
> systems enforce DSA key length to 1024 bits, which is considered to be weak
> nowadays. You CAN use longer DSA keys, but not all systems support it.
>
>
> --
> With best regards,
> Andrey Repin
> Thursday, September 3, 2015 06:46:29
>
> Sorry for my terrible english...
>



-- 
éåèä
kurokawh@gmail.com

--
Problem reports:       http://cygwin.com/problems.html
FAQ:                   http://cygwin.com/faq/
Documentation:         http://cygwin.com/docs.html
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple

References:
- Every time I run ssh, ssh prompts "password:" with latest OpenSSH package.
  - From: Hiroyuki Kurokawa
- Re: Every time I run ssh, ssh prompts "password:" with latest OpenSSH package.
  - From: Andrey Repin
- Re: Every time I run ssh, ssh prompts "password:" with latest OpenSSH package.
  - From: Hiroyuki Kurokawa
- Re: Every time I run ssh, ssh prompts "password:" with latest OpenSSH package.
  - From: Andrey Repin

Index Nav:	[Date Index] [Subject Index] [Author Index] [Thread Index]
Message Nav:	[Date Prev] [Date Next]	[Thread Prev] [Thread Next]