DirectSecure, Authentication Service, Mac & PC Management Service, Auditing and Monitoring Service
000007050
OpenSSH 7.0 and above have DSA keys disabled by default for security reasons. Using only RSA keys is now recommended, but if DSA keys are still needed, this article describes how to re-enable them.
Applies to: Any version of Centrify OpenSSH based on OpenSSH 7.0 and higher
How to: OpenSSH 7.0 now has DSA keys disabled by default due to security risks reported by the OpenSSH project. See the OpenSSH release notes for more information. If DSA keys are still required with the newer versions of OpenSSH, their use can be re-enabled; however, it is recommended to change to using only RSA keys as soon as possible.
Process: To re-enable DSA keys, please edit the following file:
/etc/centrifydc/ssh/sshd_config
(For stock openssh: /etc/ssh/sshd_config)
and scroll to the bottom. Please enter the following line into the bottom of the file:
PubkeyAcceptedKeyTypes=+ssh-dss
NOTE: Please make sure both the client side and the server side have the configuration above. On the client side, please add the following entry to /etc/centrifydc/ssh/ssh_config:
PubkeyAcceptedKeyTypes=+ssh-dss
You can then save and close the file, and Centrify OpenSSH should begin working normally using DSA keys again.
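Because the article recommends moving to RSA as soon as possible, the following added example (not Centrify or OpenSSH code) shows one way to track where the DSA exception is still in effect: it checks a config file for an active PubkeyAcceptedKeyTypes line that lists ssh-dss and counts the DSA keys left in an authorized_keys file. The function names are hypothetical, and the sample files and key strings are constructed placeholders.

```shell
#!/bin/sh
# Added example: audit helpers, not vendor code. Sample data is constructed.

# Succeeds if config FILE has an active PubkeyAcceptedKeyTypes line whose value
# lists ssh-dss ('+' appends to defaults; a leading '-' removes, so it is skipped).
dsa_enabled_in_config() {
    awk '{ line = tolower($0); sub(/#.*/, "", line); gsub(/=/, " ", line)
           n = split(line, f, " ")
           if (n >= 2 && f[1] == "pubkeyacceptedkeytypes" &&
               f[2] !~ /^-/ && index(f[2], "ssh-dss")) found = 1 }
         END { exit !found }' "$1"
}

# Prints the number of DSA public keys in an authorized_keys-style FILE.
# Key options may precede the key type, so every field is checked.
count_dsa_keys() {
    awk '/^[ \t]*#/ { next }
         { for (i = 1; i < NF; i++)
               if ($i == "ssh-dss" && $(i + 1) ~ /^AAAAB3NzaC1kc3M/) { n++; break } }
         END { print n + 0 }' "$1"
}

# Demo on constructed files (key material is truncated placeholder text).
demo_dir=$(mktemp -d)
printf '%s\n' 'Port 22' '#PubkeyAcceptedKeyTypes=+ssh-rsa' \
    'PubkeyAcceptedKeyTypes=+ssh-dss' > "$demo_dir/sshd_config"
printf '%s\n' '# constructed sample entries' \
    'ssh-rsa AAAAB3NzaC1yc2EAAAADAQAB-constructed alice@example' \
    'ssh-dss AAAAB3NzaC1kc3MAAACB-constructed bob@example' \
    'from="10.0.0.5" ssh-dss AAAAB3NzaC1kc3MAAACB-constructed backup@example' \
    > "$demo_dir/authorized_keys"

if dsa_enabled_in_config "$demo_dir/sshd_config"; then
    echo "sshd_config: DSA public keys re-enabled"
fi
echo "authorized_keys: $(count_dsa_keys "$demo_dir/authorized_keys") DSA key(s) to replace with RSA"
```

Run the two functions against the real sshd_config, ssh_config and each account's authorized_keys file; once the key count reaches zero everywhere, the PubkeyAcceptedKeyTypes=+ssh-dss line can be removed again.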