KB-7050: How to Re-enable DSA keys when using OpenSSH 7.0 and above

Tips for finding Knowledge Articles

- Enter just a few key words related to your question or problem
- Add Key words to refine your search as necessary
- Do not use punctuation
- Search is not case sensitive
- Avoid non-descriptive filler words like "how", "the", "what", etc.
- If you do not find what you are looking for the first time,reduce the number of key words you enter and try searching again.
- Minimum supported Internet Explorer version is IE9

No related Articles

Home >

KB-7050: How to Re-enable DSA keys when using OpenSSH 7.0 and above

Product:

Centrify DirectAudit , Centrify DirectControl , Centrify DirectSecure , Centrify Identity Service, Mac Edition ,

Published:

29 March,18 at 01:21 PM

Rating:

Applies to: Any version of Centrify OpenSSH based on openssh 7.0 and higher

How to:
OpenSSH 7.0 now has DSA keys disabled by default due to security risks as reported by openssh. Release notes on this can be found here for more information. If DSA keys are still required when using the newer versions of openssh, there is a way to re-enable their use, however, It is recommended to change to using only RSA keys as soon as possible.

Process:
To re-enable DSA keys, please edit the following file:

/etc/centrifydc/ssh/sshd_config

and scroll to the bottom. Please enter the following line into the bottom of the file:

PubkeyAcceptedKeyTypes=+ssh-dss

NOTE: Please make sure both client side and server side has the configuration above. While on client side, please add the following entry into /etc/centrifydc/ssh/ssh_config:

PubkeyAcceptedKeyTypes=+ssh-dss

You can then save and close the file and Centrify openssh should begin working normally using DSA keys again.