# Urgent: no ssh possible since net-misc/openssh-7.1_p1-r2

## UncleVan

Hello everybody ,

After recent update 

```
net-misc/openssh-6.9_p1-r2 ->  net-misc/openssh-7.1_p1-r2
```

I cannot log in with ssh anymore (I'm using two identical machines, Thinkpad Edge 11). In /var/log/messages there is the following:

```
Jul 15 22:44:11 thinkkiste sshd[31065]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.0.50  user=root

Jul 15 22:44:14 thinkkiste sshd[31061]: error: PAM: Authentication failure for root from 192.168.0.50
```

After some research I'm pretty sure there is something with the key pairs ssh uses, but I'm completely ignorant of how to solve this.

For now I reverted to 6.9 again and it works OK, but I would highly appreciate any suggestion/help/info to solve this issue ASAP.

Thanks in advance!

----------

## NeddySeagoon

UncleVan,

net-misc/openssh-7.x deprecates one sort of key as it's no longer considered secure.

You can enable it if you want, but it will go away one day.

See the news item 2015-08-13 "OpenSSH 7.0 disables ssh-dss keys by default".

Password logins for root are also disabled by default.

```
#PermitRootLogin prohibit-password
```

Allowing root password logins via ssh has always been insecure.

Set up sudo. Log in as a normal user and use

```
sudo su -
```

to become root.

----------

## UncleVan

Thank you for the quick response!

So far it's fine but: How am I supposed to set up "new" keys for use?

It is a local segment only, separate from the internet, so login as root would not be an issue... BTW that was literally the same statement forcing me to not use telnet anymore :Wink:

Last edited by UncleVan on Fri Nov 06, 2015 11:58 pm; edited 1 time in total

----------

## Tony0945

Had the same problem with root login. I did NOT change the conf file. Kept rejecting the password. I could log in as "guest" and su with the password, but not log in directly. I only ssh for admin work like emerges and kernel builds, so that's a PITA.

I wound up blocking 7.0 and above like you.

Last edited by Tony0945 on Sat Nov 07, 2015 1:26 am; edited 1 time in total

----------

## Ant P.

New keys:

```
ssh-keygen -t ed25519

ssh-copy-id -i ~/.ssh/id_ed25519.pub user@$remote
```

If you've restarted sshd on the remote side recently, it'll already have an ed25519 server key.
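Before generating new keys it helps to know which of the existing ones OpenSSH 7.x will stop accepting. The following is an added example, not code from the thread or from the OpenSSH project: a POSIX shell check that lists the key types in an authorized_keys file, counts the ssh-dss entries (the type disabled by default in 7.0), and reports whether the server side already has the ed25519 host key Ant P. mentions. It assumes only sh and awk; the authorized_keys content is a constructed sample with truncated placeholder blobs.

```shell
#!/bin/sh
# Added example, not code from the thread. Assumes POSIX sh and awk only;
# the authorized_keys sample below is constructed with truncated placeholder
# blobs, not real keys.

# Print "<keytype> <comment>" for every key in an authorized_keys file.
# Blank lines and comments are skipped; an options prefix such as
# from="192.168.0.50" or command="..." is stepped over by looking for the
# first field that names a key type (assumes the options contain no spaces).
key_types_in() {
    awk '
        /^[[:space:]]*#/ { next }
        /^[[:space:]]*$/ { next }
        {
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^(ssh-|ecdsa-sha2-|sk-)/) {
                    c = (i + 2 <= NF) ? $(i + 2) : "(no comment)"
                    print $i, c
                    break
                }
            }
        }
    ' "$1"
}

# Count keys of type ssh-dss: the type OpenSSH 7.0 stops accepting by default,
# so each one is a client that will get "Permission denied" after the update
# until it is replaced (ssh-keygen -t ed25519 as suggested above).
count_dss_keys() {
    key_types_in "$1" | awk '$1 == "ssh-dss" { n++ } END { print n + 0 }'
}

# "yes" if the given sshd host-key directory already holds an ed25519 host key
# (Gentoo's init script generates missing host keys when sshd starts), else "no".
has_ed25519_hostkey() {
    if [ -f "$1/ssh_host_ed25519_key" ]; then echo yes; else echo no; fi
}

# Constructed sample input.
tmp=$(mktemp -d)
cat > "$tmp/authorized_keys" <<'EOF'
# constructed sample authorized_keys
ssh-dss AAAAB3NzaC1kc3M...CONSTRUCTED old-laptop
from="192.168.0.50" ssh-rsa AAAAB3NzaC1yc2E...CONSTRUCTED backup-script
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5...CONSTRUCTED new-laptop
EOF

key_types_in "$tmp/authorized_keys"
echo "ssh-dss keys that OpenSSH 7.x rejects by default: $(count_dss_keys "$tmp/authorized_keys")"
echo "ed25519 host key present in $tmp: $(has_ed25519_hostkey "$tmp")"
```

Run it against `~/.ssh/authorized_keys` on each server and `/etc/ssh` for the host-key check; a non-zero ssh-dss count tells you which clients need the ed25519 key rolled out with ssh-copy-id before the old key stops working.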

----------

## UncleVan

Thank you guys,

I'll try to set up ssh 7 for root logins and report the results.

----------

## Moriah

Forcing this on people who have a bunch of machines to administer without even a "news readme" notice at the time the force is made is presumptuous to the point of arrogance! :Evil or Very Mad:

I started a bunch of weekly updates last night and went to bed while they ran. I woke up this morning to chaos! I have many automation scripts that log in from one machine to another to perform various operations, not the least of which is nightly backups. Everything is broken! I kept all the old sshd config files, so why did everything change? Because some nanny of a developer decided that they knew better than I what was good for my network! :Evil or Very Mad:

Only 2 of these machines are internet facing, yet all of them have been affected by this Gentoo induced denial of service attack! :Evil or Very Mad: :Evil or Very Mad: :Evil or Very Mad: :Evil or Very Mad: :Evil or Very Mad: :Evil or Very Mad: :Evil or Very Mad:

I was going to clean the fallen leaves out of the yard today, but now I have a broken network to fix instead.

(Maybe that's a good thing?)    :Shocked: 

----------

## UncleVan

OK, pretty trivial (shame on me .....): Just add/change in /etc/ssh/sshd_config

```
...
# Authentication:
...
PermitRootLogin yes
...
```

and everything is working again.

No need to generate new keys, because I type the password from the keyboard - in a local wired segment it is not an issue.
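NeddySeagoon's point about the `#PermitRootLogin prohibit-password` line and the fix in this post come down to one rule: a commented line in sshd_config sets nothing, it only documents the compiled-in default, and that default changed from `yes` to `prohibit-password` in OpenSSH 7.0. As an added example that is not part of the thread or of OpenSSH, here is a POSIX shell check that reports the PermitRootLogin value sshd will actually use for a given config file and whether it comes from the file or from the default. It assumes only sh and awk; the three sshd_config fragments are constructed samples.

```shell
#!/bin/sh
# Added example, not code from the thread. Assumes POSIX sh and awk; the
# sshd_config fragments below are constructed samples.

# Print the PermitRootLogin value sshd will use for an unconditional
# connection. sshd honours the FIRST uncommented occurrence of a keyword, so
# a second "PermitRootLogin yes" further down changes nothing; keywords after
# a "Match" line apply only to matching connections and are not considered.
# A commented "#PermitRootLogin ..." line sets nothing: it shows the
# compiled-in default, which became prohibit-password in OpenSSH 7.0.
effective_permit_root_login() {
    awk '
        /^[[:space:]]*#/ { next }
        /^[[:space:]]*$/ { next }
        tolower($1) == "match" { exit }
        tolower($1) == "permitrootlogin" { print $2; found = 1; exit }
        END { if (!found) print "prohibit-password" }
    ' "$1"
}

# "explicit" if the file sets PermitRootLogin before any Match block,
# "default" if sshd's compiled-in value applies (the case that broke root
# password logins in this thread after the 6.9 -> 7.1 update).
permit_root_login_origin() {
    n=$(awk '
        /^[[:space:]]*#/ { next }
        tolower($1) == "match" { exit }
        tolower($1) == "permitrootlogin" { n = 1; exit }
        END { print n + 0 }
    ' "$1")
    if [ "$n" = 1 ]; then echo explicit; else echo default; fi
}

tmp=$(mktemp -d)
# Constructed: the shipped file with the keyword left commented.
cat > "$tmp/stock" <<'EOF'
# Authentication:
#PermitRootLogin prohibit-password
PasswordAuthentication yes
EOF
# Constructed: the fix from this post, keyword uncommented and set to yes.
cat > "$tmp/fixed" <<'EOF'
# Authentication:
PermitRootLogin yes
EOF
# Constructed: key-only root login as NeddySeagoon suggests; the Match block
# is conditional, so it does not change the unconditional value reported.
cat > "$tmp/keyonly" <<'EOF'
PermitRootLogin prohibit-password
Match Address 192.168.0.0/24
    PermitRootLogin yes
EOF

for f in stock fixed keyonly; do
    printf '%-8s %s (%s)\n' "$f:" \
        "$(effective_permit_root_login "$tmp/$f")" \
        "$(permit_root_login_origin "$tmp/$f")"
done
```

Point it at `/etc/ssh/sshd_config` on each machine after an upgrade: "prohibit-password (default)" means password logins as root fail while key-based root logins still work, which is exactly the symptom the first post's PAM log lines show.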

----------

## krinn

 *Moriah wrote:*   

> Forcing this on people who have a bunch of machines to administer without even a "news readme" notice at the time the force is made is presumptuous to the point of arrogance!

 

https://www.gentoo.org/support/news-items/2015-08-13-openssh-weak-keys.html

 *Moriah wrote:*   

> affected by this gentoo induced denial of service attack!

 

 *the famous non existing news wrote:*   

> Be aware though that eventually OpenSSH will drop support for DSA keys
> 
> entirely, so this is only a stop gap solution.
> 
> More details can be found on OpenSSH's website:
> ...

 

Meaning, it's a step from OpenSSH.

so:

For missing news: 0 points

For missing target: 0 points

Rant score is 0, sorry Moriah, better luck next time  :Smile: 

----------

## Moriah

Please note the phrase "at the time the force".

I did not say there was not a news item on it; I said there ought to be a "re-reminder" at the time it was actually happening.

----------

## ct85711

that's the thing, there was a reminder...  we can't force you to read it

----------

## Moriah

That was my complaint: the reminder was 2 months before the occurrence. I read it, but after 2 months, it would have been nice to announce that it was going into effect today.

----------

## Moriah

Anyway, I am taking advantage of this inconvenient event to clear out all my stuff in my .ssh/ directories and regenerate it to the new standards. One thing I *will* keep is root login via password. I have some utility machines that have no other user besides root. I am the only administrator. I only administrate these machines because there is no one else to do it, and I need them to do my income producing work. As I said, there are only 2 of them that are internet facing; the rest are on a well protected ethernet segment behind multiple NATting firewalls. From time to time, they all need to be administered remotely, possibly from machines that have never logged into those machines before. Therefore, I need to allow root login via password on ssh.

Also, I am *not* clearing the fallen leaves out of the yard today! :Very Happy: :Wink:

----------

## NeddySeagoon

Moriah,

 *Quote:*   

> Therefore, I need to allow root login via password on ssh.

 

That's one solution.  There are others, such as key based log in as root.

You could even create a normal user that you subsequently use to gain root.

----------

## Moriah

Neddy:

I also have to run a lot of scripts that log in as root. Finding and changing them all would be a major pain that I just do not have time for right now.

----------

## The LT

 *Moriah wrote:*   

> Forcing this on people who have a bunch of machines to administer without even a "news readme" notice at the time the force is made is presumptuous to the point of arrogance!

 

Not reading upstream changelogs before updating critical system packages is outright ignorant. Before you accuse the maintainers, make sure you even follow the established best practices and guidelines.

 *Quote:*   

> I started a bunch of weekly updates last night and went to bed while they ran. I woke up this morning to chaos! I have many automation scripts that log in from one machine to another to perform various operations, not the least of which is nightly backups. Everything is broken! I kept all the old sshd config files, so why did everything change? Because some nanny of a developer decided that they knew better than I what was good for my network!

 

No, because an ignorant user like you who thinks they know better never noticed that sshd_config is COMMENTED by default and the devs changed the defaults. Should you have bothered to CONFIGURE sshd, you wouldn't run into this.

 *Quote:*   

> Only 2 of these machines is internet facing, yet all of them have been affected by this gentoo induced denial of service attack!

 

This is irrelevant to the problem. The developers don't tailor the package for you and your two "internet-facing" machines.

 *Quote:*   

> I was going to clean the fallen leaves out of the yard today, but know I have a broken network to fix instead.

 

I would start with fixing your practices and update habits.

 *Quote:*   

> (Maybe that's a good thing?)

 

Definitely. At least you'll learn to read through the configuration files more carefully and not log in as root. And also, it might prompt you to ditch dsa if you ever used it.

----------

## ct85711

iirc, the login with root has been defaulted to commented out for several years to begin with, so that change isn't anything new. Now if upstream is starting to phase out that option altogether, I couldn't say. I can see arguments for both sides, and I admit I used the login with root before. Though that is only when I am setting up a new machine; once the machine is up, I leave it turned off and just log in with a regular user, then su into root.

----------

## Tony0945

 *ct85711 wrote:*   

> Though that is only when I am setting up a new machine, once the machine is up, I leave it turned off and just login with a regular user, then su into root.

 

An extra, unnecessary step.

----------

## UberLord

 *Moriah wrote:*   

> Neddy:
> 
> I also have to run a lot of scripts that login as root.  Finding and changing them all would be a major pain tht I just do not have time for right now.

 

So go with the root key login approach.

I do this on the OpenWRT boxes I own on my local network.

----------

## Moriah

Neddy helped me solve this problem through a series of private messages. Thanks, Neddy!

----------

