For testing purposes, I would like to enable DSA authentication on my server (let's name it A). If I remove all the key pairs located under /etc/ssh, both RSA and DSA key pairs are generated on sshd restart.

The consequence is that, if I try to open an SSH connection from a server B to this server A, the following message is displayed:

```
The authenticity of host '...' can't be established.
RSA key fingerprint is ...
Are you sure you want to continue connecting (yes/no)?
```

Do you know a way to disable RSA authentication so that my server B uses DSA to authenticate on server A?

dounyy
  • What versions of ssh client and ssh server are you using? – Alex Holst Nov 04 '15 at 11:33
  • @AlexHolst Both servers use `OpenSSH_5.3p1, OpenSSL 1.0.0-fips 29 Mar 2010` with protocol SSH 2. – dounyy Nov 04 '15 at 13:35
  • Are you quite sure you want to use DSA? The rest of the world has largely abandoned it, and for good reasons. – Michael Hampton Nov 04 '15 at 17:39
  • @MichaelHampton I know. As I said, this is for testing purposes. I manage a Java application which connects interactively to remote network equipments. Most of those use RSA, but unfortunately we have figured out that a few of them still use DSA. Thus, for having my application be compatible with those equipments, I have to use DSA on one of my test equipments so that I can test my modifications. – dounyy Nov 05 '15 at 10:55

1 Answer

> If I remove all the key pairs located under /etc/ssh, both RSA and DSA key pairs are generated on sshd restart.

If you are using CentOS/RHEL/Fedora, we generate missing keys automatically, based on the content of the file `/etc/sysconfig/sshd`, where you should define it if you don't want some of the keys to be generated.

> Do you know a way to disable RSA authentication so that my server B uses DSA to authenticate on server A?

If you want your server to use only DSA keys, you should change your `/etc/ssh/sshd_config` and add `HostKey /etc/ssh/ssh_host_dsa_key` (and remove the lines specifying the other keys if you have such).

Jakuje
  • Perfect. I used `ssh-keygen -t dsa -f /etc/ssh/ssh_host_dsa_key` to generate the DSA key manually and now it works as expected. Thank you. – dounyy Nov 04 '15 at 14:22
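
A way to check the result of the change discussed above, as an added example that is not part of the original thread: it reads an `sshd_config`, reports whether the active `HostKey` lines leave sshd on its defaults or restrict it to the DSA key, and lists configured key files that still have to be generated. The function names, the sample configs and the `ROOT` prefix are constructed for illustration, and the key type is inferred from the conventional `ssh_host_<type>_key` file name (an assumption).

```shell
#!/bin/sh
# Added example: audit the HostKey lines of an sshd_config.

# Print the path of every active (uncommented) HostKey directive.
# sshd_config keywords are case-insensitive.
active_hostkeys() {
    awk '!/^[ \t]*#/ && NF >= 2 && tolower($1) == "hostkey" { print $2 }' "$1"
}

# Classify the config: "defaults" (no HostKey line, so sshd falls back to
# its built-in list), "dsa-only", or "other".
# Assumption: the type is inferred from the file name, not read from the key.
hostkey_policy() {
    active_hostkeys "$1" | awk '
        { n++; if ($0 ~ /ssh_host_dsa_key$/) dsa++ }
        END {
            if (n == 0)        print "defaults"
            else if (dsa == n) print "dsa-only"
            else               print "other"
        }'
}

# Print configured host keys whose file does not exist under ROOT.
# ROOT is a hypothetical prefix so the check can run against a copy of /etc.
missing_hostkeys() {
    active_hostkeys "$1" | while read -r key; do
        [ -f "$2$key" ] || echo "$key"
    done
}

# Constructed sample configs: stock layout vs. the change from the answer.
tmp=$(mktemp -d)
printf '%s\n' '#HostKey /etc/ssh/ssh_host_rsa_key' \
              '#HostKey /etc/ssh/ssh_host_dsa_key' \
              'Protocol 2' > "$tmp/before.conf"
printf '%s\n' 'Protocol 2' \
              'hostkey /etc/ssh/ssh_host_dsa_key' > "$tmp/after.conf"

echo "before: $(hostkey_policy "$tmp/before.conf")"
echo "after:  $(hostkey_policy "$tmp/after.conf")"
echo "keys still to generate: $(missing_hostkeys "$tmp/after.conf" "$tmp")"
```

On a real host, pass `/etc/ssh/sshd_config` and an empty `ROOT`; a path printed by `missing_hostkeys` is one that needs a key generated, as the `ssh-keygen` comment above describes.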