SSH DSA keys no longer work for password-less authentication

After upgrading to Fedora 23, passwordless (public-key-based) authentication no longer works in SSH: when trying to SSH to some host, it prompts for my password at the remote host. I can't get it to use my SSH private key. Everything worked fine with Fedora 22.

My public key is a DSA key (~/.ssh/id_dsa.pub). I'm using OpenSSH 7.1 (openssh-7.1p1-5.fc23.x86_64).

How do I get password-less authentication to work correctly again?


Solution 1:

This is a result of upgrading to OpenSSH 7.0. As the release notes for OpenSSH 7.0 say, "Support for ssh-dss host and user keys is disabled by default at run-time".

The solution is to add the following line to ~/.ssh/config on every client machine (every machine where you run the SSH client):

PubkeyAcceptedKeyTypes=+ssh-dss

If the server is using OpenSSH 7.0 or newer, you'll also need to add this line to /etc/ssh/sshd_config on each server machine.

Alternatively, you can generate an entirely new SSH key and add it to your authorized_keys file on every server you ever want to log into. I recommend you use RSA, to avoid compatibility woes. I don't recommend ECDSA, as apparently gnome-keyring-daemon doesn't automatically pick up SSH keys of type ECDSA.


Editorial remark: Why did the OpenSSH folks disable DSA keys? I don't know. As far as I'm able to ascertain, there's nothing wrong with the security of DSA keys (ssh-dss). The OpenSSH web page claims that ssh-dss is weak, but as far as I'm aware, 1024-bit ssh-dss is no weaker than 1024-bit RSA, and 1024-bit RSA keys are not disabled.
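Before re-enabling ssh-dss or rolling out new keys, it helps to know which authorized_keys entries are DSA. The script below is an added example, not part of the original answer. The function names `find_dss_keys` and `write_sample` are hypothetical, and the sample entries are constructed with shortened key blobs. It lists each ssh-dss entry as file:line:comment, including entries that carry an options prefix.

```shell
#!/bin/sh
# Every ssh-dss public key blob begins with the base64 encoding of the
# length-prefixed string "ssh-dss", so the type token can be cross-checked.
DSS_BLOB_PREFIX='AAAAB3NzaC1kc3M'

# find_dss_keys FILE... : print "file:line:comment" for each DSA entry.
find_dss_keys() {
    for f in "$@"; do
        [ -r "$f" ] || continue
        awk -v file="$f" -v pfx="$DSS_BLOB_PREFIX" '
            /^[ \t]*(#|$)/ { next }   # skip comments and blank lines
            {
                # An options field (from="...",command="...") may precede
                # the key type, so check every adjacent pair of fields.
                for (i = 1; i < NF; i++) {
                    if ($i == "ssh-dss" && index($(i + 1), pfx) == 1) {
                        comment = (i + 2 <= NF) ? $(i + 2) : "(no comment)"
                        printf "%s:%d:%s\n", file, NR, comment
                        next
                    }
                }
            }' "$f"
    done
}

# write_sample PATH : constructed authorized_keys content (blobs shortened,
# not usable keys) covering RSA, plain DSA, DSA with options, and Ed25519.
write_sample() {
    cat > "$1" <<'EOF'
# constructed sample
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAB alice@laptop
ssh-dss AAAAB3NzaC1kc3MAAACBAJ bob@oldbox
from="10.0.0.0/8",command="/usr/bin/rsync --server" ssh-dss AAAAB3NzaC1kc3MAAACBAK backup@nas
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAI carol@desk
EOF
}

sample=$(mktemp)
write_sample "$sample"
find_dss_keys "$sample"
rm -f "$sample"
```

On a real host, pass the files to check, for example `find_dss_keys ~/.ssh/authorized_keys ~/.ssh/*.pub`.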