Ssh – How to use DSA key pairs instead of RSA

dsarsassh

For testing purposes, I would like to enable DSA authentication on my server (let's name it A).
If I remove all the key pairs located under /etc/ssh, both RSA and DSA key pairs are generated on sshd restart.

The consequence is that, if I try to open a SSH connection from a server B to this server A, the following message is displayed :

The authenticity of host '...' can't be established.
RSA key fingerprint is ...
Are you sure you want to continue connecting (yes/no)?

Do you know a way to disable the RSA authentication so that my server B uses the DSA to authentify on server A ?

Best Answer

If I remove all the key pairs located under /etc/ssh, both RSA and DSA key pairs are generated on sshd restart.

If you are using CentOS/RHEL/Fedora, we generate missing keys automatically, based on the content of file /etc/sysconfig/sshd, where you should define, if you don't want to generate some of the keys.

Do you know a way to disable the RSA authentication so that my server B uses the DSA to authentify on server A ?

If you want your server to use only DSA keys, you should change your /etc/ssh/sshd_config and add HostKey /etc/ssh/ssh_host_dsa_key (and remove the lines specifying the other keys if you have such).

Related Solutions

Ssh – How to remove strict RSA key checking in SSH and what’s the problem here

Please don't delete the entire known_hosts file as recommended by some people, this totally voids the point of the warning. It's a security feature to warn you that a man in the middle attack may have happened.

I suggest you identify why it thinks something has changed, most likely an SSH upgrade altered the encryption keys due to a possible security hole. You can then purge that specific line from your known_hosts file:

sed -i 377d ~/.ssh/known_hosts

This deletes line 377 as shown after the colon in the warning:

/home/emerson/.ssh/known_hosts:377

Alternatively you can remove the relevant key by doing the following

ssh-keygen -R 127.0.0.1 (obviously replace with the server's IP)

Please DO NOT purge the entire file and ensure this is actually the machine you want to be connecting to prior to purging the specific key.

Windows – How to tell Git for Windows where to find the private RSA key

For Git Bash

If you are running msysgit (I am assuming you are) and are looking to run Git Bash (I recommend it over TortoiseGit, but I lean to the CLI more than GUI now), you need to figure out what your home directory is for Git Bash by starting it then type pwd (On Windows 7, it will be something like C:\Users\phsr I think). While you're in Git Bash, you should mkdir .ssh.

After you have the home directory, and a .ssh folder under that, you want to open PuTTYgen and open the key (.ppk file) you have previously created. Once your key is open, you want to select Conversions -> Export OpenSSH key and save it to HOME\.ssh\id_rsa. After you have the key at that location, Git Bash will recognize the key and use it.

Note: Comments indicate that this doesn't work in all cases. You may need to copy the OpenSSH key to Program Files\Git\.ssh\id_rsa (or Program Files (x86)\Git\.ssh\id_rsa).

For TortoiseGit

When using TortoiseGit, you need to set the SSH key via pacey's directions. You need to do that for every repository you are using TortoiseGit with.