savannah-users
[Top][All Lists]
Advanced
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Savannah-users] SSH not working: upgraded?

From: Bob Proulx
Subject: Re: [Savannah-users] SSH not working: upgraded?
Date: Thu, 20 Jun 2019 17:14:22 -0600
User-agent: Mutt/1.10.1 (2018-07-13) 
Hello Kaz,

Kaz Kylheku wrote:
> SSH access to update web pages suddenly stopped working.

Oh no!  And just when I thought everything was going so well too.
Thank you very much for reporting that you are seeing problems.

The CVS server for web pages has been upgraded as of yesterday.  Just
by way of being able to talk about it the system name is vcs1.  I have
been testing access and this works for me.  I also had reports from
other users soon after the upgrade and they reported it was working
okay for them too.  So things are not completely dead. :-)

Can you give some more details about what is not working?  Run ssh
with the -v option.  If you get the diagnostic shown here:

  ssh cvs.savannah.gnu.org
  ...
  You tried to execute: 
  Sorry, you are not allowed to execute that command.

That means it is working for you.  Security restricts what commands
can be run and login attempts will be denied.  But the attempt is a
good way to debug.  If the above is seen then things are working.

If not then run with the -v option to show more details about the
connection.

  ssh -v cvs.savannah.gnu.org

Save that text off and mail it to savannah-hackers-private AT gnu.org
where we will be able to diagnose the problem.  I suggest the
"private" list since there may be both security and perhaps privacy
implications.

> Has SSH been upgraded on Savannah, and doesn't want to accept DSA2 or RSA
> keys any more?

Keys have always been required to be RSA keys.  DSA keys may have
worked at one time but have always been cautioned against using.

> I tried registering an ECDSA key just now,

Until recently the Savannah systems were too old to support ECDSA but
I am very happy to say that with the upgrades that are happening I
think they might be okay to use now.  *HOWEVER* I haven't had any
testing for ECDSA in the test matrix.  So I don't know.  I'll give
that a run through and see if that will be a supportable option now.
Definitely if you clear your host key and ssh receives it again the
ssh client default now is to store the ECDSA host key instead of the
RSA host key.

Note that there are now three systems that use ssh keys and they are
not all at the same ssh version level.  All are under security support
however.  But due to life and time keeping everything from happening
all at once.

> but it seems I'm banned from connecting now.

If someone fails ssh more than six times in one minute then they are
banned for ten minutes.  That prevents a lot of log noise and cpu
usage from abuse from the Internet.  Wait ten minutes and the ban will
be reset and you will be able to log in again.

Bob
reply via email to
[Prev in Thread] Current Thread [Next in Thread]