How To: Enable deprecated use of DSA keys

Info:

When having Venafi connect older Linux systems we may see an error indicating connection failures:

Failed to conect to the host

This issue may be caused by the target system running SSHD with ssh-dss (DSA) host keys, which the SSH library no longer accepts by default. The Device logs in Venafi would show something similar to this:

The SSH library failed to connect to ********* on port 22, with the Connection Result 9: Failed to negotiate a transport component [ecdsa-sha2-nistp384] [ssh-dss].
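Before enabling the deprecated algorithm, it is worth knowing how many devices actually need it. The following PowerShell is an added example, not part of the original article or a Venafi tool: it scans Device log lines for the negotiation failure shown above and lists the hosts whose failure names ssh-dss, so they can be tracked for key migration. The log lines and host names are constructed samples, and reading the second bracketed algorithm as the remote side's key type follows the article's explanation of the error.

```powershell
# Added example: inventory hosts that fail with [ssh-dss] in Venafi Device logs.
# Constructed sample log lines (host names are placeholders, not real systems).
$SampleLog = @(
    'The SSH library failed to connect to host-a.example.internal on port 22, with the Connection Result 9: Failed to negotiate a transport component [ecdsa-sha2-nistp384] [ssh-dss].',
    'The SSH library failed to connect to host-b.example.internal on port 2222, with the Connection Result 9: Failed to negotiate a transport component [ecdsa-sha2-nistp384] [ssh-rsa].',
    'The SSH library failed to connect to host-c.example.internal on port 22, with the Connection Result 9: Failed to negotiate a transport component [ecdsa-sha2-nistp384] [ssh-dss].',
    'Connected to host-d.example.internal on port 22.'
)

function Find-SshDssHosts {
    param([Parameter(Mandatory)][string[]]$Lines)

    # Capture host, port and the two bracketed algorithms from the failure text.
    $pattern = 'failed to connect to (?<host>\S+) on port (?<port>\d+).*?' +
               'Failed to negotiate a transport component (?<local>\[[^\]]+\]) (?<remote>\[[^\]]+\])'

    foreach ($line in $Lines) {
        $m = [regex]::Match($line, $pattern, 'IgnoreCase')
        if (-not $m.Success) { continue }          # not a negotiation failure

        # Only report failures where the remote side's algorithm is ssh-dss;
        # other failures (e.g. ssh-rsa) need a different fix and are skipped.
        if ($m.Groups['remote'].Value -ne '[ssh-dss]') { continue }

        [pscustomobject]@{
            Host      = $m.Groups['host'].Value
            Port      = [int]$m.Groups['port'].Value
            LocalAlg  = $m.Groups['local'].Value.Trim('[', ']')
            RemoteAlg = 'ssh-dss'
        }
    }
}

# With the constructed sample, this lists host-a and host-c only.
Find-SshDssHosts -Lines $SampleLog | Format-Table -AutoSize
```

To run it against a real export, replace `$SampleLog` with `Get-Content <path-to-exported-device-log>`; the resulting list is the set of systems to prioritise for replacing DSA host keys, so that the workaround below can be removed again afterwards.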

While not recommended, the use of DSA keys during provisioning can be enabled with the setting below.

More Info:

To enable ssh-dss, create a string (REG_SZ) value named "EnableSSHDSS" with the data "1" under the "HKLM\Software\Venafi\Platform" registry key:

This would need to be added on all Venafi servers initializing the SSH connection, and it will require a restart of the Venafi Trust Protection Platform service to take effect.

The answer at https://security.stackexchange.com/questions/112802/why-openssh-deprecated-dsa-keys/112818 provides a good background on why DSA is deprecated.
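The registry change and service restart above, as an added PowerShell example that is not Venafi's own script. The registry path and value name are taken from the article; locating the service by a display name containing "Venafi Trust Protection Platform" is an assumption about the host, as is the use of an elevated session. A matching function to remove the value again is included so the workaround can be reverted once the affected systems have newer host keys.

```powershell
# Added example: enable (or revert) the EnableSSHDSS workaround on a Venafi server.
# Run in an elevated PowerShell session on each server that initiates SSH connections.
$RegPath   = 'HKLM:\Software\Venafi\Platform'   # from the article
$ValueName = 'EnableSSHDSS'                      # from the article

function Get-SshDssState {
    # Returns the current value ('1' = enabled) or $null when the value is absent.
    $item = Get-ItemProperty -Path $RegPath -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$ValueName
}

function Enable-SshDss {
    if (-not (Test-Path $RegPath)) {
        New-Item -Path $RegPath -Force | Out-Null
    }
    # String (REG_SZ) value with data "1", exactly as the article specifies.
    New-ItemProperty -Path $RegPath -Name $ValueName -Value '1' `
        -PropertyType String -Force | Out-Null
}

function Disable-SshDss {
    # Remove the value once the target systems no longer rely on ssh-dss.
    Remove-ItemProperty -Path $RegPath -Name $ValueName -ErrorAction SilentlyContinue
}

function Restart-VenafiPlatformService {
    # Assumption: the service's display name contains "Venafi Trust Protection Platform".
    $svc = Get-Service | Where-Object { $_.DisplayName -like '*Venafi Trust Protection Platform*' }
    if (-not $svc) { throw 'Venafi Trust Protection Platform service not found on this host.' }
    $svc | Restart-Service -Force
}

# Usage: enable only if not already set, then restart so the change takes effect.
$before = Get-SshDssState
Write-Host "EnableSSHDSS before: $before"
if ($before -ne '1') {
    Enable-SshDss
    Restart-VenafiPlatformService
}
Write-Host "EnableSSHDSS after:  $(Get-SshDssState)"

# To revert later: Disable-SshDss; Restart-VenafiPlatformService
```

Because the setting lowers the SSH library's algorithm floor for every connection that server initiates, not only for the devices that need it, keep the list of ssh-dss hosts small and remove the value as soon as they have been re-keyed.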

Please consider switching the affected servers to newer, secure key algorithms (for example ECDSA or Ed25519 host keys) and removing this setting once they no longer require ssh-dss.
