Technical Staff Blog

Last update on .

Common SSH Issues/Fixes

ssh.png

On August 24th, the ssh.cs.brown.edu gateway servers were upgraded to stretch and bound to the CIS OIM domain, ad.brown.edu.  The sunlab and mlab ssh client systems were also upgrade on that day and bound to ad.brown.edu.  As of version 7.0, the openssh server has disabled support for ssh-dss, ssh-dss-cert keys.  You can read more about it in the OpenSSH 7.0 release note below:

https://www.openssh.com/txt/release-7.0

If you are using a dsa ssh key, you must create a new rsa in order to use the ssh.cs.brown.edu gateway.  See the CS SSH page below:

https://cs.brown.edu/about/system/connecting/ssh/

The ssh gateways and ssh linux clients are bound to CIS OIM, ad.brown.edu, realm.  In order to ssh through the ssh gateway,  all users must use your Brown Account as of August 24th, 2017.  There are some users who have a username mismatch between the CS realm and the ad.brown.edu realm.  Those users have been contacted by tstaff through email for remediation.  

In general, there are three basic reasons why you might be having trouble SSHing to the department. Old ssh keys need to be removed from authorized_keys (DSA keys are no longer allowed). Permissions are too open, on either the server or the client side (Home, .ssh, id_rsa, authorized_keys) Connecting using the wrong account (As of 8/2017 SSH uses your Brown Account). The permissions is the most tricky, since it doesn't actually tell you there's an issue.  The client or the server just denies the connection.  You can add -vvv to the ssh command to get a better idea of what happened, though.

Here's how I set my permissions to get things working for me:

chmod 751 /home/<username>
chmod 700 .ssh
chmod 600 authorized_keys

If the permissions are right, adding a new key doesn't work and you're using your Brown account to connect to ssh.cs.brown.edu, then you can try your old CS login (if you had one that is different from your Brown Account) with the old SSH gateway.

ssh <old CS Login Name>@oldssh.cs.brown.edu

Just keep in mind that the old gateway is a temporary service that will likely be shutdown before the end of the 2017 Fall semester.