In the old FreeBSD.org cluster, we had an NFS-shared /etc/ssh-keys/$you file that you could read and write. The NFS share is gone and the keys are now stored in our LDAP server instead.
How does one update them?
- ssh keymaster.freebsd.org and follow the instructions
  - This allows you to do most simple updates yourself.
  - Complex cases (e.g. custom from= restrictions) will not work; see the alternatives below.
  - Wait 10 minutes for updates to propagate from LDAP to sshd.
- Use ssh keycheck.freebsd.org to confirm that you are not depending on legacy protocols or legacy keys.
- Send an email message to accounts@ that:
  - is signed with the private key corresponding to the public key in the Handbook;
  - has your new key(s) attached;
  - clearly states your intent (e.g., whether this is a complete key replacement, a partial one, or an addition);
  - contains a hash (sha256 or md5) of each key that you intended to send.
- Fallback: Put your new keys in a file (e.g. ~/new-ssh-keys) on freefall, then send a message to accounts@ (as above, but without the attached key(s)).
- In desperation: Do the same sort of routine that new committers do: identify a committer who is willing to send the keys, and who is willing to vouch that the keys do actually correspond to you.
- Please be clear: if you want an additional key added, rather than deleting your old ones, be sure to say so.
ssh-dss key support is disabled by default in newer OpenSSH (and FreeBSD), in both the client and the server.
- To log in with a modern client you will need to enable DSA keys before it will even try.
- This holds even if you specify a DSA key with -i explicitly; the client simply will not offer it.
To enable ssh-dss/DSA user keys on the client: ssh -oPubkeyAcceptedKeyTypes=+ssh-dss user@host (the option is named PubkeyAcceptedAlgorithms on OpenSSH 8.5 and newer). HostKeyAlgorithms=+ssh-dss is a separate setting that only matters when the server's own host key is DSA.
Use ssh -v to debug your connection attempts before calling for help.
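The accounts@ message above needs a sha256 or md5 hash of each key you send, and the ssh-dss note explains why a legacy key type will silently fail. The following added example (not part of the wiki page or the cluster tooling) computes both fingerprints from an authorized_keys-style line, in the same SHA256:/MD5: format that ssh-keygen -l prints, and flags ssh-dss keys before you mail them; the two sample key lines are constructed with dummy payloads, not real key material.

```python
import base64
import hashlib
import struct

# Key types that newer OpenSSH disables by default (see the ssh-dss note above).
LEGACY_TYPES = {"ssh-dss"}

def ssh_string(data: bytes) -> bytes:
    """Encode bytes as an SSH 'string': 4-byte big-endian length + payload."""
    return struct.pack(">I", len(data)) + data

def make_key_line(ktype: str, payload: bytes, comment: str) -> str:
    """Assemble an authorized_keys-style line from a key type and its payload."""
    blob = ssh_string(ktype.encode()) + payload
    return f"{ktype} {base64.b64encode(blob).decode()} {comment}"

def parse_pubkey_line(line: str):
    """Split a public key line into (type, blob, comment), checking consistency."""
    parts = line.strip().split(None, 2)
    if len(parts) < 2:
        raise ValueError("not an OpenSSH public key line")
    ktype, blob = parts[0], base64.b64decode(parts[1], validate=True)
    comment = parts[2] if len(parts) == 3 else ""
    # The blob repeats the key type as its first string; a mismatch means a mangled key.
    (n,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + n].decode("ascii", "replace") != ktype:
        raise ValueError(f"declared type {ktype!r} does not match the key blob")
    return ktype, blob, comment

def fingerprint(blob: bytes, algo: str = "sha256") -> str:
    """Fingerprint in the format ssh-keygen -l prints (SHA256:... or MD5:aa:bb:...)."""
    if algo == "sha256":
        digest = hashlib.sha256(blob).digest()
        return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")
    hexdigest = hashlib.md5(blob).hexdigest()
    return "MD5:" + ":".join(hexdigest[i:i + 2] for i in range(0, 32, 2))

def describe(line: str) -> dict:
    """Summarise one key: type, both hashes accounts@ accepts, and a legacy flag."""
    ktype, blob, comment = parse_pubkey_line(line)
    return {"type": ktype, "comment": comment, "legacy": ktype in LEGACY_TYPES,
            "sha256": fingerprint(blob), "md5": fingerprint(blob, "md5")}

# Constructed sample keys (dummy payloads, not real key material).
ED25519_LINE = make_key_line("ssh-ed25519", ssh_string(b"\x11" * 32), "you@example.org")
DSS_LINE = make_key_line("ssh-dss", ssh_string(b"\x01" * 64) * 4, "you-old@example.org")

if __name__ == "__main__":
    for line in (ED25519_LINE, DSS_LINE):
        print(describe(line))
```

Run it against your real ~/.ssh/*.pub lines and paste the sha256 (or md5) values into the accounts@ message; a key reported as legacy is one a modern client will not offer.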