If, like me, you own very old SSH keys, chances are that they are weak DSA ones.
Unfortunately for us lazy admins, the latest release of macOS seems to be compliant with the
latest OpenSSH policies:
OpenSSH 7.0 and greater similarly disable the ssh-dss (DSA) public key algorithm. It too is weak and we recommend against its use.
We should rather say finally compliant, since Sierra is boarding a train that left a very long time ago (see this link, for instance).
Identify the problem
This is how you can check whether you have weak keys:
- identify all your public keys in
- for each one of them, run the following command (with the right file name, of course):
ssh-keygen -l -f ~/.ssh/id_dsa.pub
- if the output begins with something like
1024 SHA256:...
you can't connect to your beloved ssh servers anymore after the upgrade.
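To make the check above repeatable over every key you own, here is a small POSIX shell script (an added example, not part of the original post). It classifies the fingerprint line that `ssh-keygen -l -f` prints: any DSA key is flagged, and so is an RSA key below 2048 bits, which is my own policy threshold rather than anything OpenSSH enforces. The `(DSA)`/`(RSA)` suffix at the end of the line is what OpenSSH prints; the sample fingerprints below are made up. Run it with `--scan` (optionally followed by a directory) to walk your `.pub` files.

```shell
#!/bin/sh
# Added example (not from the original post): flag weak SSH public keys by
# parsing the fingerprint line that `ssh-keygen -l -f <key>.pub` prints, e.g.
#   1024 SHA256:<fingerprint> user@host (DSA)
# Assumptions: the trailing "(TYPE)" suffix is what OpenSSH prints; treating
# RSA below 2048 bits as weak is our own policy choice.

MIN_RSA_BITS=2048

# Returns 0 (true) when the fingerprint line describes a weak key:
# any DSA key (ssh-dss is disabled by OpenSSH 7.0+) or a short RSA key.
is_weak_key_line() {
    fp_line=$1
    bits=${fp_line%% *}             # first field: key size in bits
    ktype=${fp_line##*"("}          # text after the last "("
    ktype=${ktype%")"}              # drop the closing ")"
    case "$ktype" in
        DSA) return 0 ;;
        RSA) [ "$bits" -lt "$MIN_RSA_BITS" ] && return 0 ;;
    esac
    return 1                        # ED25519, ECDSA, large RSA: acceptable
}

# Walk every *.pub file in a directory (default ~/.ssh) and print a verdict.
# Returns 0 when no weak key was found, 1 otherwise.
scan_pubkeys() {
    dir=${1:-$HOME/.ssh}
    found=0
    for pub in "$dir"/*.pub; do
        [ -f "$pub" ] || continue
        out=$(ssh-keygen -l -f "$pub" 2>/dev/null) || continue
        if is_weak_key_line "$out"; then
            printf 'WEAK  %s: %s\n' "$pub" "$out"
            found=1
        else
            printf 'ok    %s: %s\n' "$pub" "$out"
        fi
    done
    return "$found"
}

# Constructed sample lines in the format ssh-keygen -l prints (fingerprints are made up).
SAMPLE_DSA='1024 SHA256:AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA user@laptop (DSA)'
SAMPLE_RSA='4096 SHA256:BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB user@laptop (RSA)'

# Usage: sh weakkeys.sh --scan [directory]
case "${1:-}" in
    --scan) scan_pubkeys "${2:-$HOME/.ssh}" ;;
esac
```

The older MD5-style fingerprint lines (`1024 ab:cd:...`) parse the same way, since only the first field and the trailing key type are used.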
If you have already upgraded to macOS Sierra, don't panic: this is only the default behaviour.
Edit the file ~/.ssh/config, or create it if it doesn't exist, and add the following line:
and you are back in business again!
Don't be lazy
Now that you have regained access to your beloved ssh server, please do not stop here!
- generate a new RSA key with a brand new passphrase:
ssh-keygen -t rsa
sudo chmod 600 ~/.ssh/id_rsa
- on your ssh server, edit
~/.ssh/authorized_keys and replace the old ssh public key with the new one found on your
- remove from your local
~/.ssh/config file the line
- say farewell to all your weak keys.
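The temporary override and its later removal (the "add the following line" step above and the "remove the line" step in this list) are easy to script so that the override cannot be forgotten. The script below is an added example, not part of the original post. The option it writes, `PubkeyAcceptedKeyTypes +ssh-dss`, is the OpenSSH 7.0+ setting that re-enables ssh-dss client side; the BEGIN/END marker comments, the `legacy-dsa` label and the config path argument are my own conventions so the block can be removed cleanly. Note that it scopes the override to a single `Host` rather than the whole config, so ssh-dss stays disabled for every other server you talk to.

```shell
#!/bin/sh
# Added example, not part of the original post: manage the temporary
# ssh_config override that lets an OpenSSH 7.0+ client keep using an ssh-dss
# key towards one legacy host, and remove it again after the key rotation.
# Assumptions: `PubkeyAcceptedKeyTypes` is the real OpenSSH option; the
# marker lines below are our own convention (ssh_config only allows
# whole-line comments, so markers live on their own lines).

MARK_BEGIN='# BEGIN legacy-dsa (temporary: remove after rotating to a new key)'
MARK_END='# END legacy-dsa'

# 0 if the marked override block is present in the config file, 1 otherwise.
has_dss_override() {
    [ -f "$1" ] && grep -qF -- "$MARK_BEGIN" "$1"
}

# Append a host-scoped override to the config file, creating it if needed.
# Idempotent: a second call leaves the file unchanged.
enable_dss_for_host() {
    cfg=$1
    host=$2
    has_dss_override "$cfg" && return 0
    (
        umask 077                      # new config file must be private
        {
            printf '%s\n' "$MARK_BEGIN"
            printf 'Host %s\n' "$host"
            printf '    PubkeyAcceptedKeyTypes +ssh-dss\n'
            printf '%s\n' "$MARK_END"
        } >> "$cfg"
    )
}

# Remove the marked block, leaving every other line of the config untouched.
disable_dss_override() {
    cfg=$1
    [ -f "$cfg" ] || return 0
    awk -v b="$MARK_BEGIN" -v e="$MARK_END" '
        $0 == b { skip = 1; next }
        $0 == e { skip = 0; next }
        !skip   { print }
    ' "$cfg" > "$cfg.tmp" && mv "$cfg.tmp" "$cfg"
}

# Usage: sh dss-override.sh enable <host> | disable    (acts on ~/.ssh/config)
case "${1:-}" in
    enable)  enable_dss_for_host "$HOME/.ssh/config" "$2" ;;
    disable) disable_dss_override "$HOME/.ssh/config" ;;
esac
```

Run `enable <host>` only for the server you still have to reach with the old key, rotate the key as described above, then run `disable` so the weak algorithm is not left enabled. Recent OpenSSH releases have dropped ssh-dss support entirely, so the override only helps on versions that still ship the algorithm.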