If like me you own very old ssh keys, chances are that are a weak dsa ones.
Unfortunately for us lazy admins, the latest release of MacOS seems to be compliant with the latest openssh policies.

OpenSSH 7.0 and greater similarly disable the ssh-dss (DSA) public key algorithm. It too is weak and we recommend against its use.

We should say finally compliant, since Sierra is getting on a train that left very long ago (see this link i.e.).

identify the problem

This is how you can check it out if you have weak keys

  • identify all your public keys in ~/.ssh
  • for each one of them execute the following command (with the right file name...): ssh-keygen -l -f ~/.ssh/id_dsa.pub
  • if the output is something like 1024 SHA256 you can't connect to your beloved ssh servers anymore after the upgrade.

don't panic

If you have already upgraded to MacOS Sierra, don't panic: this is only the default behavior.
Edit the file ~/.ssh/config, or create it if doesn't exist, and add the following line:

PubkeyAcceptedKeyTypes ssh-dss

and you are back in business again!

don't be lazy

Now that you have gained access again to your beloved ssh server, please do not stop!

  • generate a new rsa key with a brand new passphrase.
ssh-keygen -t rsa
sudo chmod 600 ~/.ssh/id_rsa
  • edit on your ssh server ~/.ssh/authorized_keys and replace the old ssh public key with the new one found on your ~/.ssh/id_rsa.pub
  • remove from your local ~/.ssh/config file the line
PubkeyAcceptedKeyTypes ssh-dss
  • say farewell to all your weak keys
rm ~/.ssh/id_dsa*


front image by smilla4