Git SSH "permission denied" in macOS 13 Ventura (2025)

7 Answers


33

You need to generate a new set of keys based on a more secure hash algorithm. It is generally recommended to use the ed25519 algorithm.

ssh-keygen -t ed25519 -C [emailprotected]
ssh-add -A

In case you absolutely can't upgrade SSH (support added in OpenSSH 6.4) and you have to use RSA/SHA1 (e.g. the server accepts only RSA/SHA1 and you can't change that), add this snippet to the top of ~/.ssh/config on the client side (create the folder and file if they don't exist).

Host your-old-host.example.com
    HostkeyAlgorithms +ssh-rsa
    PubkeyAcceptedAlgorithms +ssh-rsa

It enables RSA/SHA1 for both the host key and the public key, and should solve both this problem and the related "no matching host key type found" problem.

edited Dec 23, 2022 at 2:47

Capripot

answered Oct 25, 2022 at 12:43

bumfo

  • This is usually the correct answer, but it doesn't exactly "enable RSA" – it enables RSA/SHA1, for outdated servers that do not support RSA/SHA256. Modern OpenSSH servers support RSA/SHA256 (and the exact same id_rsa keys can be used with both algorithms); unfortunately, if the server accepts only RSA (e.g. appliances) it's almost guaranteed to be old enough to require RSA/SHA1 specifically.

    grawity

    Commented Oct 25, 2022 at 12:52

  • This worked for me (OSX Ventura ssh to an old Ubuntu 14 box) and for clarity - I added this on the client side, and created a new file called config which didn't exist before. I didn't set any special permissions on the file.

    codemonkey

    Commented Nov 3, 2022 at 19:47

  • Please don't add this to Host *! This is terrible practice. The real solution is to upgrade the remote server to a version greater than OpenSSH 7.2. If that doesn't work, add it per host IP or in the command line when connecting, i.e. ssh -oPubkeyAcceptedAlgorithms=+ssh-rsa {user@host}

    Tony-Caffe

    Commented Nov 7, 2022 at 17:35

  • @Tony-Caffe I've submitted an edit to remove that dangerous advice.

    miken32

    Commented Nov 30, 2022 at 20:53

  • What is dangerous about adding a new pubkey algo to Host *? Please explain as it's only enabling the use of your ssh key on older versions. Additionally HostkeyAlgorithms is not needed at all here for the question posted and is just addressing a random issue this person had.

    michael.schuett

    Commented Apr 4, 2023 at 20:07

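The disagreement in the comments above is about scope, not about the option itself: the same `+ssh-rsa` line either applies to every server you ever connect to (`Host *`, or a line before any `Host` block) or to one named legacy box. The following is an added example, not code from any answer in this thread: a small linter for ~/.ssh/config that finds HostKeyAlgorithms, PubkeyAcceptedAlgorithms and the older PubkeyAcceptedKeyTypes spelling, reports whether each legacy algorithm they enable is global or scoped, and renders the per-host block the answer recommends. It goes a little beyond the thread by also flagging the 1024-bit diffie-hellman-group1-sha1 key-exchange group. The sample config, host names and function names are all constructed for this example.

```python
"""Lint ~/.ssh/config for legacy-algorithm opt-ins and report their scope.

Hypothetical helper, not from any answer in this thread. It understands the
keywords the answers set and says whether each legacy algorithm is enabled
globally (before the first Host/Match line, or under `Host *`) or only for a
named host; the per-host form is the one the comments argue for.
"""
import re

# Algorithms worth flagging. "ssh-rsa" means RSA signatures with SHA-1;
# rsa-sha2-256/512 use the very same keys and are not flagged.
LEGACY_ALGOS = {
    "hostkeyalgorithms": {"ssh-rsa", "ssh-dss"},
    "pubkeyacceptedalgorithms": {"ssh-rsa", "ssh-dss"},
    "pubkeyacceptedkeytypes": {"ssh-rsa", "ssh-dss"},   # pre-8.5 spelling
    "kexalgorithms": {"diffie-hellman-group1-sha1"},     # 1024-bit DH group
}

# `Host *` on its own or followed by further patterns, but not `Host *.example.com`.
GLOBAL_HOST = re.compile(r"host\s+\*(\s|$)", re.I)


def parse_ssh_config(text):
    """Return (scope, keyword, value) for every option line.

    scope is "global" until the first Host/Match line, then the literal
    "Host ..." / "Match ..." line. Keywords are case-insensitive and may be
    written `Key value` or `Key=value`; lines starting with `#` are comments."""
    entries, scope = [], "global"
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"([A-Za-z]+)\s*=?\s*(.*)", line)
        if not m:
            continue
        key, value = m.group(1).lower(), m.group(2).strip()
        if key in ("host", "match"):
            scope = f"{key.title()} {value}"
            continue
        entries.append((scope, key, value))
    return entries


def find_legacy_optins(text):
    """One finding per option line that makes a flagged algorithm acceptable."""
    findings = []
    for scope, key, value in parse_ssh_config(text):
        wanted = LEGACY_ALGOS.get(key)
        if not wanted or value.startswith("-"):   # "-alg" removes, enables nothing
            continue
        # "+list" appends to the defaults, "^list" prepends, a bare list replaces.
        algos = {a.strip() for a in value.lstrip("+^").split(",")}
        hits = sorted(algos & wanted)
        if hits:
            findings.append({
                "scope": scope, "option": key, "algorithms": hits,
                "global": scope == "global" or GLOBAL_HOST.match(scope) is not None,
            })
    return findings


def legacy_host_block(hostname, host_key=True, pubkey=True):
    """Render the per-host opt-in the answer recommends instead of `Host *`."""
    lines = [f"Host {hostname}"]
    if host_key:
        lines.append("    HostKeyAlgorithms +ssh-rsa")
    if pubkey:
        lines.append("    PubkeyAcceptedAlgorithms +ssh-rsa")
    return "\n".join(lines) + "\n"


def report(text):
    """One line per finding; GLOBAL ones are the ones to move into a Host block."""
    return [f"[{'GLOBAL' if f['global'] else 'scoped'}] {f['scope']}: "
            f"{f['option']} enables {','.join(f['algorithms'])}"
            for f in find_legacy_optins(text)]


# Constructed sample that mixes the snippets posted in this thread.
SAMPLE_CONFIG = """\
# applies to every server: this is the form the comments warn against
Host *
    PubkeyAcceptedAlgorithms +ssh-rsa

Host your-old-host.example.com
    HostKeyAlgorithms +ssh-rsa
    PubkeyAcceptedAlgorithms +ssh-rsa
    KexAlgorithms +diffie-hellman-group1-sha1
"""

if __name__ == "__main__":
    print("\n".join(report(SAMPLE_CONFIG)))
    print(legacy_host_block("your-old-host.example.com"), end="")
```

Run it against your real file with `report(open(os.path.expanduser("~/.ssh/config")).read())`; anything tagged GLOBAL is what Tony-Caffe's comment objects to, and `legacy_host_block()` gives the scoped replacement. The parser deliberately ignores Include and Match semantics beyond treating them as scope boundaries, which is enough to answer the one question the thread argues about.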

13

macOS 13 (Ventura) ships with OpenSSH_9.0p1. According to the OpenSSH release notes:

This release disables RSA signatures using the SHA-1 hash algorithm by default. This change has been made as the SHA-1 hash algorithm is cryptographically broken, and it is possible to create chosen-prefix hash collisions for <USD$50K [1]

A workaround is described in this Reddit thread: SSH in Ventura

Perhaps a better solution is to generate keys based on a more secure hash algorithm. For the time being, I'm switching to ed25519, which can be generated like this:

ssh-keygen -t ed25519 -C "comment"

answered Oct 25, 2022 at 12:34

Haozhe Xie

  • The best solution would be to upgrade the server's SSH software if possible. Although originally SSHv2 only defined RSA to be used in combination with SHA-1, the RSA keys themselves aren't inherently tied to any specific hash algorithm and will automatically be used with SHA2-256 when both client and server support the new combination (although switching to ed25519 keys is still a good idea).

    grawity

    Commented Oct 25, 2022 at 13:01


7

This solution works for me.

  1. (Backup ~/.ssh/ folder)
  2. If your ssh config and private/public keys are in /etc/ssh/ before upgrading the MacOS:
     • copy ssh_config to ~/.ssh/config
     • copy all private/public keys to ~/.ssh/
  3. Add the following lines at the end of ~/.ssh/config:

HostkeyAlgorithms +ssh-rsa
PubkeyAcceptedAlgorithms +ssh-rsa
KexAlgorithms +diffie-hellman-group1-sha1

answered Dec 7, 2022 at 21:42

Phu Mai

2

Please don't add this to Host *! This is terrible practice. The real solution is to upgrade the remote server to a version greater than OpenSSH 7.2. If that doesn't work, add it per host IP or in the command line when connecting.

i.e. - ssh -oPubkeyAcceptedAlgorithms=+ssh-rsa {user@host}

You can check your client keys and see if they support SHA256 and if they do, then no new keys are needed at the moment. If it doesn't say SHA256, then toss those keys and get something stronger using the ssh-keygen command.

ssh-keygen -l -f .ssh/id_rsa

answered Nov 7, 2022 at 17:35

Tony-Caffe

1

Add the following to your ~/.ssh/config file

HostkeyAlgorithms +ssh-rsa
PubkeyAcceptedAlgorithms +ssh-rsa
KexAlgorithms +diffie-hellman-group1-sha1

from https://github.com/sshnet/SSH.NET/issues/1003

answered Dec 14, 2022 at 19:54

El Houcine Es-sanhaji

A lot of the answers are just blindly throwing up new config options that aren't needed.

To solve this issue you can run the following command.

$ ssh-keygen -l -f ~/.ssh/id_rsa
3072 SHA256:/redacted /Users/myuser/.ssh/id_rsa.pub (RSA)

Then you can take a look at the supported public keys for your ssh config.

$ ssh -Q PubkeyAcceptedAlgorithms
ssh-ed25519
[emailprotected]
ssh-rsa
rsa-sha2-256
rsa-sha2-512
ssh-dss
ecdsa-sha2-nistp256
ecdsa-sha2-nistp384
ecdsa-sha2-nistp521
[emailprotected]
[emailprotected]
[emailprotected]
[emailprotected]
[emailprotected]
[emailprotected]
[emailprotected]

In most cases adding ssh-rsa will work, or you can limit it to rsa-sha2-256 as well using the following. The other config people are posting is not needed in almost any case; just the following line.

Host *
    PubkeyAcceptedAlgorithms +ssh-rsa

In the case that you are using ssh certs, however, you will want to run the following command on your cert.

$ ssh-keygen -L -f ~/.ssh/id_rsa-cert.pub
/Users/myuser/.ssh/id_rsa-cert.pub:
        Type: [emailprotected] user certificate
        Public key: RSA-CERT SHA256:/redacted
        Signing CA: RSA SHA256:redacted (using rsa-sha2-256)
        Key ID: "something"
        Serial: 123
        Valid: from 2023-04-04T13:19:10 to 2023-04-05T09:19:40

In this case you will need to add the Type field to the PubkeyAcceptedAlgorithms like so.

Host *
    PubkeyAcceptedAlgorithms [emailprotected]

answered Apr 4, 2023 at 19:54

michael.schuett

  • See the other answer here on the dangers of adding Host *

    Randall

    Commented Jun 7, 2023 at 20:44

  • @Randall I'm sorry but that answer says nothing about the danger of adding Host * it just says "Hey I think this is dangerous. Trust me!". That is just cargo culting an answer around without an explanation. Sure it's better to specify things but like everything in tech the answer is it depends. In my most peoples case it won't matter and I am really struggling to see how it's dangerous and not just bad practice. Please enlighten me of the actual danger of this. I already know why it's bad practice.

    michael.schuett

    Commented Jun 8, 2023 at 16:53

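Two answers above (Tony-Caffe's and michael.schuett's) read the SHA256 in `ssh-keygen -l` output as evidence about the key. That value is the fingerprint hash of the key, which ssh-keygen prints for every key type; it says nothing about which signature algorithm a given server will accept for it, which is the thing that actually decides whether `+ssh-rsa` is needed. What does say it is the client's own verbose log: `ssh -vvv` shows the host key algorithm negotiated, the server-sig-algs list when the server sends ext-info (OpenSSH 7.2 and later), and whether the client skipped an RSA key because only ssh-rsa (RSA/SHA-1) would have matched. The following is an added example, not code from any answer here: a triage script that reads such a log and names which per-host option from this thread, if any, is actually needed. The three logs are constructed to mirror OpenSSH 9.x client output against an old server, an appliance with only ssh-rsa/ssh-dss host keys, and a current server; host names, paths and fingerprints are placeholders.

```python
"""Triage an `ssh -vvv` client log for the Ventura RSA/SHA-1 symptoms.

Hypothetical helper, not part of OpenSSH or of any answer above. It reports
whether host-key negotiation failed (and what the server offered), which
signature algorithms the server advertised via server-sig-algs, whether the
client skipped an RSA key because only ssh-rsa would have matched, and what
finally succeeded, then names the per-host config change that is needed.
"""
import re

PATTERNS = {
    "hostkey_offer": re.compile(r"no matching host key type found\. Their offer: (\S+)"),
    "hostkey_algo": re.compile(r"kex: host key algorithm: (\S+)"),
    "server_sig_algs": re.compile(r"server-sig-algs=<([^>]*)>"),
    # OpenSSH 8.8+ will not even try a key whose only usable algorithm is disabled.
    "skipped_key": re.compile(r"Skipping (\S+) key (\S+) - corresponding algo not in PubkeyAcceptedAlgorithms"),
    "no_mutual": re.compile(r"send_pubkey_test: no mutual signature algorithm"),
    "accepted_key": re.compile(r"Server accepts key: (\S+) (\S+)"),
    "signing_with": re.compile(r"signing using (\S+)"),
}
SHA2_RSA = {"rsa-sha2-256", "rsa-sha2-512"}


def triage(log):
    """Return a dict of findings; r["advice"] lists the conclusions in order."""
    r = {"hostkey_offer": None, "hostkey_algo": None, "server_sig_algs": None,
         "skipped_keys": [], "no_mutual_sig": False, "accepted_key": None,
         "signing_with": None, "advice": []}
    for line in log.splitlines():
        hits = {name: pat.search(line) for name, pat in PATTERNS.items()}
        if hits["hostkey_offer"]:
            r["hostkey_offer"] = hits["hostkey_offer"].group(1).split(",")
        if hits["hostkey_algo"]:
            r["hostkey_algo"] = hits["hostkey_algo"].group(1)
        if hits["server_sig_algs"]:
            r["server_sig_algs"] = hits["server_sig_algs"].group(1).split(",")
        if hits["skipped_key"]:
            r["skipped_keys"].append(hits["skipped_key"].groups())   # (algo, path)
        if hits["no_mutual"]:
            r["no_mutual_sig"] = True
        if hits["accepted_key"]:
            r["accepted_key"] = hits["accepted_key"].groups()        # (path, type)
        if hits["signing_with"]:
            r["signing_with"] = hits["signing_with"].group(1)

    advice, offer = r["advice"], r["hostkey_offer"]
    if offer is not None:
        if "ssh-rsa" in offer:
            advice.append(f"Host key: server offers only {','.join(offer)}; put "
                          "'HostKeyAlgorithms +ssh-rsa' in a Host block for this server only.")
        else:
            advice.append(f"Host key: no overlap with client defaults; offer was {','.join(offer)}.")
    sig = set(r["server_sig_algs"] or [])
    if sig & SHA2_RSA:
        advice.append("Public key: server accepts RSA with SHA-2; existing RSA keys work "
                      "and no PubkeyAcceptedAlgorithms change is needed.")
    sha1_only = bool(sig) and "ssh-rsa" in sig and not (sig & SHA2_RSA)
    if r["skipped_keys"] or r["no_mutual_sig"] or sha1_only:
        advice.append("Public key: server only accepts RSA/SHA-1; either add "
                      "'PubkeyAcceptedAlgorithms +ssh-rsa' scoped to this Host, or "
                      "authenticate with a non-RSA key (ssh-keygen -t ed25519).")
    if r["accepted_key"]:
        path, ktype = r["accepted_key"]
        alg = f" using {r['signing_with']}" if r["signing_with"] else ""
        advice.append(f"Authenticated with {ktype} key {path}{alg}.")
    return r


# Constructed excerpts modelled on OpenSSH 9.x `ssh -vvv` output; host names,
# addresses, paths and fingerprints are placeholders.
LEGACY_LOG = """\
debug1: Connecting to legacy.example.com [192.0.2.10] port 22.
debug1: Remote protocol version 2.0, remote software version OpenSSH_6.6.1p1
debug1: kex: host key algorithm: ecdsa-sha2-nistp256
debug1: Skipping ssh-rsa key /Users/me/.ssh/id_rsa - corresponding algo not in PubkeyAcceptedAlgorithms
debug1: Authentications that can continue: publickey,password
me@legacy.example.com: Permission denied (publickey).
"""
APPLIANCE_LOG = """\
debug1: Connecting to appliance.example.com [192.0.2.20] port 22.
Unable to negotiate with 192.0.2.20 port 22: no matching host key type found. Their offer: ssh-rsa,ssh-dss
"""
MODERN_LOG = """\
debug1: Connecting to current.example.com [192.0.2.30] port 22.
debug1: kex: host key algorithm: ssh-ed25519
debug1: kex_input_ext_info: server-sig-algs=<ssh-ed25519,ssh-rsa,rsa-sha2-256,rsa-sha2-512,ecdsa-sha2-nistp256>
debug1: Offering public key: /Users/me/.ssh/id_rsa RSA SHA256:REDACTED explicit
debug1: Server accepts key: /Users/me/.ssh/id_rsa RSA SHA256:REDACTED explicit
debug3: sign_and_send_pubkey: signing using rsa-sha2-512 SHA256:REDACTED
debug1: Authentication succeeded (publickey).
"""

if __name__ == "__main__":
    for name, log in (("legacy", LEGACY_LOG), ("appliance", APPLIANCE_LOG), ("modern", MODERN_LOG)):
        print(name + ":", *triage(log)["advice"], sep="\n  ")
```

To use it on a real failure, capture the client side with `ssh -vvv user@host 2> ssh.log` and call `triage(open("ssh.log").read())["advice"]`. The "modern" case is the one grawity's comments describe: the same id_rsa is accepted and signed with rsa-sha2-512 without any config change, so a `+ssh-rsa` line there would only weaken the client.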

For PIV authentication

Granted, this deviates from the OP's issue with RSA keys.
I got the following error using ssh/PIV authentication after upgrading to Ventura:

Infinite reexec detected; aborting
banner exchange: Connection to UNKNOWN port 65535: Broken pipe

The fix was:

  1. Remove or comment out the PKCS11Provider line in your ~/.ssh/config
  2. Run the following commands:

ssh-add -e /usr/lib/ssh-keychain.dylib
# Note - the above command may produce the error:
#   'Could not remove card "/usr/lib/ssh-keychain.dylib": agent refused operation'
# This can be ignored; the file simply has no items to remove
ssh-add -D
killall -9 ssh-agent
ssh-add -s /usr/lib/ssh-keychain.dylib

  3. You should now be able to ssh

Note: If ssh still fails - The killall should have cleared all cached ssh process/keys/etc. A reboot will definitely clear any cached data that may be interfering.

answered Jun 7, 2023 at 21:19

Randall

Tagged: macos, ssh, git, public-key, macos-ventura
