7 Answers
Reset to default
33
You need to generate a new set of keys based on a more secure hash algorithm. It is generally recommended to use ed25519
algorithm.
ssh-keygen -t ed25519 -C [emailprotected]ssh-add -A
In case you absolutely can't upgrade SSH (support added in OpenSSH 6.4) and you have to use RSA/SHA1 (e.g. the server accepts only RSA/SHA1 and you can't change that), add this snippet to the top of ~/.ssh/config
on the client side (create the folder and file if it doesn't exist).
Host your-old-host.example.com HostkeyAlgorithms +ssh-rsa PubkeyAcceptedAlgorithms +ssh-rsa
It enables RSA/SHA1 both in host key and public key, should solve both this problem and related "no matching host key type found" problem.
Improve this answer
edited Dec 23, 2022 at 2:47
Capripot
11555 bronze badges
answered Oct 25, 2022 at 12:43
bumfobumfo
46911 gold badge33 silver badges55 bronze badges
6
-
8
This is usually the correct answer, but it doesn't exactly "enable RSA" – it enables RSA/SHA1, for outdated servers that do not support RSA/SHA256. Modern OpenSSH servers support RSA/SHA256 (and the exact same id_rsa keys can be used with both algorithms); unfortunately, if the server accepts only RSA (e.g. appliances) it's almost guaranteed to be old enough to require RSA/SHA1 specifically.
–grawity
Commented Oct 25, 2022 at 12:52
-
1
This worked for me (OSX Ventura ssh to an old Ubuntu 14 box) and for clarity - I added this on the client side, and created a new file called config which didn't exist before. I didn't set any special permissions on the file.
–codemonkey
Commented Nov 3, 2022 at 19:47
-
3
Please dont add this to
Host *
! This is terrible practice. The real solution is to upgrade the remote server to a version greater than OpenSSH 7.2. If that doesn't work, add it per host IP or in the command line command when connecting. I.E. -ssh -oPubkeyAcceptedAlgorithms=+ssh-rsa {user@host}
–Tony-Caffe
Commented Nov 7, 2022 at 17:35
-
@Tony-Caffe I've submitted an edit to remove that dangerous advice.
–miken32
Commented Nov 30, 2022 at 20:53
-
What is dangerous about adding a new pubkey algo to Host *? Please explain as it's only enabling the use of your ssh key on older versions. Additionally HostkeyAlgorithms is not needed at all here for the question posted and is just addressing a random issue this person had.
–michael.schuett
Commented Apr 4, 2023 at 20:07
| Show 1 more comment
13
macOS 13 (Ventura) ships with OpenSSH_9.0p1. According to the OpenSSH release notes:
This release disables RSA signatures using the SHA-1 hash algorithmby default. This change has been made as the SHA-1 hash algorithm iscryptographically broken, and it is possible to create chosen-prefixhash collisions for <USD$50K [1]
A workaround is described in this Reddit thread: SSH in Ventura
Perhaps a better solution is to generate keys based on a more secure hash algorithm. For the time being, I'm switching to ed25519, which can be generated like this:
ssh-keygen -t ed25519 -C "comment"
Improve this answer
answered Oct 25, 2022 at 12:34
Haozhe XieHaozhe Xie
1,28922 gold badges1212 silver badges1414 bronze badges
1
-
2
The best solution would be to upgrade the server's SSH software if possible. Although originally SSHv2 only defined RSA to be used in combination with SHA-1, the RSA keys themselves aren't inherently tied to any specific hash algorithm and will automatically be used with SHA2-256 when both client and server support the new combination (although switching to ed25519 keys is still a good idea).
–grawity
Commented Oct 25, 2022 at 13:01
Add a comment |
7
This solution works for me.
- (Backup ~/.ssh/ folder)
- If your ssh config and private/public keys are in /etc/ssh/ before upgrading the MacOS
- copy ssh_config to ~/.ssh/config
- copy all private/public keys to ~/.ssh/
- Adding the following lines at the end of ~/.ssh/config
HostkeyAlgorithms +ssh-rsaPubkeyAcceptedAlgorithms +ssh-rsaKexAlgorithms +diffie-hellman-group1-sha1
Improve this answer
answered Dec 7, 2022 at 21:42
Phu MaiPhu Mai
7111 bronze badge
Add a comment |
2
Please dont add this to Host *
! This is terrible practice. The real solution is to upgrade the remote server to a version greater than OpenSSH 7.2. If that doesn't work, add it per host IP or in the command line command when connecting.
I.E. - ssh -oPubkeyAcceptedAlgorithms=+ssh-rsa {user@host}
You can check your client keys and see if they support SHA256 and if they do, then no new keys are needed at the moment. If it doesnt say SHA256, then toss those keys and get something stronger using ssh-keygen
command.
ssh-keygen -l -f .ssh/id_rsa
Improve this answer
answered Nov 7, 2022 at 17:35
Tony-CaffeTony-Caffe
16044 bronze badges
Add a comment |
1
Add the following to your ~/.ssh/config
file
HostkeyAlgorithms +ssh-rsaPubkeyAcceptedAlgorithms +ssh-rsaKexAlgorithms +diffie-hellman-group1-sha1
Improve this answer
answered Dec 14, 2022 at 19:54
El Houcine Es-sanhajiEl Houcine Es-sanhaji
1111 bronze badge
Add a comment |
A lot of the answers are just blindly throwing up new config options that aren't needed.
To solve this issue you can run the following command.
$ ssh-keygen -l -f ~/.ssh/id_rsa3072 SHA256:/redacted /Users/myuser/.ssh/id_rsa.pub (RSA)
Then you can take a look at the supported public keys for your ssh config.
$ ssh -Q PubkeyAcceptedAlgorithmsssh-ed25519[emailprotected]ssh-rsarsa-sha2-256rsa-sha2-512ssh-dssecdsa-sha2-nistp256ecdsa-sha2-nistp384ecdsa-sha2-nistp521[emailprotected][emailprotected][emailprotected][emailprotected][emailprotected][emailprotected][emailprotected]
In most cases adding ssh-rsa will work or you can limit it to rsa-sha2-256 as well using the following. The other config people are posting is not needed in almost any case just the following line.
Host * PubkeyAcceptedAlgorithms +ssh-rsa
In the case that you are using ssh certs however you will want to run the following command on your cert.
$ ssh-keygen -L -f ~/.ssh/id_rsa-cert.pub/Users/myuser/.ssh/id_rsa-cert.pub: Type: [emailprotected] user certificate Public key: RSA-CERT SHA256:/redacted Signing CA: RSA SHA256:redacted (using rsa-sha2-256) Key ID: "something" Serial: 123 Valid: from 2023-04-04T13:19:10 to 2023-04-05T09:19:40
In this case you will need do add the Type field to the PubkeyAcceptedAlgorithms like so.
Host * PubkeyAcceptedAlgorithms [emailprotected]
Improve this answer
answered Apr 4, 2023 at 19:54
michael.schuettmichael.schuett
11133 bronze badges
2
-
See the other answer here on the dangers of adding
Host *
–Randall
Commented Jun 7, 2023 at 20:44
-
@Randall I'm sorry but that answer says nothing about the danger of adding Host * it just says "Hey I think this is dangerous. Trust me!". That is just cargo culting an answer around without an explanation. Sure it's better to specify things but like everything in tech the answer is it depends. In my most peoples case it won't matter and I am really struggling to see how it's dangerous and not just bad practice. Please enlighten me of the actual danger of this. I already know why it's bad practice.
–michael.schuett
Commented Jun 8, 2023 at 16:53
Add a comment |
For PIV authentication
Granted, this deviates from the OP's issue with RSA keys.
I got the following error using ssh/PIV authentication after upgrading to Ventura:
Infinite reexec detected; abortingbanner exchange: Connection to UNKNOWN port 65535: Broken pipe
The fix was:
- Remove or comment out the
PKCS11Provider
line in your~/.ssh/config
- Run the following commands:
ssh-add -e /usr/lib/ssh-keychain.dylib #Note - above command may produce the error: # 'Could not remove card "/usr/lib/ssh-keychain.dylib": agent refused operation' #This can be ignored; the file simply has no items to removessh-add -Dkillall -9 ssh-agentssh-add -s /usr/lib/ssh-keychain.dylib
- You should now be able to ssh
Note: If ssh still fails - The killall
should have cleared all cached ssh process/keys/etc. A reboot will definitely clear any cached data that may be interfering.
Improve this answer
answered Jun 7, 2023 at 21:19
RandallRandall
28411 silver badge1212 bronze badges
Add a comment |
You must log in to answer this question.
Not the answer you're looking for? Browse other questions tagged
- macos
- ssh
- git
- public-key
- macos-ventura
.
Not the answer you're looking for? Browse other questions tagged
- macos
- ssh
- git
- public-key
- macos-ventura
.