it's cold and dark outside your beloved ssh servers after MacOS Sierra upgrade
If, like me, you own very old ssh keys, chances are they are weak DSA ones.
Unfortunately for us lazy admins, the latest release of macOS is now compliant with the latest OpenSSH policy:
OpenSSH 7.0 and greater similarly disable the ssh-dss (DSA) public key algorithm. It too is weak and we recommend against its use.
We should say finally compliant, since Sierra is boarding a train that left a long time ago (see the OpenSSH legacy options page).
identify the problem
This is how you can check whether you have weak keys:
- identify all your public keys in ~/.ssh
- for each one of them execute the following command (with the right file name...):
ssh-keygen -l -f ~/.ssh/id_dsa.pub
- if the output is something like
1024 SHA256:...
you can't connect to your beloved ssh servers anymore after the upgrade.
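The check above can be automated. The script below is an added example, not part of the original post: it lists every .pub file in a directory and reports the ones whose type is ssh-dss, the algorithm OpenSSH 7.0+ (and therefore Sierra) refuses by default. It reads the key type from the first field of the .pub file, so it does not need ssh-keygen; run ssh-keygen -l afterwards on anything it flags to confirm size and fingerprint. The directory argument and the file name weakkeys.sh in the usage comment are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post): report DSA (ssh-dss) public
# keys in a directory. The key type is the first whitespace-separated token
# of a .pub file, so no ssh-keygen call is needed for the type check.

# weak_key_files DIR: print the path of every *.pub in DIR whose type is ssh-dss.
weak_key_files() {
    dir=$1
    for pub in "$dir"/*.pub; do
        [ -f "$pub" ] || continue        # no match: the glob stays literal
        keytype=$(awk 'NR==1 {print $1}' "$pub")
        case "$keytype" in
            ssh-dss) echo "$pub" ;;      # disabled by default since OpenSSH 7.0
        esac
    done
}

# count_weak_keys DIR: number of ssh-dss keys found, for a quick yes/no check.
count_weak_keys() {
    weak_key_files "$1" | wc -l | tr -d ' '
}

# Usage (assumed file name): sh weakkeys.sh ~/.ssh
if [ $# -gt 0 ]; then
    weak_key_files "$1"
fi
```

Anything printed is a key the upgraded ssh client will silently stop offering; keys of other types (ssh-rsa, ssh-ed25519, ecdsa-*) are ignored.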
don't panic
If you have already upgraded to macOS Sierra, don't panic: this is only the default behavior.
Edit the file ~/.ssh/config, or create it if it doesn't exist, and add the following line:
PubkeyAcceptedKeyTypes ssh-dss
and you are back in business again!
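One caveat on that line, shown here as an added example that is not from the original post: written at the top of ~/.ssh/config without a leading "+", PubkeyAcceptedKeyTypes ssh-dss applies to every host and replaces the accepted list with ssh-dss alone, so any RSA or Ed25519 key you already have stops being offered. The function below writes the narrower form instead: a Host stanza for the one legacy server, using +ssh-dss, which appends DSA to the default list. The config path and host name are arguments; the host legacy.example.com in the test is constructed.

```shell
#!/bin/sh
# Added example (not from the original post): enable ssh-dss for a single
# host only, instead of the global one-liner from the post.
#
#   weak (global, replaces the whole list):   PubkeyAcceptedKeyTypes ssh-dss
#   scoped (one host, appends to defaults):   Host legacy.example.com
#                                                PubkeyAcceptedKeyTypes +ssh-dss

# has_dss_override CONFIG HOST: exit 0 if a "Host HOST" stanza already
# carries an ssh-dss override, 1 otherwise.
has_dss_override() {
    awk -v host="$2" '
        $1 == "Host" { inblock = ($2 == host) }
        inblock && $1 == "PubkeyAcceptedKeyTypes" && $2 ~ /ssh-dss/ { found = 1 }
        END { exit found ? 0 : 1 }
    ' "$1"
}

# allow_dss_for_host CONFIG HOST: append the scoped stanza unless present
# (safe to run twice).
allow_dss_for_host() {
    config=$1
    host=$2
    mkdir -p "$(dirname "$config")"
    touch "$config"
    chmod 600 "$config"                  # ssh refuses a world-readable config
    if has_dss_override "$config" "$host"; then
        return 0
    fi
    printf '\nHost %s\n    PubkeyAcceptedKeyTypes +ssh-dss\n' "$host" >> "$config"
}

# Usage: allow_dss_for_host "$HOME/.ssh/config" legacy.example.com
```

Because the override is tied to one Host entry, the rest of your hosts keep the upgraded client's stricter defaults, and the line is easy to find and delete once the key is rotated.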
don't be lazy
Now that you have gained access again to your beloved ssh server, please do not stop!
- generate a new rsa key with a brand new passphrase:
ssh-keygen -t rsa
sudo chmod 600 ~/.ssh/id_rsa
- edit ~/.ssh/authorized_keys on your ssh server and replace the old ssh public key with the new one found in your local ~/.ssh/id_rsa.pub
- remove from your local ~/.ssh/config file the line
PubkeyAcceptedKeyTypes ssh-dss
- say farewell to all your weak keys:
rm ~/.ssh/id_dsa*
notes
front image by smilla4