macOS Sierra and SSH - Have your SSH keys stopped working?

So once I upgraded to macOS Sierra, I found that I could no longer use passwordless SSH login to some of the hosts that I always could. After a bit of Googling, it turns out that Apple have upgraded OpenSSH to version 7.2p2, which (like every OpenSSH release since 7.0) disables support for DSA (ssh-dss) keys by default. While you can create SSH keys in a range of formats, if you've been using them for quite some time (like me), you might still have an old DSA key hanging around that you use for one or more particular servers. The tell-tale sign is that ssh -v reports "Skipping ssh-dss key ... - not in PubkeyAcceptedKeyTypes" and then falls through to a password prompt.

These keys are not as secure as modern key types (ed25519, ecdsa, or rsa): ssh-dss keys are capped at 1024 bits, and a DSA signature made with a weak or repeated nonce gives away the private key. But if you can't log into a server to replace the key, you're kind of stuck. Fortunately, there's a way:

  1. Edit ~/.ssh/config in your favourite editor (create it if it doesn't exist)
  2. Add the following line at the top of the file, before any Host block (or inside the Host stanza for just the servers that need it). ssh uses the first value it finds for each option, and a line appended after a Host block only applies to that block:
    PubkeyAcceptedKeyTypes=+ssh-dss
    If the server's host key is also DSA, you will get "no matching host key type found" and need HostKeyAlgorithms=+ssh-dss next to it as well.
  3. Generate a new key using ssh-keygen -t rsa -b 4096 (or ssh-keygen -t ed25519 if the server runs OpenSSH 6.5 or newer)
  4. Add the new key to each server that you need to (ideally via Ansible/Salt/whatever), but to do it in one line, you can run (replacing USER and SERVER):
    cat ~/.ssh/id_rsa.pub | ssh USER@SERVER 'umask 077; mkdir -p ~/.ssh; cat >> ~/.ssh/authorized_keys'
    The umask makes a freshly created ~/.ssh and authorized_keys come out 700/600, which sshd insists on before it will use the file. Confirm the new key works on its own with ssh -o IdentitiesOnly=yes -i ~/.ssh/id_rsa USER@SERVER before moving on.
  5. After you're done adding your new key everywhere, comment out the line you added to ~/.ssh/config and remove the old DSA public key from each server's authorized_keys, as the OpenSSH project has said ssh-dss support will be removed completely in a future version.
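The same procedure as a small script, added here as an example and not taken from the original post. It assumes POSIX sh, awk and grep; ssh is only needed by push_key, which the offline demo at the bottom never calls. The config path, USER@SERVER and the key file names are placeholders, and the key files the demo writes are constructed fakes.

```shell
#!/bin/sh
# Added example for this post, not the author's code. Assumes POSIX sh, awk
# and grep; ssh is needed only by push_key, which the offline demo never
# calls. Paths, USER@SERVER and key file names are placeholders.

DSS_LINE='PubkeyAcceptedKeyTypes=+ssh-dss'

# Print the .pub files in a directory whose type is the legacy ssh-dss.
# The key type is the first field of an OpenSSH public-key line.
find_dss_pubkeys() {
    for f in "$1"/*.pub; do
        [ -f "$f" ] || continue
        [ "$(awk 'NR == 1 { print $1 }' "$f")" = "ssh-dss" ] && echo "$f"
    done
    return 0
}

# Re-enable ssh-dss for every host, idempotently. ssh_config uses the first
# value it sees for an option, and a line written after a "Host" stanza
# belongs to that stanza, so the directive is prepended, never appended.
enable_dss() {
    cfg=$1
    [ -f "$cfg" ] || : > "$cfg"
    grep -q "^[[:space:]]*$DSS_LINE" "$cfg" && return 0
    tmp=$(mktemp)
    # drop a commented-out copy left by disable_dss, then prepend a live one
    { echo "$DSS_LINE"; grep -v "^#$DSS_LINE" "$cfg" || true; } > "$tmp"
    mv "$tmp" "$cfg"
}

# Comment the directive out again once every server has the new key.
# A temp file is used because sed -i differs between macOS and GNU sed.
disable_dss() {
    cfg=$1
    tmp=$(mktemp)
    awk -v line="$DSS_LINE" '
        { s = $0; sub(/^[ \t]+/, "", s) }
        s == line { print "#" $0; next }
        { print }' "$cfg" > "$tmp"
    mv "$tmp" "$cfg"
}

# Command run on the remote host: umask 077 makes a freshly created ~/.ssh
# and authorized_keys come out 700/600, which sshd requires, and mkdir -p
# keeps the append from failing on a host that never had the directory.
remote_install_cmd() {
    echo 'umask 077; mkdir -p ~/.ssh; cat >> ~/.ssh/authorized_keys'
}

# Append a local public key to authorized_keys on USER@SERVER over the
# still-working DSA login, then prove the new key alone can log in.
push_key() {
    target=$1
    pub=${2:-$HOME/.ssh/id_rsa.pub}
    ssh "$target" "$(remote_install_cmd)" < "$pub"
    ssh -o IdentitiesOnly=yes -i "${pub%.pub}" "$target" true
}

# Offline demo on a throwaway directory with constructed, fake key files.
demo=$(mktemp -d)
echo 'ssh-dss AAAAB3NzaC1kc3MAAACBFAKEDSAKEY legacy@example' > "$demo/id_dsa.pub"
echo 'ssh-rsa AAAAB3NzaC1yc2EAAAADFAKERSAKEY new@example' > "$demo/id_rsa.pub"
printf 'Host bastion\n    User me\n' > "$demo/config"
echo "legacy keys: $(find_dss_pubkeys "$demo")"
enable_dss "$demo/config"
echo "--- with ssh-dss enabled ---"; cat "$demo/config"
disable_dss "$demo/config"
echo "--- after disable_dss ---"; cat "$demo/config"
rm -rf "$demo"
```

Running the file as-is only exercises the config handling on a temporary directory. For the real migration, source it and run enable_dss ~/.ssh/config, then push_key USER@SERVER ~/.ssh/id_rsa.pub for each host, and finally disable_dss ~/.ssh/config.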

For more information, see here: https://www.gentoo.org/support/news-items/2015-08-13-openssh-weak-keys.html.
