Unable to ssh without password after installing Sierra

I haven't been able to ssh to my MacAir without using a password (with a dsa key) after installing the Sierra developer beta. Sure enough (like after other major system updates) my /etc/sshd_config file was moved to /etc/sshd_config~orig, so (as I did other times) I edited /etc/sshd_config and changed


#AuthorizedKeysFile .ssh/authorized_keys


into


AuthorizedKeysFile .ssh/authorized_keys2


This did the trick after updating to El Capitan, Yosemite, etc., but this time I keep getting a password prompt after ssh'ing into my Air. Does anybody know what else should be changed in /etc/sshd_config to allow passwordless login?


Thanks,


Artemio

Accepted Reply

The problem is that DSA keys are obsolete after OpenSSH 7.0, which the new system seems to use. I generated a new RSA key and things worked again. Also, in the process I found out that the authorized_keys2 file has actually been deprecated for a long time! So I advise everybody to use authorized_keys instead, which works both with protocols 1 and 2. That way Apple's original sshd_config will work as is.
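
To find which entries are affected by the change described in the accepted reply, this added example (not code from the thread) reports the key type of every entry in an authorized_keys-style file and counts the ssh-dss ones. The function names and the sample entries are constructed for illustration; the key blobs are truncated placeholders.

```shell
#!/bin/sh
# Added example: classify each entry of an authorized_keys-style file by key
# type so ssh-dss entries can be found and replaced.

audit_keys() {
    # $1: path to an authorized_keys or authorized_keys2 file
    awk -v file="$1" '
        /^[ \t]*#/ || /^[ \t]*$/ { next }    # skip comments and blank lines
        {
            type = "unknown"; status = "CHECK"
            # Options such as command="..." may precede the key type, so look
            # for "<type> AAAA" anywhere in the line (key blobs start with AAAA).
            if (match($0, /(ssh-dss|ssh-rsa|ssh-ed25519|ecdsa-sha2-nistp[0-9]+)[ \t]+AAAA/)) {
                type = substr($0, RSTART, RLENGTH)
                sub(/[ \t]+AAAA$/, "", type)
                status = (type == "ssh-dss") ? "LEGACY" : "ok"
            }
            printf "%s:%d:%s:%s\n", file, NR, type, status
        }' "$1"
}

count_dsa() {
    # Print the number of ssh-dss entries in the file named by $1
    audit_keys "$1" | awk -F: '$(NF-1) == "ssh-dss" { n++ } END { print n + 0 }'
}

# Constructed sample input: placeholder blobs, not real keys.
sample=$(mktemp)
cat > "$sample" <<'EOF'
# constructed sample entries
ssh-dss AAAAB3NzaC1kc3MAAACBAPLACEHOLDER user@old-laptop
command="/usr/bin/true",no-pty ssh-dss AAAAB3NzaC1kc3MAAACBAPLACEHOLDER backup@host
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABPLACEHOLDER user@new-laptop
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5PLACEHOLDER admin@host
EOF
audit_keys "$sample"
echo "ssh-dss entries: $(count_dsa "$sample")"
```

Each output line has the form file:line:type:status; entries marked LEGACY are the ones to regenerate with a newer key type.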

Replies

One thing to keep in mind is that the Keychain, at least for me, is not currently happy with SSH keys being stored in them with /usr/bin/ssh-add -K. Whilst I issue the command, they never land in the Keychain, and as such, all authentication is password based until I re-add the keys to the running ssh agent.


I'm using MacPorts and the OpenSSH that comes with that for my sshd to access my Sierra running Mac, so, slightly different setup than yours.

Interesting. However, what I was talking about was ssh'ing to a Sierra machine using a public key without being asked for a password. I used to do that with all the previous systems by creating a DSA key in the local machine and copying the public key into the remote ~/.ssh/authorized_keys2 file (standard way). The only modification the sshd_config file (in the remote machine, running Sierra now) provided by Apple needs for this to work is to add "AuthorizedKeysFile .ssh/authorized_keys2" to it, so that the authorized_keys2 file is read. This used to work flawlessly with previous systems, but for some mysterious reason it doesn't now. Do you have any idea what else in the config file should be changed?

Add the following to your .ssh/config file to re-enable support for your DSA keys:

PubkeyAcceptedKeyTypes=+ssh-dss

If you're going to add dsa keys back in, then you could just use telnet... 😮

Hi Everyone,


Recently I faced the same issue: once I upgraded to macOS Sierra, all my SSH keys stopped working for Cisco ASA/firewalls but were still working for switches and routers. The error I was getting is below:


"Unable to negotiate with <IP ADDRESS> port 22: no matching key exchange method found. Their offer: diffie-hellman-group1-sha1"


What I did to resolve this was execute the command:

Step 1 : "sudo nano /etc/ssh/ssh_config"

Step 2 : "Enter your Mac password"

Step 3 : Go to the last line and add "KexAlgorithms +diffie-hellman-group1-sha1"

Step 4 : Press ctrl+Y and press enter. Press ctrl+X

Thanks for this. Perfect.