MacOS – Mavericks update broke ssh key-based authentication

authenticationmacosssh

I regularly ssh to one of my OS X boxes. I have configured ssh key-based authentication i.e. added my client-end ~/.ssh/id_rsa.pub to server-end ~/.ssh/authorized_keys2 with restricted enough permissions. This setup has worked fine for years over multiple OS X versions.

However, upgrading to OS X 10.9 Mavericks broke this setup. ssh login prompts for password. Logging in with password works but I want passwordless key-based authentication.

(I know the solution to this now. Documenting it here in case it helps others.)

Best Answer

Turns out it was about the key file name.

authorized_keys2 was the correct one to use for SSH2 keys a loooong time ago when I first configured the key-based authentication. For years, authorized_keys2 file was deprecated but still working. In Mavericks version of opensshd the support has been dropped.

This can be fixed with a simple rename:

cd ~/.ssh; mv authorized_keys2 authorized_keys

Related Solutions

MacOS – ECDSA ssh key on 10.8.2

The manpage describes the ability to generate ECC keys because the version of OpenSSH 5.9p1 (the version that comes with Mountain Lion) can potentially support ECC. However, the actual build of OpenSSH that came bundled with Mountain Lion appears to lack ECC support¹. The manpages are not modified when ECC support is not included in the compiled binaries.

If you want or need ECC support, you could use MacPorts (or probably Homebrew) to install a build of OpenSSH that does support ECC. You might run into some incompatibilities though:

the bundled ssh-agent (started automatically by launchd) will not be able to handle any ECC keys (you would have to start your own instance of the “custom”-built agent, or type your password each time you use an ECC key with the “custom”-built ssh), and
the “custom”-built tools will not have Apple’s patched-in Keychain integration.

¹ OpenSSH’s configure script does some checks to make sure that the available OpenSSL library is new enough and includes various bits of ECC functionality; the bundled version of OpenSSL seems to satisfy these requirements. I am not sure why the bundled version of OpenSSH was built without ECC support.

MacOS – Cannot unlock password protected SSH key in OS X Mavericks

Apparently, the private key I was using on my machine was an old one. My key did not contain the encryption information added to the private key file if I generate a new one:

-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-...

To solve the problem, I decrypted the key with openssl:

$ cd ~/.ssh
$ cp id_rsa id_rsa.bck
$ openssl rsa -in id_rsa -out id_rsa

...and then re-encrypted it:

$ openssl rsa -in id_rsa -aes256 -out id_rsa
$ chmod 0600 id_rsa

And just in case, regenerate the public key as well:

$ ssh-keygen -y -f id_rsa > id_rsa.pub

Best Answer

Related Solutions

MacOS – ECDSA ssh key on 10.8.2

MacOS – Cannot unlock password protected SSH key in OS X Mavericks

Related Question