MacOS – SSH no longer works after update to 10.12.4

macosssh

I've been successfully using the following script to initiate port forwarding for the last year or so:

ssh-add -K ~/.ssh/id_rsa
ssh -f admin@ssh.mydomain.com -L 50003:inst3:3389 -N -p 33233
ssh -f admin@ssh.mydomain.com -L 50005:inst5:3389 -N -p 33233
ssh -f admin@ssh.mydomain.com -L 50006:inst6:3389 -N -p 33233

Immediately after running today's OS update to 10.12.4, running this same script generates the following error:

Unable to negotiate with [my routable IP] port 33233: no matching host key type found. Their offer: ssh-dss

Some articles indicated that the problem could be resolved by editing ssh_config and uncommenting a particular line. This approach hasn't worked. I'm still locked out of SSH. For reference, here's a copy of my ssh_config file:

# Host *
#   ForwardAgent no
#   ForwardX11 no
#   RhostsRSAAuthentication no
#   RSAAuthentication yes
#   PasswordAuthentication yes
#   HostbasedAuthentication no
#   GSSAPIAuthentication no
#   GSSAPIDelegateCredentials no
#   BatchMode no
#   CheckHostIP yes
#   AddressFamily any
#   ConnectTimeout 0
#   StrictHostKeyChecking ask
#   IdentityFile ~/.ssh/identity
#   IdentityFile ~/.ssh/id_rsa
#   IdentityFile ~/.ssh/id_dsa
#   IdentityFile ~/.ssh/id_ecdsa
#   IdentityFile ~/.ssh/id_ed25519
#   Port 22
#   Protocol 2
#   Cipher 3des
#   Ciphers aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc
MACs hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160
#   EscapeChar ~
#   Tunnel no
#   TunnelDevice any:any
#   PermitLocalCommand no
#   VisualHostKey no
#   ProxyCommand ssh -q -W %h:%p gateway.example.com
#   RekeyLimit 1G 1h

I tried uncommenting the line beginning with "MACs hmac-…" but this made no difference. What shall I try next?

Best Answer

no matching host key type found. Their offer: ssh-dss

This error says that the remote server is offering only DSA host key. This is considered weak these days with fixed length of 1024 bits. You should update the server and set up different keys (RSA).

As a workaround, you can use HostKeyAlgorithms +ssh-dss in ~/.ssh/config, which will allow you to connect to this server, exactly as described in the official documentation for legacy algorithms in OpenSSH.

Related Solutions

MacOS – SSH Key Error, sudo works fine

The first time you connect to a server, you are prompted to accept the fingerprint for the host you are connecting to. The fingerprint is a combination of a digital signature, the host name and the IP address of the server. When you do accept, the fingerprint is saved in ~/.ssh/known_hosts as being a "trusted" host.

For some reason, the server's fingerprint has changed since the first time you connected to it. This may be because it is not the server you expect it to be, for example when your request is being intercepted and redirected to a different server. Hence the security warning. The explanation might also be less malicious, for example when the server was replaced/reinstalled without restoring it's previous digital signature, or when the IP address has changed.

If despite the security warning, you still trust the server you are connecting to, you should open ~/.ssh/known_hosts and look for the line starting with the address of the server you are connecting to. Remove the entire line and save your changes, then reconnect to the server. The first time you connect, it should again prompt you to accept the updated fingerprint, after which you should have no more troubles connecting to that host.

The reason why it would work with sudo is because in those conditions you are running it as a different user (root), and each user has it's own known_hosts file (for root this is located at /private/var/root/.ssh/known_hosts). root may have never recorded the previous fingerprint of that host, and therefor has no way of comparing it to the current one, and no reason to distrust the server.

MacOS – SSH works locally but not remotely

If all your machines are running Lion or Mountain Lion, and you're using the same iCloud account on them, then you can use iCloud to ssh as described in this blog post from One Thing Well

First, find your Back To My Mac account number by running.

dns-sd -E

Then SSH to another machine like so

ssh -2 -6 username@computer-name.[account number].members.btmm.icloud.com

You can also add this to your ~/.ssh/config to make it easier

Host mac-remote
User username
HostName computername.[account number].members.btmm.icloud.com
AddressFamily inet6
Protocol 2

Best Answer

Related Solutions

MacOS – SSH Key Error, sudo works fine

MacOS – SSH works locally but not remotely

Related Question