Wednesday, November 2, 2022

Ventura Drops Older SSH Support

Richard Staats (via Charlie Stross):

The reason for this issue is that MacOS 13 ships with OpenSSH_9.0p1 which has disabled RSA signatures on SHA-1 hash algorithms. If upgrading OpenSSH on the server and/or regenerating your SSH key isn’t an option you can workaround this issue by adding the following to your ~/.ssh/config file[…]

Update (2022-12-01): Stefan Reitshamer:

If you’re using Arq 7 to connect to a macOS Ventura SFTP server and you’re getting the error “Username/PublicKey combination invalid”, it may be due to Ventura’s upgrade to OpenSSH 9.1.

2 Comments RSS · Twitter

"Drops" is a strong word when it can still be configured on, but is just off by default for security.

It’s really the OpenSSH project that disabled ssh-rsa by default and it is a security issue. “rsa-sha2-256" (RSA/SHA256), "rsa-sha2-512" (RSA/SHA512) have been available since OpenSSH 7.2 in 2016. These protocols use the same keys as ssh-rsa.

If you are affected by this it means you don’t have ssh sha2 support in your sshd. That means you are running a server that hasn’t been patched for years and if that’s on the Internet, it’s just irresponsible.

Leave a Comment