SSH Access in MacOS Sonoma 14.3 not accepting RSA for key exchange, even after adding RSA to config

I have an older piece of code that establishes the connection to the mac, for the purposes of key exchange, with RSA.


Since Ventura, I cannot initiate an ssh connection with the mac out of the box. I need to modify the ssh_config (or my user's .ssh/config) with the following:


HostkeyAlgorithms +ssh-rsa

PubkeyAcceptedAlgorithms +ssh-rsa


This has worked all the way through Sonoma 14.1.


However, I have received a new Mac mini with 14.3 installed, and this is not working anymore.


I have tried adding that, as well as...


PubkeyAcceptedKeyTypes +ssh-rsa

HostkeyAlgorithms +ssh-dss, +ssh-rsa

PubkeyAcceptedAlgorithms +ssh-rsa

KexAlgorithms +diffie-hellman-group1-sha1,diffie-hellman-group14-sha1


Nothing seems to work. In the code, I get this error: Unable to exchange encryption keys


Using OpenSSH on the same client machine, it works. I think it's something to do with the initial key exchange, but I can't even find information on how to have the ssh tool use those keys for testing.


The developer is not updating the code anymore, and I have built something on top of it.


Any ideas?

Mac mini (M2, 2023)

Posted on Feb 2, 2024 9:11 AM


1 reply

Feb 2, 2024 11:07 AM in response to ultralame

ssh -vvv user@server.example.com


That’ll be really chatty. Don’t post it, or if you do decide to post it, then consistently search-and-global-replace the host names and the IP addresses before posting.


Examine what is on offer from the client and what is available on the server, and downgrade the server to match what the client can offer.


The four parts of this ssh negotiation are the host key algorithms available, the ciphers available, the key exchange, and the MAC available, on both ends: both client and server.


IIRC, it is usually possible to downgrade the incoming connection just for specific incoming clients, but it’s been a while since I’ve looked into that. I’m usually trying the other way, to connect from newer into older, which is a slightly easier mess.


Some related docs for a common ssh server: https://www.openssh.com/legacy.html


PS: above assumes the client app isn’t doing something local, or creative, and is paralleling the default ssh client.
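An added example, not part of the thread: the comparison the reply describes, done on the SSH_MSG_KEXINIT message each side sends (RFC 4253, section 7.1), reporting which of the negotiation parts have no algorithm in common. The algorithm lists are constructed samples, `offer` and `mismatches` are hypothetical helper names, and the selection rule is simplified to "first client algorithm the server also lists" (the full key-exchange rule in the RFC has extra conditions).

```python
SSH_MSG_KEXINIT = 20
# Order of the ten name-lists in SSH_MSG_KEXINIT (RFC 4253, section 7.1).
FIELDS = ["kex", "host_key", "cipher_c2s", "cipher_s2c", "mac_c2s", "mac_s2c",
          "comp_c2s", "comp_s2c", "lang_c2s", "lang_s2c"]

def build_kexinit(lists):
    """Encode a KEXINIT payload; used here only to make the constructed samples."""
    out = bytes([SSH_MSG_KEXINIT]) + bytes(16)  # type byte + 16-byte cookie (zeroed)
    for name in FIELDS:
        body = ",".join(lists.get(name, [])).encode("ascii")
        out += len(body).to_bytes(4, "big") + body  # name-list: uint32 length + text
    return out + b"\x00" + bytes(4)  # first_kex_packet_follows flag, reserved uint32

def parse_kexinit(payload):
    """Decode a KEXINIT payload into {field: [algorithm, ...]}."""
    if len(payload) < 17 or payload[0] != SSH_MSG_KEXINIT:
        raise ValueError("not an SSH_MSG_KEXINIT payload")
    pos, result = 17, {}
    for name in FIELDS:
        n = int.from_bytes(payload[pos:pos + 4], "big")
        if pos + 4 > len(payload) or pos + 4 + n > len(payload):
            raise ValueError("truncated at " + name)
        text = payload[pos + 4:pos + 4 + n].decode("ascii")
        result[name] = text.split(",") if text else []
        pos += 4 + n
    return result

def negotiate(client, server):
    """Per field: first client algorithm the server also lists, or None (no overlap)."""
    return {f: next((a for a in client[f] if a in server[f]), None) for f in FIELDS[:8]}

def offer(kex, host_key, cipher, mac):
    """Hypothetical helper: same cipher/MAC lists in both directions, no compression."""
    return build_kexinit({"kex": kex, "host_key": host_key, "cipher_c2s": cipher, "cipher_s2c": cipher,
                          "mac_c2s": mac, "mac_s2c": mac, "comp_c2s": ["none"], "comp_s2c": ["none"]})

# Constructed sample offers, not captured from any real client or server.
LEGACY_CLIENT = offer(["diffie-hellman-group14-sha1", "diffie-hellman-group1-sha1"],
                      ["ssh-rsa"], ["aes128-ctr", "aes128-cbc"], ["hmac-sha1"])
MODERN_SERVER = offer(["curve25519-sha256", "diffie-hellman-group14-sha256"],
                      ["ssh-ed25519", "rsa-sha2-512"], ["aes128-ctr"], ["hmac-sha2-256", "hmac-sha1"])

def mismatches(client=LEGACY_CLIENT, server=MODERN_SERVER):
    """Names of the negotiation parts where the two offers share no algorithm."""
    chosen = negotiate(parse_kexinit(client), parse_kexinit(server))
    return sorted(f for f, alg in chosen.items() if alg is None)

if __name__ == "__main__":
    print("no common algorithm for:", mismatches())
```

In `ssh -vvv` output from OpenSSH the same lists appear under "local client KEXINIT proposal" and "peer server KEXINIT proposal", so they can be compared by eye in the same way.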
