I also had this problem, and it was very tricky to find the fix. My /var/log/system.log files only said the following, no matter what LogLevel setting (even DEBUG3) I put in /etc/ssh/sshd_config:
com.apple.xpc.launchd com.openssh.sshd : Service exited with abnormal code: 255
By running the sshd command by hand I discovered the problem:
$ sudo /usr/sbin/sshd -p 8022
/var/empty must be owned by root and not group or world-writable.
The fix:
ls -ld /var/empty
sudo chown root /var/empty
sudo chgrp -R wheel /var/empty
sudo chmod go-w /var/empty
Also, a couple points on ssh security for macOS. Making these changes will reduce brute force attempts on your ssh server to very nearly nothing.
1. Harden the sshd configuration with pointers from this page, https://stribika.github.io/2015/01/04/secure-secure-shell.html
awk '$5 > 2000' /etc/ssh/moduli > "${HOME}/moduli"
wc -l "${HOME}/moduli" # make sure there is something left
sudo cp "${HOME}/moduli" /etc/ssh/moduli
cd /etc/ssh
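# /etc/ssh is root-owned, so removing and regenerating host keys needs sudo
sudo rm ssh_host_*key*
# -N "" gives the host keys an empty passphrase so sshd can load them unattended
sudo ssh-keygen -t ed25519 -f ssh_host_ed25519_key -N "" < /dev/null
sudo ssh-keygen -t rsa -b 4096 -f ssh_host_rsa_key -N "" < /dev/null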
In /etc/ssh/sshd_config:
KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256
Protocol 2
# RSA keys are required for some ssh clients
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_ed25519_key
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
PubkeyAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication no
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-ripemd160-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,hmac-ripemd160,umac-128@openssh.com
In /etc/ssh/ssh_config:
Host *
KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256
PasswordAuthentication no
ChallengeResponseAuthentication no
PubkeyAuthentication yes
HostKeyAlgorithms ssh-ed25519-cert-v01@openssh.com,ssh-rsa-cert-v01@openssh.com,ssh-ed25519,ssh-rsa
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-ripemd160-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,hmac-ripemd160,umac-128@openssh.com
2. Install a privatizing firewall that catches and blackholes brute force attempts from here, https://github.com/essandess/osxfortress.
You can use the pf firewall to verify and examine the number of brute force attacks:
sudo pfctl -t bruteforce -Ts
If you want more details on the attacks, install snort: Re: Snort and Barnyard and Base and Swatch on Mountain Lion OS X Server
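A check for the condition named in the sshd error message quoted above ("must be owned by root and not group or world-writable"), as an added example that is not part of the original post. The function name and the optional expected-uid argument are assumptions of this example; the second argument exists only so the check can be tried on a scratch directory.

```shell
#!/bin/sh
# check_privsep_dir DIR [EXPECTED_UID]
# Reports each reason DIR fails the "owned by root and not group or
# world-writable" rule; returns 0 only when DIR passes.
# EXPECTED_UID defaults to 0 (root); the override is an assumption of this example.
check_privsep_dir() {
    dir=$1
    want_uid=${2:-0}
    rc=0

    if [ ! -d "$dir" ]; then
        echo "$dir: missing or not a directory"
        return 2
    fi

    # -n prints the numeric owner, -L follows a symlink to the real directory.
    # This form of ls behaves the same on macOS/BSD and GNU systems.
    listing=$(ls -ldnL "$dir") || return 2
    mode=${listing%% *}
    uid=$(printf '%s\n' "$listing" | awk '{ print $3 }')

    if [ "$uid" != "$want_uid" ]; then
        echo "$dir: owned by uid $uid, expected uid $want_uid"
        rc=1
    fi
    # Mode string layout: type, then rwx for user, group, other.
    # Character 6 is the group write bit, character 9 the world write bit.
    case $mode in
        ?????w*) echo "$dir: group-writable ($mode)"; rc=1 ;;
    esac
    case $mode in
        ????????w*) echo "$dir: world-writable ($mode)"; rc=1 ;;
    esac
    return "$rc"
}

# Run against a path given on the command line, e.g.: sh check.sh /var/empty
if [ "$#" -gt 0 ]; then
    check_privsep_dir "$@"
fi
```

A non-zero exit with one line per problem tells you which of the chown or chmod commands from the fix above is still needed.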