Any ideas? This was fine until I took the update this morning
sign_and_send_pubkey: no mutual signature supported
OSX 10.14.1
MacBook Pro (15-inch, 2018), macOS Mojave (10.14.1)
This appears to be a bug in OpenSSH 7.8p1 (introduced in: https://github.com/openssh/openssh-portable/commit/4ba0d54794814ec0de1ec87987d0c 3b89379b436 and fixed in https://github.com/openssh/openssh-portable/commit/ebfafd9c7a5b2a7fb515ee95dbe0e 44e11d0a663). I've raised a bug (is it still a radar?) about this (id 45769139) in bugreport.apple.com.
Essentially, because the signature algorithm name doesn't match (because of the invalid "ssh-" on the front in the certificate case), it can't match against the EXT_INFO server-sig-algs sent by the server. It's fixed by OpenSSH 7.9p1.
Oh wait, I missed that your cert was a DSA one, my other posted fix is only for RSA certificates. Either way, the upgrade in OpenSSH removes ssh-dss and ssh-dss-cert-v01@openssh.com from the default PubkeyAcceptedKeyTypes.
A config:
Host *
PubkeyAcceptedKeyTypes +ssh-dss-cert-v01@openssh.com,ssh-dss
in your ~/.ssh/config should fix the issue.
In my case, I added PubkeyAcceptedKeyTypes +ssh-dss in ~/.ssh/config
I just created a new more secure ssh key and now it's working again.
I was wondering if Apple has hardened the requirements because my cert is 128bit DSA and was wondering if they only supported 256 and up or something like that. I was waiting to see what kind of responses I got on here before recreating the certs that I have had for years for ssh.
Same issue here. Since the update, pushing to my git repository via ssh does not work anymore (same error message).
Sorry this might be a obvious question but that is on the client (the mac running Mojave) or on the system that you are trying to connect to?
Thanks
Paul
PubkeyAcceptedKeyTypes is a client option, but that won't fix the ssh-certificate issue. Unfortunately the fix is in code (because you need all the types and options to match correctly).
Thank you everyone. I went with the config option for right now.
And I missed the edit window for this, so:
PubkeyAcceptedKeyTypes is a client option, but that won't fix the (RSA) ssh-certificate issue. Unfortunately the fix for that is in code (because you need all the types and options to match correctly).
Because I typed this too quickly (without seeing the reply properly) and because I've spent the last 3 hours debugging the RSA certificate problem, I was too quick to see the deprecated default support for DSA in OpenSSH 7.8p1.
This fix will work for DSA keys on the client, but as per my other reply, you need the ...-cert-v01@... form as well for DSA certificates
After upgrading to OSX 10.14.1 I get sign_and_send_pubkey: no mutual signature supported when trying to use ssh with a certificate
