The macOS Sierra upgrade breaking SSH keys

After I upgraded to macOS Sierra, my SSH key access to my Ubuntu servers broke. I learned that my older ssh-dss (DSA) keys were no longer considered secure and that I needed to replace them with RSA keys.

Updating server keys is always a bit time consuming. If you want more background on this, see: Secure Your Instance

Here’s what worked well for me:

Reactivate Password Authentication

First, I logged into my Digital Ocean droplets via the virtual console they offer. From there, I temporarily turned PasswordAuthentication back on:

$ sudo nano /etc/ssh/sshd_config

# Change this back temporarily to yes
# Change to no to disable tunnelled clear text passwords
PasswordAuthentication yes

Then, I restarted the SSH service:
$ sudo service ssh restart

If you can’t access your server in any way, there may be no easy way to regain access without using another device. For example, I use Panic’s Prompt 2 SSH App on my iPad.

Create a New RSA Key

Next, I created the new RSA key on my Mac:
$ ssh-keygen -t rsa

You’ll see something like this:
$ ssh-keygen -t rsa
Generating public/private rsa key pair.
Enter file in which to save the key (/Users/Jeff/.ssh/id_rsa): id_newkey
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in id_newkey.
Your public key has been saved in id_newkey.pub.
The key fingerprint is:
SHA256:aUxJKyyyyyyJW9cTqZxxxxxxCErTmI8
The key's randomart image is:
+---[RSA 2048]----+
|*B%a .. |
| Fo.+.oo |
|. o C. o |
| ..=..+o.. |
| o 7 +o o |
|.==o.... . |
| o . o.. |
| . o= oS o. |
| . ... |
+----[SHA256]-----+

Then, I printed the public key so I could copy it to a sharing service:
$ cat ~/.ssh/id_newkey.pub
ssh-rsa AAAAB3NzaC1yxxxxyyyyzzzz123121231jakdljasdasdasdklasjdlakszaC1yxxxxyyyyzzzz123121231jakdljasdasdasdklasjdlakszaC1yxxxxyyyyzzzz123121231jakdljasdasdasdklasjdlakszaC1yxxxxyyyyzzzz123121231jakdljasdasdasdklasjdlakszaC1yxxxxyyyyzzzz123121231jakdljasdasdasdklasjdlaksfTt12MRn Jeff@Skybook-Pro.local

Upload the New Key to Github Gist

Next, I created a new private Gist and pasted the public key into it and saved it.

Visiting the raw page for that gist, I copied the URL for the raw content of the Gist. There may be a more obvious way in the UX but I couldn’t find it.

Sign in to Your Server

Next, I used password authentication to sign in to my server:
$ ssh -p 22 superjeff@webstar.lookingatyour.com

Then, on the server, I ran the following steps to retrieve the public key from the Gist and append it to the authorized_keys file:

$ cd ~
$ wget https://gist.githubusercontent.com/newscloud/415axxxxyyyyyzzzz123axxxxyyyyyzzzz123axxxxyyyyyzzzz12392/id_newkey
$ cd .ssh
$ cat ../id_newkey >> authorized_keys
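As an added example (not part of the original post), here is a hardened version of that download-and-append step: a POSIX shell function that refuses ssh-dss keys and files that are not exactly one well-formed key line (for instance an HTML error page returned instead of the raw Gist), optionally compares the SHA256 fingerprint that ssh-keygen printed at creation time, skips a key that is already present, and sets the ~/.ssh permissions sshd expects. The function name, the sample key blob and the temporary paths are my own constructions.

```shell
#!/bin/sh
# install_pubkey: safely append one OpenSSH public key to an authorized_keys file.
# Usage: install_pubkey <pubkey-file> <authorized_keys> [expected SHA256 fingerprint]
# Checks: exactly one line, an accepted key type (ssh-dss is refused), a base64
# blob, optional fingerprint match, no duplicate, and the modes sshd demands.
install_pubkey() {
  keyfile=$1; authkeys=$2; expected=$3

  # One key per file: a multi-line paste or an HTML error page must not be appended.
  [ "$(grep -c '' "$keyfile")" -eq 1 ] || { echo "refusing $keyfile: expected exactly one line" >&2; return 1; }

  # ssh-dss is the type that stopped working after the Sierra OpenSSH upgrade.
  if grep -q '^ssh-dss ' "$keyfile"; then
    echo "refusing $keyfile: ssh-dss key, generate an RSA or Ed25519 key instead" >&2; return 1
  fi

  # Shape check: "<type> <base64> [comment]" for the key types we accept.
  grep -Eq '^(ssh-rsa|ssh-ed25519|ecdsa-sha2-nistp(256|384|521)) [A-Za-z0-9+/]+={0,2}( [^[:space:]].*)?$' "$keyfile" \
    || { echo "refusing $keyfile: not a single well-formed public key line" >&2; return 1; }

  # Optional: compare against the SHA256 fingerprint ssh-keygen printed at creation time.
  if [ -n "$expected" ]; then
    command -v ssh-keygen >/dev/null 2>&1 || { echo "ssh-keygen not found, cannot verify fingerprint" >&2; return 1; }
    actual=$(ssh-keygen -lf "$keyfile" | awk '{print $2}')
    [ "$actual" = "$expected" ] || { echo "fingerprint mismatch: got $actual, expected $expected" >&2; return 1; }
  fi

  # Create ~/.ssh and authorized_keys with the modes sshd's StrictModes requires.
  sshdir=$(dirname "$authkeys")
  mkdir -p "$sshdir" && chmod 700 "$sshdir"
  [ -f "$authkeys" ] || : > "$authkeys"
  chmod 600 "$authkeys"

  # Idempotent: the same key blob is never appended twice.
  blob=$(awk '{print $2}' "$keyfile")
  if grep -qF -- "$blob" "$authkeys"; then
    echo "key already present in $authkeys, nothing appended"; return 0
  fi
  # printf adds exactly one trailing newline even if the key file lacks one.
  printf '%s\n' "$(cat "$keyfile")" >> "$authkeys" && echo "key appended to $authkeys"
}

# Demo on a constructed (not real) key in a temporary directory.
demo=$(mktemp -d)
printf 'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCconstructedEXAMPLEblob0123456789+/== jeff@example\n' \
  > "$demo/id_newkey.pub"
install_pubkey "$demo/id_newkey.pub" "$demo/.ssh/authorized_keys"
install_pubkey "$demo/id_newkey.pub" "$demo/.ssh/authorized_keys"   # second run appends nothing
```

On a real server you would pass the fingerprint shown by ssh-keygen on your Mac as the third argument so a swapped or corrupted download is rejected before it ever reaches authorized_keys.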

Verify New Key Authentication to Your Server

Then, I tested it in another terminal window from my Mac:
$ ssh -p 22 -i ~/.ssh/id_newkey superjeff@webstar.lookingatyour.com
Everything worked fine!

Turn Off Password Access to Your Server

Then, I returned to the server and turned off PasswordAuthentication:
$ sudo nano /etc/ssh/sshd_config

# Change to no to disable tunnelled clear text passwords
PasswordAuthentication no

Then, I restarted the SSH service:
$ sudo service ssh restart

And that was it, just a few hours lost hunting down and duplicating the proper steps.

It’s odd that I didn’t know about this, and odd that the Sierra upgrade doesn’t warn you about it as it upgrades OpenSSH behind the scenes.

Posted by Jeff Reifman

Jeff is a technology consultant based in the Pacific Northwest. Try scheduling a meeting with his new startup Meeting Planner (https://meetingplanner.io), simpler, faster scheduling for work or play, and read his series about building it. Follow @reifman on Twitter.