PSA: SSH Suddenly Asks for Passwords in OS X

Background

If you’re an OS X user who uses SSH keys to SSH to remote machines and have just updated to Sierra, you may have noticed that SSH has suddenly started asking for a password. My situation is that I’ve upgraded my MacBook Pro but not yet my iMac. I can no longer SSH into the iMac from my MacBook Pro without giving a password. I am able to SSH into a remote Linux machine using the SSH RSA key.

There are two things going on here, I think. The first is that I think Sierra now requires an RSA key rather than a DSA key. This is for security reasons and something that Linux did a while ago. I can’t find any mention of this in the Sierra release notes but it’s consistent with what I’m seeing.

On the remote Linux host, SSHD will look for the RSA key in either the authorized_keys or authorized_keys2 file, but OS X specifically configures SSHD to look for keys only in the authorized_keys file. This means that you have to add your id_rsa.pub key to the authorized_keys file on a remote OS X machine. Once I did that, everything was back to normal and I no longer had to supply a password.

Summary

If you suddenly find yourself needing to supply a password for SSH operations, you should check that you are using an RSA key rather than a DSA key. You may have to generate an RSA key if you don’t have one. You should then add this key to authorized_keys on any Macs you are trying to access. Other machines may require that the key be added to authorized_keys2 instead. If you’re not sure which to use, just add the key to both files.
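
The checks from the summary, as an added shell example that is not part of the original post: it counts DSA (ssh-dss) entries in an authorized_keys-style file and appends an RSA public key once only, with restrictive permissions (700 on the directory, 600 on the file). The function names and key blobs are constructed for illustration; pass an authorized_keys2 path as the target where a host needs it.

```shell
#!/bin/sh
# Added example (not from the original post). Key blobs are constructed placeholders.

# Print the key type of one public-key or authorized_keys line, skipping any
# leading options field (e.g. 'no-pty ssh-rsa AAAA... comment').
key_type() {
    printf '%s\n' "$1" | awk '{
        for (i = 1; i <= NF; i++)
            if ($i ~ /^(ssh-dss|ssh-rsa|ssh-ed25519|ecdsa-sha2-nistp[0-9]+)$/) { print $i; exit }
    }'
}

# Count DSA (ssh-dss) entries in an authorized_keys-style file.
count_dsa() {
    n=0
    while IFS= read -r line || [ -n "$line" ]; do
        case $line in ''|'#'*) continue ;; esac
        if [ "$(key_type "$line")" = "ssh-dss" ]; then n=$((n + 1)); fi
    done < "$1"
    echo "$n"
}

# Append the public key in file $1 to authorized_keys file $2, once only.
# Returns 2 without writing if the key is DSA.
install_key() {
    pub=$(cat "$1") || return 1
    if [ "$(key_type "$pub")" = "ssh-dss" ]; then
        echo "refusing DSA key: $1" >&2
        return 2
    fi
    dir=$(dirname "$2")
    mkdir -p "$dir" && chmod 700 "$dir" || return 1
    touch "$2" && chmod 600 "$2" || return 1
    # -x -F: whole-line fixed-string match, so a re-run adds nothing
    grep -qxF -- "$pub" "$2" || printf '%s\n' "$pub" >> "$2"
}

# Demo on constructed data in a scratch directory (no real ~/.ssh is touched).
demo() {
    d=$(mktemp -d) || return 1
    echo 'ssh-rsa AAAAB3NzaC1yc2E-CONSTRUCTED user@macbook' > "$d/id_rsa.pub"
    echo 'ssh-dss AAAAB3NzaC1kc3M-CONSTRUCTED user@macbook' > "$d/authorized_keys"
    echo "DSA entries before: $(count_dsa "$d/authorized_keys")"
    install_key "$d/id_rsa.pub" "$d/authorized_keys"
    install_key "$d/id_rsa.pub" "$d/authorized_keys"   # idempotent
    echo "lines after two installs: $(wc -l < "$d/authorized_keys" | tr -d ' ')"
    rm -rf "$d"
}
demo
```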
