Sep 16, 2016 - So it looks like Apple changed the behaviour of the ssh-agent in macOS Sierra. Now it does not autoload all the keys in the keychain that were.

Workaround: Mac OS X High Sierra 10.13.2 – SSH tries to connect via HTTP proxy. Posted on January 2, 2018 by Roy. With Mac OS X release 10.13.2 Apple introduced a new bug where OpenSSH will attempt to use any web proxy configured from a PAC (proxy auto-config) file.
The macOS Sierra upgrade breaking SSH keys

After I upgraded to macOS Sierra, my SSH key access to my Ubuntu servers broke. The cause: Sierra ships OpenSSH 7.2, and since OpenSSH 7.0 the client no longer offers ssh-dss (DSA) keys by default (ssh-dss is limited to 1024-bit keys and SHA-1, which is why the project retired it), so my older DSA keys were silently skipped and the servers answered "Permission denied (publickey)". The fix is to replace them with RSA keys (ed25519 also works if both ends run OpenSSH 6.5 or later); ssh -Q key on the Mac lists the key types the new client will still offer. Installing a new public key on every server is always a bit time consuming. If you want more background on this, check out:

Here's what worked well for me:

Reactivate Password Authentication

First, I logged into my server via the virtual console my hosting provider offers. With this, I temporarily turned PasswordAuthentication back on:

$ sudo nano /etc/ssh/sshd_config

# Change this back temporarily to yes
# Change to no to disable tunnelled clear text passwords
PasswordAuthentication yes

Then I restarted the SSH service:

$ sudo service ssh restart

If you can't reach the server any other way, there may be no easy way to regain access without using another device; for example, I use an SSH client on my iPad. Before resorting to that, try re-enabling DSA for a single connection from the Mac with ssh -o PubkeyAcceptedKeyTypes=+ssh-dss user@server. That only works while the server still accepts DSA keys (servers running OpenSSH 7.0 or later drop them too unless configured otherwise), but when it does you can install the new key over that session and never re-enable passwords at all.
Create a New RSA Key

Next, create the new key on the Mac. I kept the default 2048-bit RSA size; -b 4096 or -t ed25519 are both fine if your servers run OpenSSH 6.5 or later. Give the key a name other than id_rsa so it doesn't clobber an existing key, and note that a bare name at the prompt saves the file in the current directory, not in ~/.ssh, so either cd ~/.ssh first or type the full path:

$ ssh-keygen -t rsa

You'll see something like this:

Generating public/private rsa key pair.
Enter file in which to save the key (/Users/Jeff/.ssh/id_rsa): id_newkey
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in id_newkey.
Your public key has been saved in id_newkey.pub.
The key fingerprint is:
SHA256:aUxJKyyyyyyJW9cTqZxxxxxxCErTmI8
The key's randomart image is:
+---[RSA 2048]----+
(randomart image omitted)
+----[SHA256]-----+

Then I printed the public key so I could upload it to a sharing service. The .pub half is safe to publish; the private key, id_newkey, never leaves the Mac:

$ cat ~/.ssh/id_newkey.pub
ssh-rsa AAAAB3NzaC1yxxxxyyyyzzzz123121231jakdljasdasdasdklasjdlakszaC1yxxxxyyyyzzzz123121231jakdljasdasdasdklasjdlakszaC1yxxxxyyyyzzzz123121231jakdljasdasdasdklasjdlakszaC1yxxxxyyyyzzzz123121231jakdljasdasdasdklasjdlakszaC1yxxxxyyyyzzzz123121231jakdljasdasdasdklasjdlaksfTt12MRn user@server

Upload the New Key to GitHub Gist

Next, I created a new Gist, pasted the public key into it and saved it. Visiting the raw page for that Gist, I copied the URL for the raw content. There may be a more obvious way in the UX but I couldn't find it. (If a password login works, ssh-copy-id -i ~/.ssh/id_newkey.pub user@server does the upload and the authorized_keys append in one step, with no intermediary at all.)
Sign in to Your Server

Next, I used password authentication to sign in to my server:

$ ssh -p 22 user@server

Then I retrieved the public key from the Gist and appended it to the authorized_keys file:

$ cd
$ wget <raw Gist URL>
$ cd .ssh
$ cat ../id_newkey.pub >> authorized_keys

Use >>, not >: a single > would wipe any other keys already authorized. Check permissions too, since sshd ignores the file if it or ~/.ssh is group- or world-writable (chmod 700 ~/.ssh; chmod 600 ~/.ssh/authorized_keys).

Verify New Key Authentication to Your Server

Then I tested it in another terminal window from my Mac, before touching password authentication again:

$ ssh -p 22 -i ~/.ssh/id_newkey user@server

Everything worked fine! Adding -o PasswordAuthentication=no to that command makes the test honest: it fails outright instead of quietly falling back to the password prompt.

Turn Off Password Access to Your Server

Then I returned to the server and turned PasswordAuthentication off again:

$ sudo nano /etc/ssh/sshd_config

# Change to no to disable tunnelled clear text passwords
PasswordAuthentication no

On Ubuntu also confirm ChallengeResponseAuthentication no, otherwise PAM can still prompt for a password through keyboard-interactive. Then I restarted the SSH service (sudo sshd -t first catches a typo in the config before the restart locks you out):

$ sudo service ssh restart

And that was it, just a few hours lost hunting down and duplicating the proper steps. It's odd I didn't know about this, and odd that the Sierra upgrade doesn't warn you as it upgrades OpenSSH behind the scenes.
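The same procedure as shell functions, added here as an example; it is not the post's own code. It assumes a POSIX sh with awk, ssh-copy-id on the Mac (it ships with macOS and Ubuntu), and a server whose config is /etc/ssh/sshd_config and whose service is managed with service ssh. The file paths, user@server and the key name id_newkey are placeholders. The two functions that edit sshd_config refuse to guess: they replace the existing global line for an option, commented out or not, insert before any Match block rather than appending into it, and are paired with sshd -t so a broken config is caught before sshd is restarted. The rotate_key and disable_password_auth steps talk to a real host or need root and are not exercised offline.

```shell
#!/bin/sh
# Added example (not the post's own code): the key-rotation steps above as
# shell functions. Assumes POSIX sh, awk, ssh-copy-id, and an OpenSSH server
# configured in /etc/ssh/sshd_config. user@server and id_newkey are placeholders.
set -eu

# Print the key type of an OpenSSH public key file. Returns 1 for ssh-dss,
# which OpenSSH 7.0+ clients (Sierra ships 7.2) no longer offer by default.
check_pubkey_type() {
  pubkey_file=$1
  key_type=$(awk '{ print $1; exit }' "$pubkey_file")
  case "$key_type" in
    ssh-dss)
      echo "REJECT: $pubkey_file is a DSA key; new clients will not offer it" >&2
      return 1 ;;
    ssh-rsa|ssh-ed25519|ecdsa-sha2-*)
      echo "$key_type" ;;
    *)
      echo "unknown key type: $key_type" >&2
      return 2 ;;
  esac
}

# Read the effective value of a single-valued sshd_config option: sshd takes
# the first uncommented occurrence, and anything after a Match line is
# conditional, so stop there.
get_sshd_option() {
  config=$1 key=$2
  awk -v key="$key" '
    tolower($1) == "match" { exit }
    tolower($1) == tolower(key) { print $2; exit }
  ' "$config"
}

# Set an option idempotently: replace the existing global line for it,
# commented or not, or insert one before the first Match block (an appended
# line would otherwise land inside that block). Match blocks are left alone.
set_sshd_option() {
  config=$1 key=$2 value=$3
  tmp=$(mktemp)
  awk -v key="$key" -v value="$value" '
    BEGIN { re = "^[[:space:]]*#?[[:space:]]*" key "[[:space:]]" }
    tolower($1) == "match" { if (!done) { print key " " value; done = 1 }; inmatch = 1 }
    !inmatch && $0 ~ re { if (!done) { print key " " value; done = 1 }; next }
    { print }
    END { if (!done) print key " " value }
  ' "$config" > "$tmp"
  mv "$tmp" "$config"
}

# Client side: push the new public key over a password login, then prove the
# key alone works before anything is locked down. Talks to a real host.
rotate_key() {
  host=$1 key=$2                  # e.g. user@server  ~/.ssh/id_newkey
  check_pubkey_type "$key.pub" >/dev/null
  ssh-copy-id -i "$key.pub" "$host"
  ssh -o IdentitiesOnly=yes -o PasswordAuthentication=no -i "$key" "$host" true
}

# Server side, run as root: turn passwords back off, but only restart sshd if
# the edited config still parses (set -e aborts on a failed sshd -t).
disable_password_auth() {
  config=${1:-/etc/ssh/sshd_config}
  set_sshd_option "$config" PasswordAuthentication no
  set_sshd_option "$config" ChallengeResponseAuthentication no   # PAM path on Ubuntu
  /usr/sbin/sshd -t -f "$config"
  service ssh restart
}
```

Order matters: rotate_key must succeed from the Mac before disable_password_auth runs on the server, and the IdentitiesOnly/PasswordAuthentication=no options in the verification step are what stop a stale agent key or a password prompt from masking a key that was never installed.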
I am trying to tunnel into a remote EC2 bastion server via ssh because I need to. In the document linked above, in the section "Remote port forwarding", it says:

There is one more thing you need to do to enable this. SSH doesn't by default allow remote hosts to forward ports. To enable this, open /etc/ssh/sshd_config and add the following line somewhere in that config file.

So I changed

GatewayPorts no

to

GatewayPorts yes

and attempted to restart SSH as it stated. It recommends sudo service ssh restart, but I'm on Mac OS Sierra. Says I can start/stop ssh via

sudo launchctl unload (or load) /System/Library/LaunchDaemons/ssh.plist

but I get the error:

/System/Library/LaunchDaemons/ssh.plist: Could not find specified service

Things I've tried:

- says LaunchAgents is run as a user, not root, which I am doing.
- /System/Library/LaunchDaemons/ssh.plist exists.
- launchctl has the subcommands load and unload.

So what's the problem?
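An added example, not part of the question or of any answer on the page: how the stock macOS sshd is normally restarted through launchd after editing /etc/ssh/sshd_config, with the config checked first. It assumes macOS 10.11 or later, where the job in /System/Library/LaunchDaemons/ssh.plist carries the launchd label com.openssh.sshd. Two things worth knowing before reaching for launchctl at all: launchctl unload reports "Could not find specified service" when the job is not currently loaded, which is the state when Remote Login is off in System Preferences, so the script checks launchctl list instead of guessing; and because that plist is socket-activated (launchd runs sshd -i for each incoming connection), an edited sshd_config is picked up by the next connection without any restart. GatewayPorts itself is an sshd option, so it has to be set on whichever machine's sshd accepts the -R forward. The launchctl list lines in the test are constructed, not real output.

```shell
#!/bin/sh
# Added example, not from the question or any answer: restarting the stock
# macOS sshd through launchd after editing /etc/ssh/sshd_config.
# Assumes macOS 10.11+ where the job label is com.openssh.sshd.
set -eu

SSHD_PLIST=/System/Library/LaunchDaemons/ssh.plist
SSHD_LABEL=com.openssh.sshd

# Exit 0 if the sshd job appears in `launchctl list` output read from stdin
# (columns: PID, last exit status, label). When this fails, the job is not
# loaded and `launchctl unload` would print "Could not find specified service".
sshd_is_loaded() {
  awk -v label="$SSHD_LABEL" '$3 == label { found = 1 } END { exit !found }'
}

# Print the PID column for the sshd job: a number while a listener process
# exists, "-" when launchd holds the socket and will spawn sshd on demand.
sshd_job_pid() {
  awk -v label="$SSHD_LABEL" '$3 == label { print $1; exit }'
}

# Validate the config as root first: launchd would happily reload a broken
# sshd_config and every new connection would then fail.
restart_sshd_macos() {
  sudo /usr/sbin/sshd -t -f /etc/ssh/sshd_config
  if sudo launchctl list | sshd_is_loaded; then
    sudo launchctl unload "$SSHD_PLIST"     # only valid while the job is loaded
  fi
  sudo launchctl load -w "$SSHD_PLIST"      # -w also clears a "disabled" override
}
```

If sshd_job_pid prints "-" the listener is launchd itself and there is no long-running sshd to restart; in that case a config change needs nothing beyond the sshd -t check.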