macOS Tahoe disables ssh-dss

The only way around this right now is building OpenSSH 9.7p1 (the last version that allowed `ssh-dss` at the compile level) like so:

Step 1: Get an older version of openssl , via

brew install openssl@3.0 

Step 2: Get the old source code for Openssh 9.7p1, which macOS Sonoma ships with: (feel free to get an older version, but take note of the OpenSSL dependency)

cd ~/Downloads
# Download the Portable version of OpenSSH 9.7p1
curl -O https://cdn.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-9.7p1.tar.gz
tar zxf openssh-9.7p1.tar.gz
cd openssh-9.7p1

Step 3: Configure make in the OpenSSH directory like so: (this is for Apple Silicon, hence the ARM flags)

export CFLAGS="-arch arm64"
export LDFLAGS="-arch arm64"
OPENSSL_PATH=$(brew --prefix openssl@3.0)
INSTALL_PATH=$HOME/openssh97

./configure --prefix=$INSTALL_PATH --with-ssl-dir=$OPENSSL_PATH

Step 4: Finally, make the binaries:

make
make install

Done! sftp and ssh should be usable now, via ~/openssh97/bin. Sample usage:

~/openssh97/bin/ssh -i ~/.ssh/id_rsa -oHostKeyAlgorithms=+ssh-dss myuser@host
# or
~/openssh97/bin/sftp -oHostKeyAlgorithms=+ssh-dss anotheruser@anotherhost

Put in your desired +ssh-dss flag wherever you like, either inline or in ~/.ssh/config.

You can also use a Docker image like another dude here but IMO that's a bit overkill.

Hope it helps!

After upgrading macOS, OpenSSH 10.0 no longer supports deprecated algorithms like ssh-dss. Here's how to fix it:

 Step 1: Check what's supported

 ssh -Q HostKeyAlgorithms

 Step 2: Update your SSH config

 Edit ~/.ssh/config and replace any lines with +ssh-dss with:

 Host [your-server-ip]

  HostKeyAlgorithms ssh-rsa,rsa-sha2-256,rsa-sha2-512

  PubkeyAcceptedAlgorithms ssh-rsa,rsa-sha2-256,rsa-sha2-512

 Step 3: Remove conflicting host keys

 If you get a "host identification has changed" error:

 ssh-keygen -R [your-server-ip]

 Step 4: Connect and accept new key

 ssh -o StrictHostKeyChecking=accept-new user@server

This worked for my Ubuntu server running OpenSSH 8.2. The key is using RSA variants instead of trying to force deprecated DSS support.

I had this issue also after updating bigsur to tahoe...

my solution :

Install docker .

then run in terminal :

docker run -it --rm alpine:3.10 /bin/sh

it will run a new shell with a linux alpine 3.10

in this shell run

apk add openssh

then connect to the server ( mine accepted only ssl-dss)

ssh -o PubkeyAcceptedKeyTypes=+ssh-dss -o HostKeyAlgorithms=+ssh-dss root@192.168.1.xx

replace root@192.168.1.xx by your login and server IP.

toumbi wrote:

It is using version 8.1 of openssl according to the logs and this support ssl-dss:

OpenSSH 8.1 is about six years old.

Current OpenSSH is 10.2.

OpenSSH 7.0 and later disabled ssh-dss by default..

For compatibility with older (and insecure) hosts: https://www.openssh.org/legacy.html

Per OpenSSH: “The only remaining use of DSA at this point should be deeply legacy devices.”

Options? VPN into a VPN server on the legacy network, and use telnet to connect to the legacy server.

If you can’t use a VPN and telnet or such, then you’ll need to install and use an older version of OpenSSH, or another ssh tool. Or update the ssh server in the legacy servers, of course.

As for ssh-dss, it’s gone: https://lwn.net/Articles/958048/

toumbi wrote:

I had this issue also after updating bigsur to tahoe...

my solution :

Install docker .

…

in this shell run

apk add openssh

You’ll need an older openssh too, as it is OpenSSH that finally ended dss.

toumbi wrote:

Listen , it s not the subject , I know it's obselete, everyone knows it. But what solution do you propose for the creator of this thread ? He said : "I still have legacy network infrastructure that requires the use of legacy SSH algorithms, specifically ssh-dss."

In my case I had access to ssh on an old NAS that i'm still using at home. I don't care about security on that one and this NAS can not be updated . So what ? I should stop using my Nas after i update my OS ?

I did not find a lot of solutions .... so I share mine . ( not the best maybe ) .

So MrHoffman ? How do you do to access my NAS that accept only ssh-dss on ssl , no telnet no vpn (with tahoe)?

For compatibility with older (and insecure) hosts, and how to (try to) downgrade an ssh connection, see the previously-mentioned:

• https://www.openssh.org/legacy.html

I’ve successfully used various ssh options to access various enterprise gear with outdated key exchange and other features, enterprise gear which can unfortunately be quite outdated.

Here, I’d look to upgrade or to replace the NAS with newer support, or to load ZimaOS or TrueNAS on some spare x86-64 hardware, or configuring NAS functions on spare a RPi as is presently being discussed elsewhere here in ASC.

I’m hesitant to recommend keeping older NAS in active use, as some older NAS boxes have gotten pwned hard — including Synology and QNAP exploits announced this month, and more than a few D-Link NAS options with unpatched exploits (from last year). Some of these NAS vulnerabilities can be exploited remotely.

When any gear has gone on long enough that it has fallen off ssh compatibility, it’s Got Issues with its security.

Configure a bastion host* in front of whatever box is still requiring ssh-dss, or maybe see if the target box supports something else like ssh certificate authentication and can avoid needing ssh-dss.

But I’d still want a bastion host (accessed via ssh or other VPN) installed, pending replacement or upgrade of the target box. This given breaches in flat networks are Bad. Could be an RPi or any spare Arm or x86-64 box, or can be a cross-VLAN or tunneling rule configured within a purpose built VLAN-capable router.

*Also sometimes called a jump box or jump server.

That algorithm was permanently disabled in the upstream OpenSSH software.

You would need to download old source code and try building an older version yourself.

It is using version 8.1 of openssl according to the logs and this support ssl-dss:

docker run -it --rm alpine:3.10 /bin/sh -c "apk add openssh;ssh -o PubkeyAcceptedKeyTypes=+ssh-dss -o HostKeyAlgorithms=+ssh-dss root@192.168.1.17"




fetch http://dl-cdn.alpinelinux.org/alpine/v3.10/main/x86_64/APKINDEX.tar.gz
fetch http://dl-cdn.alpinelinux.org/alpine/v3.10/community/x86_64/APKINDEX.tar.gz
(1/9) Installing openssh-keygen (8.1_p1-r0)
(2/9) Installing ncurses-terminfo-base (6.1_p20190518-r2)
(3/9) Installing ncurses-libs (6.1_p20190518-r2)
(4/9) Installing libedit (20190324.3.1-r0)
(5/9) Installing openssh-client (8.1_p1-r0)
(6/9) Installing openssh-sftp-server (8.1_p1-r0)
(7/9) Installing openssh-server-common (8.1_p1-r0)
(8/9) Installing openssh-server (8.1_p1-r0)
(9/9) Installing openssh (8.1_p1-r0)
Executing busybox-1.30.1-r5.trigger
OK: 11 MiB in 23 packages
The authenticity of host '192.168.1.17 (192.168.1.17)' can't be established.
DSA key fingerprint is SHA256:=======EDITEDCONTENT=====
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '192.168.1.17' (DSA) to the list of known hosts.
root@192.168.1.17's password: 




BusyBox v1.20.2 (2014-10-30 15:26:14 CST) built-in shell (ash)
Enter 'help' for a list of built-in commands.


root@WDMyCloudMirror root #

Listen , it s not the subject , I know it's obselete, everyone knows it. But what solution do you propose for the creator of this thread ? He said : "I still have legacy network infrastructure that requires the use of legacy SSH algorithms, specifically ssh-dss."

In my case I had access to ssh on an old NAS that i'm still using at home. I don't care about security on that one and this NAS can not be updated . So what ? I should stop using my Nas after i update my OS ?

I did not find a lot of solutions .... so I share mine . ( not the best maybe ) .

So MrHoffman ? How do you do to access my NAS that accept only ssh-dss on ssl , no telnet no vpn (with tahoe)?

I am trying to add this to my MAC as well, but when I finally get to the finish line, I still get the "ssh-dss" bad key type error calling out the handful of lines in my .ssh/config file where I have appended it for a particular host. When I ssh -Q HostKeyAlgorithms, that Algo is not listed. So I am thinking despite adding openssh97, it is not using that ssh file on my MAC. Is there another step missing needed to help my .ssh/config file understand where the "ssh-dss" Algo resides (since it is not in the Tahoe user/bin/ssh any more)? I am trying to figure out how to point to openssh97 path to get that Algo appended? Any help would be greatly appreciated.

Also you can chain the command in one line :

docker run -it --rm alpine:3.10 /bin/sh -c "apk add openssh;ssh -o PubkeyAcceptedKeyTypes=+ssh-dss -o HostKeyAlgorithms=+ssh-dss root@192.168.1.17"