SSH and Ventura

This is just a heads up for those who remotely log in to their Mac using SSH and public key authentication.

The current public beta of Ventura ships with OpenSSH_9.0p1. According to the OpenSSH release notes:

This release disables RSA signatures using the SHA-1 hash algorithm
by default. This change has been made as the SHA-1 hash algorithm is
cryptographically broken, and it is possible to create chosen-prefix
hash collisions for <USD$50K

If you generated RSA keys using just ssh-keygen without specifying a key type you probably ended up with RSA signatures using the now deprecated SHA-1 hash algorithm. This will prevent you from logging in to your Mac with the public key.

A workaround is suggested in this Reddit thread: SSH in Ventura.

A better solution is to generate keys based on a more secure hash algorithm such as ed25519 which you can generate like this:

ssh-keygen -t ed25519 -C "comment"

The “comment” can be used to identify the machine on which the key was generated or anything else you want.

1 Like

Time to go an re-generate my keys for the first time in years. And now go re-upload public keys to servers all over the place. :frowning: