How to Fix SSH Not Working on MacOS Ventura / Sonoma
Some Mac users have discovered that SSH is not working on their Mac since updating to macOS Ventura 13 or newer, including Sonoma. Typically they’ll see an error message when attempting to ssh into another server along the lines of “no matching host key type found. Their offer: ssh-rsa”.
The apparent reason for this issue is that the version of OpenSSH that ships with macOS Ventura disables the ssh-rsa signature algorithm (RSA signatures that use the SHA-1 hash) by default. You can therefore resolve the problem either by using a more secure hash or by simply allowing ssh-rsa signatures again. We’ll show you how to do the latter, which re-enables the weaker SHA-1-based signatures.
We’re going to use nano because it’s easy and user friendly, but you’re welcome to use vi/vim or whichever text editor you prefer.
How to Fix SSH Not Working with RSA Signatures on macOS Sonoma / Ventura
We’re going to modify the ssh_config file to allow RSA host keys again. Here’s how to do this.
Open the Terminal (via Spotlight or through the Utilities folder) and enter the following command string:
sudo nano /etc/ssh/ssh_config
You’ll need to authenticate with the admin password.
Scroll all the way to the bottom of the ssh_config file and then add the following lines to the bottom of ssh_config:
HostkeyAlgorithms +ssh-rsa
PubkeyAcceptedAlgorithms +ssh-rsa
Hit Control+O to save, and Control+X to exit.
Try using SSH to connect to a server with RSA keys again; it should work as intended.
While you’re at the command line, you can always enable ssh from Terminal as well if you’d like, allowing for inbound ssh connections to your Mac. For example, maybe you want to remotely access your Mac from the command line from an iPad or another computer, and this would allow for that.
This error can appear even after confirming that SSH is turned on for macOS. That setting shouldn’t have any impact on outbound ssh connections anyway, but some users report that it has resolved their difficulties, so try that too. It would obviously make a difference if the computer you’re trying to connect to is a Mac running SSH, since some Mac users have found that SSH is disabled by default in macOS Ventura and macOS Sonoma even if it was enabled before they updated system software.
Your method of adding two lines into /etc/ssh/ssh_config solved my problems with ssh on Ventura. But I just updated my mac to Sonoma and ssh is not working again and adding the two lines in /etc/ssh/ssh_config doesn’t solve the problem. Do you have any other suggestions? Thanks.
The same fix works for some macOS Sonoma users, but there are also known issues with SSH on Sonoma
https://discussions.apple.com/thread/255163011
Frustrating, I know. Some SSH connections will timeout.
It may help to file a bug report with Apple.
Tried this still unable to ssh to this Ventura box
Tried this still unable to ssh to this stupid Ventura box
This article should warn that by following its example, you are weakening the security of your SSH connections. RSA signatures have not been disabled in the Ventura update; only weak RSA signatures that use the SHA-1 hash mechanism have. RSA signatures are still present in the form of stronger SHA2-based signatures.
However, the error suggests that the server you are connecting to is so old and out-of-date that it does not implement these new signature types. That itself is a warning too. Get the server patched to avoid the error in the first place.
May I suggest it is better to leave your /etc/ssh/ssh_config file alone and instead create a file within /etc/ssh/ssh_config.d/ (the convention is to call it something like 100.enable-rsa) with the desired commands. That way if you make any mistakes — or the SSH server you’re using is updated to use a more secure encryption algorithm — you can simply delete /etc/ssh/ssh_config.d/100.enable-rsa. Also, any MacOS upgrades that change the default settings in /etc/ssh/ssh_config are less likely to cause issues.
To find out how this works, you can read the comments for the Include directive in /etc/ssh/ssh_config:
# This Include directive is not part of the default ssh_config shipped with
# OpenSSH. Options set in the included configuration files generally override
# those that follow. The defaults only apply to options that have not been
# explicitly set. Options that appear multiple times keep the first value set,
# unless they are a multivalue option such as IdentityFile.
Include /etc/ssh/ssh_config.d/*
I did what was said in the above article. How do I revert the changes I made?
I made the change and I want to revert it. How do I do that?
You can also add this to a specific user’s ~/.ssh/config like so:
Host *
HostkeyAlgorithms +ssh-rsa
PubkeyAcceptedAlgorithms +ssh-rsa
In fact, probably the best approach if you need to do this is to scope it to only specific hosts like so:
Host some.host.name
HostkeyAlgorithms +ssh-rsa
PubkeyAcceptedAlgorithms +ssh-rsa
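Added example (not part of the comments or the original article): a shell function that lists every line in the given ssh_config files that re-enables ssh-rsa and reports whether it applies to all hosts or only to a named Host block. The same output shows which lines to delete when reverting the change. The function name audit_ssh_rsa and the sample config are constructed for illustration.

```shell
#!/bin/sh
# Added example: find where a client config re-enables ssh-rsa and how widely.
# Does not follow Include lines; pass every file you want checked.
audit_ssh_rsa() {
  awk '
    FNR == 1 { scope = "(global)" }          # each file starts outside any Host block
    {
      line = $0
      sub(/^[ \t]+/, "", line); sub(/[ \t\r]+$/, "", line)
      if (line == "" || line ~ /^#/) next    # skip blanks and comments
      if (!match(line, /[ \t=]+/)) next      # keyword ends at whitespace or "="
      key = tolower(substr(line, 1, RSTART - 1))
      val = substr(line, RSTART + RLENGTH)
      if (key == "host" || key == "match") { scope = line; next }
      if (key != "hostkeyalgorithms" && key != "pubkeyacceptedalgorithms") next
      if (val ~ /^-/) next                   # a leading "-" removes algorithms
      sub(/^[+^]/, "", val)                  # "+" appends, "^" prepends
      n = split(val, algs, ",")
      for (i = 1; i <= n; i++) if (algs[i] == "ssh-rsa") {
        s = tolower(scope)
        wide = (s == "(global)" || s ~ /^host[ \t=]+\*$/ || s ~ /^match[ \t]+all$/)
        printf "%s:%d\t%s\t%s\n", FILENAME, FNR, (wide ? "ALL-HOSTS" : "SCOPED"), scope
        break
      }
    }' "$@"
}

# Constructed sample config (host names are placeholders, not real servers).
sample_config() {
  cat <<'EOF'
# global section
HostkeyAlgorithms +ssh-rsa
Host some.host.name
    HostkeyAlgorithms +ssh-rsa
    PubkeyAcceptedAlgorithms=+ssh-rsa
Host *
    PubkeyAcceptedAlgorithms +ssh-rsa,rsa-sha2-512
Host modern.example
    HostKeyAlgorithms -ssh-rsa
    PubkeyAcceptedAlgorithms rsa-sha2-256,ssh-ed25519
EOF
}

# Usage on a Mac: audit_ssh_rsa /etc/ssh/ssh_config ~/.ssh/config
```

Lines reported as ALL-HOSTS are the ones that weaken every outbound connection; SCOPED lines only affect the named host.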
Thanks to OSXDaily for writing this article so I could find it during my Google search, and to commenters Lee, Damon and Nate for providing more secure ways to get the job done and good advice about updating the host as being the best solution. Appreciate it all
I understand your instructions for “How to Fix SSH Not Working on MacOS Ventura”
I do not understand whether I, as a typical user, even need to do this. Will something bad happen if I do this fix “just to be safe?”
MacBook Air 2020
OS Ventura 13.1
Thank you.
As a typical user you should not do this. The only circumstance where a user should consider doing this is if an SSH server with which they need to connect is using an older, insecure encryption algorithm, causing the error cited in the article. Even in this situation, the better approach is to update the SSH server so that it uses a more contemporary, secure encryption algorithm.