ssh-rsa in macOS Ventura

I updated macOS to Ventura and… I couldn’t log in to the server because my SSH key was rejected.

After upgrading to macOS 13.0 Ventura, I found myself locked out of my server when trying to log in via SSH. My initial thought? "Someone deleted my key." Thankfully, the issue was far less dramatic—Ventura’s version of OpenSSH disables support for RSA keys by default.

```plaintext
debug1: SSH2_MSG_NEWKEYS received
...
debug1: Offering public key: /Users/piotr/.ssh/id_rsa RSA
...
user@server: Permission denied (publickey).
```

Restoring RSA Key Support

The best long-term solution is to switch to a more secure algorithm, like Ed25519, which is recommended as of this writing. However, when this isn’t immediately feasible, you can re-enable RSA key support by adding the following lines to your SSH configuration:

```plaintext
HostKeyAlgorithms +ssh-rsa
PubkeyAcceptedAlgorithms +ssh-rsa
```

Updating Your SSH Configuration

You can place the configuration in one of two files:

  1. Global Configuration: /etc/ssh/ssh_config (requires admin privileges and applies system-wide).
  2. User-Specific Configuration: ~/.ssh/config (recommended for per-user customization).

For convenience and portability, I chose to update my local configuration at ~/.ssh/config. This way, I don’t have to worry about system updates overwriting my settings, and it’s easier to migrate the configuration to a new machine.

Example Configuration File

Here’s what your ~/.ssh/config might look like after the change:

```plaintext
Host *
    HostKeyAlgorithms +ssh-rsa
    PubkeyAcceptedAlgorithms +ssh-rsa
```
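
A `Host *` block applies the override to every server you connect to, so it is worth confining ssh-rsa to the hosts that still need it. The following is an added example, not code from the original post: a shell function that lists where a config file re-enables ssh-rsa and whether each block is wide (all hosts) or scoped; the names `audit_ssh_rsa` and `sample_config` and the host `legacy-box` are made up for illustration.

```shell
# Added example: report where an ssh_config-style file re-enables ssh-rsa.
# Prints "<reach> <keyword> <block>"; reach is "wide" (every host) or "scoped".
audit_ssh_rsa() {
    awk '
    BEGIN { block = "(before first Host)"; wide = 1 }  # early options hit all hosts
    /^[ \t]*#/ || /^[ \t]*$/ { next }                  # comments and blank lines
    {
        line = $0
        sub(/^[ \t]+/, "", line)
        n = match(line, /[ \t=]/)                      # keyword ends at space or "="
        if (n == 0) next
        key = tolower(substr(line, 1, n - 1))          # keywords are case-insensitive
        val = substr(line, n)
        sub(/^[ \t]*=?[ \t]*/, "", val)
        sub(/[ \t]+$/, "", val)
        gsub(/"/, "", val)
        if (key == "host" || key == "match") {
            block = substr(line, 1, n - 1) " " val
            wide = 0
            m = split(val, pat, /[ \t]+/)
            for (i = 1; i <= m; i++)
                if ((key == "host" && pat[i] == "*") ||
                    (key == "match" && tolower(pat[i]) == "all")) wide = 1
            next
        }
        if (key != "hostkeyalgorithms" && key != "pubkeyacceptedalgorithms" &&
            key != "pubkeyacceptedkeytypes") next      # last one is the older name
        if (substr(val, 1, 1) == "-") next             # "-" removes algorithms
        sub(/^[+^]/, "", val)                          # "+" appends, "^" prepends
        reach = wide ? "wide" : "scoped"
        m = split(val, alg, ",")
        for (i = 1; i <= m; i++)
            if (alg[i] == "ssh-rsa") print reach, key, block
    }' "$@"
}

# Constructed sample config (legacy-box is a placeholder host alias).
sample_config() {
cat <<'EOF'
Host legacy-box
    HostKeyAlgorithms +ssh-rsa
    PubkeyAcceptedAlgorithms +ssh-rsa
Host *
    HostkeyAlgorithms +ssh-rsa
    PubkeyAcceptedAlgorithms +ssh-rsa
EOF
}

sample_config | audit_ssh_rsa
```

Run it as `audit_ssh_rsa ~/.ssh/config`; any line reported as wide is a candidate for moving under a `Host` block that names only the legacy server.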
