Making MacSSH work with current OpenSSH servers

The OpenSSH team has a habit of turning off ciphers/features every few releases. The rationale behind this decision is open to debate (this breaks compatibility with Cisco switches, for example), but so far they are only disabling by default rather than removing.

So long as it’s just disabled, it’s easy enough to re-enable. Here’s what to tweak when trying to connect a MacSSH client to an OpenSSH server:

  • Add this to sshd_config on the server and bounce the process:

      Ciphers                         +aes256-cbc
      MACs                            +hmac-md5
      KexAlgorithms                   +diffie-hellman-group1-sha1

  • Create a profile for the server in MacSSH. You’ll want to turn compression completely off (it defaults to zlib).
  • If you’re using public key authentication, you must export the public key from MacSSH and run it through ssh-keygen thusly:

      ssh-keygen -f ${PUBLIC_KEY_FILE} -i >> ~/.ssh/authorized_keys
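
To confirm the sshd_config change took effect after the restart, compare the three algorithms above against the effective configuration printed by `sshd -T`. The script below is an added example, not part of the original post; the function names are hypothetical and the sample `sshd -T` lines are constructed.

```shell
#!/bin/sh
# Added example (not from the original post): report which of the three
# algorithms from the sshd_config step are absent from `sshd -T` output.

# Reads `sshd -T`-style lines on stdin and prints "keyword:algorithm" for each
# required algorithm missing from the effective list (nothing if all are present).
missing_legacy_algos() {
    awk '
        BEGIN {
            want["ciphers"]       = "aes256-cbc"
            want["macs"]          = "hmac-md5"
            want["kexalgorithms"] = "diffie-hellman-group1-sha1"
        }
        (tolower($1) in want) {
            key = tolower($1)
            # Compare whole comma-separated entries, so hmac-md5-96 or
            # hmac-md5-etm@openssh.com is not mistaken for hmac-md5.
            n = split($2, algos, ",")
            for (i = 1; i <= n; i++)
                if (algos[i] == want[key]) found[key] = 1
        }
        END {
            for (key in want)
                if (!(key in found)) print key ":" want[key]
        }
    ' | sort
}

# Constructed sample: MACs was extended with the wrong name.
sample_partial() {
    cat <<'EOF'
port 22
ciphers chacha20-poly1305@openssh.com,aes256-ctr,aes256-cbc
macs hmac-sha2-256-etm@openssh.com,hmac-sha2-256,hmac-md5-etm@openssh.com
kexalgorithms curve25519-sha256,diffie-hellman-group14-sha256,diffie-hellman-group1-sha1
EOF
}

# Constructed sample: all three additions took effect.
sample_complete() {
    cat <<'EOF'
ciphers chacha20-poly1305@openssh.com,aes256-ctr,aes256-cbc
macs hmac-sha2-256-etm@openssh.com,hmac-sha2-256,hmac-md5
kexalgorithms curve25519-sha256,diffie-hellman-group1-sha1
EOF
}

sample_partial | missing_legacy_algos    # prints: macs:hmac-md5
# On a real server (as root): sshd -T | missing_legacy_algos
```

Empty output means all three algorithms are in the server's effective lists.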

That should do it. At some point I may hack a more current version of lsh into MacSSH to add new ciphers into the suite, but this works for now.

About Chris Kobayashi

I'm a security systems engineer, specializing in UNIX, network, and physical security. I'm in Tokyo, and I'm mostly retired now. I'm well-versed in both electrical and software engineering, with a particular interest in old computers and game consoles. You can contact me here.