Apple - Did Mojave break SSH login?

1. SSH key bit length

Is your SSH key bit length > 2048? You can use this command to confirm.

$ ssh-keygen -lf ~/.ssh/id_rsa.pub
4096 SHA256:0f7e9153ec1edf81c224fec24c76d3ab1be7010e [email protected] (RSA)

If it's less, macOS will refuse to allow it.

2. Cipher Suite Support

You should also investigate, from the client where you're running SSH, which cipher suites are being presented to your laptop's SSH server. You can do this using ssh -vvvv ...., and you can see what ciphers are available on your client like so:

$ ssh -Q cipher
3des-cbc
aes128-cbc
aes192-cbc
aes256-cbc
rijndael-cbc@lysator.liu.se
aes128-ctr
aes192-ctr
aes256-ctr
aes128-gcm@openssh.com
aes256-gcm@openssh.com
chacha20-poly1305@openssh.com

You'll also want to investigate several other components of the cipher suite.

  • Ciphers: ssh -Q cipher
  • MACs: ssh -Q mac
  • KexAlgorithms: ssh -Q kex
  • PubkeyAcceptedKeyTypes: ssh -Q key

Here are the man page's details on -Q as well:

 -Q query_option
         Queries ssh for the algorithms supported for the specified version 2.  The available features
         are: cipher (supported symmetric ciphers), cipher-auth (supported symmetric ciphers that sup-
         port authenticated encryption), mac (supported message integrity codes), kex (key exchange
         algorithms), key (key types), key-cert (certificate key types), key-plain (non-certificate
         key types), and protocol-version (supported SSH protocol versions).

3. IPQoS

There have been reports from newer versions of OpenSSH pertaining to connectivity issues. I've found these as examples:

  • SSH fails on macOS Mojave 10.14.1
  • OpenSSH 7.8 causes VMware Workstation and Player networking SSH bug on Linux VMs #287
  • SSH connections dropped due to QoS flags

The workaround requires adding the following to your ~/.ssh/config:

$ cat ~/.ssh/config
...
...
Host *
  IPQoS throughput

I've seen variations of this, so you may need to try low instead of throughput. You can consult man ssh_config for more details; here's the excerpt for that option:

 IPQoS   Specifies the IPv4 type-of-service or DSCP class for connections.  Accepted values are af11,
         af12, af13, af21, af22, af23, af31, af32, af33, af41, af42, af43, cs0, cs1, cs2, cs3, cs4,
         cs5, cs6, cs7, ef, lowdelay, throughput, reliability, a numeric value, or none to use the
         operating system default.  This option may take one or two arguments, separated by white-
         space.  If one argument is specified, it is used as the packet class unconditionally.  If two
         values are specified, the first is automatically selected for interactive sessions and the
         second for non-interactive sessions.  The default is af21 (Low-Latency Data) for interactive
         sessions and cs1 (Lower Effort) for non-interactive sessions.

You can of course pass it via CLI like so as well:

$ ssh -o IPQoS=throughput [email protected]

If you find you're not having any luck with the above, you may want to try this form instead:

Host *
     IPQoS lowdelay throughput

Several threads mention this form working as well.

References

  • ssh man page
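
The comparison described in section 2, as an added example that is not part of the original answer: it reads ssh debug output and prints the algorithms that appear in both the client's and the server's KEXINIT proposals. The function names and the sample debug lines are constructed for illustration; the line layout assumed is the one OpenSSH prints at -vv and above.

```shell
#!/bin/sh
# Constructed sample of `ssh -vv` debug output (not captured from a real host).
SAMPLE_DEBUG='debug2: local client KEXINIT proposal
debug2: KEX algorithms: curve25519-sha256,diffie-hellman-group14-sha256
debug2: ciphers ctos: chacha20-poly1305@openssh.com,aes128-ctr,aes256-ctr
debug2: MACs ctos: hmac-sha2-256,hmac-sha2-512
debug2: peer server KEXINIT proposal
debug2: KEX algorithms: diffie-hellman-group14-sha256,diffie-hellman-group1-sha1
debug2: ciphers ctos: aes256-ctr,aes128-cbc,3des-cbc
debug2: MACs ctos: hmac-md5,hmac-sha1'

# common_algos FIELD (hypothetical helper): read ssh debug output on stdin
# and print, in client preference order, the comma-separated algorithms of
# FIELD that both the local and the peer proposal contain.
common_algos() {
  awk -v field="$1" '
    /local client KEXINIT proposal/ { side = "client" }
    /peer server KEXINIT proposal/  { side = "server" }
    {
      prefix = "debug2: " field ": "
      # Only accept the field once we know whose proposal we are inside.
      if (side != "" && index($0, prefix) == 1)
        list[side] = substr($0, length(prefix) + 1)
    }
    END {
      n = split(list["client"], c, ",")
      m = split(list["server"], s, ",")
      for (i = 1; i <= m; i++) offered[s[i]] = 1
      out = ""
      for (i = 1; i <= n; i++)
        if (c[i] in offered) out = out (out == "" ? "" : ",") c[i]
      print out
    }'
}

# report DEBUG_TEXT (hypothetical helper): summarise the overlap per field.
# An empty cipher or KEX overlap means the handshake cannot complete.
report() {
  for f in "KEX algorithms" "ciphers ctos" "MACs ctos"; do
    common=$(printf '%s\n' "$1" | common_algos "$f")
    printf '%-16s %s\n' "$f:" "${common:-(none in common)}"
  done
}

report "$SAMPLE_DEBUG"
```

ssh writes its debug lines to stderr, so redirect with 2>&1 before piping a real session into common_algos. An empty MAC overlap only matters when the selected cipher is not an authenticated one such as the -gcm or chacha20-poly1305 entries.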
