
ssh-keygen and rsa Keys



	After upgrading a Mac to Sierra, which is their newest
version of Mac OS X, I discovered that I could no longer ssh
without a password in either direction from the Mac to a Debian
system or vice versa. I first thought the system key had changed
but it hadn't.

	The short story is that the Mac now uses openssh-7
instead of openssh-6. DSA encryption keys have been declared
obsolete for some time now and openssh-7 defaults to ignoring
any id_dsa.pub keys you might have been using.

	The sky is not falling, however. All you have to do to
make things start working as before is generate new RSA keys all
around.

	The procedure is identical to the DSA key procedure and
you get a public and private key pair, one of which is id_rsa.pub,
which you install in the authorized_keys file on the remote
system, and life is beautiful again.

	Actually, RSA keys have been in use since the late
seventies, but they were encumbered by patent restrictions, so the
DSA key came about in the nineties with no licensing issues for
key-generating software, so open-source and other systems began
using DSA keys.

	The information I have read while doing research to solve
the problem basically says that DSA and RSA keys perform about as
well, with each having slight advantages. RSA keys can be made for
different lengths and default to 2048 bits, making them harder to
crack via brute force. The patents expired some time ago, so as
more systems go to openssh-7, you will find more systems that
won't like your old DSA keys.

	This is not really an Apple or a Debian issue, so as time
goes by, there will be more times when an RSA key is needed.

	I am running Debian wheezy plus I have a very old Linux
installation dating back to 2009 and all systems are perfectly
happy using RSA keys now.

	The only thing I noticed was that the old Debian system
took several seconds to generate the new RSA key. The wheezy
system generated an RSA key as fast as I could buzz through the
two input fields for a password, which I didn't need this time.

Martin
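
An added example, not part of the message above: a small audit that lists the key type of every entry in an authorized_keys file and counts the ssh-dss (DSA) entries that openssh-7 ignores by default, so you know which ones need an RSA replacement. The function names, the sample file contents and the host names in it are constructed for illustration.

```shell
#!/bin/sh
# Added example: report the key type of each authorized_keys entry and
# flag ssh-dss (DSA) entries, which openssh-7 ignores by default.

# Print "<line-number> <key-type> <comment>" for each key entry.
# An entry may begin with an options field (from="...", command="..."),
# so look for the first field that is a key-type token instead of using $1.
list_key_types() {
    awk '
        /^[ \t]*(#|$)/ { next }              # skip comments and blank lines
        {
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^(ssh-dss|ssh-rsa|ssh-ed25519|ecdsa-sha2-[a-z0-9-]+)$/) {
                    print NR, $i, (i + 2 <= NF ? $(i + 2) : "-")
                    next
                }
            }
            print NR, "unknown", "-"         # no recognisable key type
        }
    ' "$1"
}

# Count the entries that need replacing with an RSA key.
count_dss_entries() {
    list_key_types "$1" | awk '$2 == "ssh-dss" { n++ } END { print n + 0 }'
}

# Constructed sample file; the key blobs are placeholders, not real keys.
make_sample() {
    cat > "$1" <<'EOF'
# laptop keys
ssh-dss AAAAB3PLACEHOLDERDSA martin@oldmac
ssh-rsa AAAAB3PLACEHOLDERRSA martin@wheezy

from="192.0.2.10" ssh-dss AAAAB3PLACEHOLDERDSA2 backup@host
EOF
}

sample=$(mktemp)
make_sample "$sample"
list_key_types "$sample"
echo "DSA entries to replace: $(count_dss_entries "$sample")"
rm -f "$sample"

# Replacement key (run on the client, then append id_rsa.pub to
# authorized_keys on the remote system); -b 2048 spells out the default:
#   ssh-keygen -t rsa -b 2048 -f ~/.ssh/id_rsa
```

Point `list_key_types` at a real `~/.ssh/authorized_keys` on each system to see which entries are still DSA before removing them.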

