macOS Sierra and APICs (SSH)
I upgraded my laptop to macOS Sierra last night and then was greeted by a fun new error when logging into an APIC:
MacBook-Pro:~ Carl$ ssh -l carl 1.1.1.1
Unable to negotiate with 1.1.1.1 port 22: no matching host key type found. Their offer: ssh-dss
Boo! Seems bad, yeah? Well, it is. Please see this lovely bug here. So more or less this is not impactful, just not so secure. OpenSSH 7.0 deprecated ssh-dss due to its “inherent weakness.” I am not all up to speed with fancy crypto stuff so I will just believe them. In the meantime, until ACI gets on the gravy train with newer/better host key algorithms, I’ve still got to SSH to stuff. A quick jaunt around Google and the answer is pretty apparent: you can simply allow the ssh-dss host key algorithm on your SSH command line, straight from your terminal, like so:
MacBook-Pro:~ Carl$ ssh -oHostKeyAlgorithms=+ssh-dss -l carl 1.1.1.1
Kinda a PITA to type huh? If you want to be super lazy, you can edit your ssh config file to always use ssh-dss for a particular host (or * for all hosts if you are feeling frisky) like so:
Host 1.1.1.1
HostkeyAlgorithms +ssh-dss
That file may or may not exist for you, but should live at ~/.ssh/config. This should just use the ssh-dss algorithm as a last resort, as far as I understand.
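Because the config-file form can be scoped to a single host or to * for everything, here is an added example (not part of the original post) that lists which Host blocks in an ssh config re-enable ssh-dss and flags the ones with wildcard scope. The sample config and the function names enables_dss and dss_scopes are constructed for illustration, and Match blocks are not handled.

```python
import re
from fnmatch import fnmatchcase

# Constructed sample ~/.ssh/config for illustration (not from the original post).
SAMPLE_CONFIG = """\
# APIC that only offers a DSA host key
Host 1.1.1.1
    HostkeyAlgorithms +ssh-dss

Host bastion
    User carl
    HostKeyAlgorithms -ssh-dss

Host *
    HostKeyAlgorithms=+ssh-rsa,ssh-dss
"""

def enables_dss(value):
    """True if a HostKeyAlgorithms value adds or sets ssh-dss."""
    value = value.strip()
    if value.startswith("-"):        # '-' removes algorithms from the default set
        return False
    names = value.lstrip("+^").split(",")
    # entries may be wildcard patterns, so match rather than compare
    return any(fnmatchcase("ssh-dss", n.strip()) for n in names)

def dss_scopes(config_text):
    """Return [(host_patterns, is_broad)] for each Host block that enables ssh-dss."""
    # Hypothetical helper: handles Host blocks only, Match blocks are not modelled.
    findings = []
    scope = ["*"]                    # options before any Host line apply to all hosts
    for raw in config_text.splitlines():
        m = re.match(r"\s*(\w+)[\s=]+(.*)", raw)   # "Keyword value" or "Keyword=value"
        if not m:
            continue                 # blank line or comment
        keyword, value = m.group(1).lower(), m.group(2).strip()
        if keyword == "host":
            scope = value.split()
        elif keyword == "hostkeyalgorithms" and enables_dss(value):
            broad = any(("*" in p or "?" in p) and not p.startswith("!") for p in scope)
            findings.append((" ".join(scope), broad))
    return findings

if __name__ == "__main__":
    for patterns, broad in dss_scopes(SAMPLE_CONFIG):
        print(("BROAD  " if broad else "scoped ") + patterns)
```

To check a real file, pass the contents of ~/.ssh/config to dss_scopes instead of the sample.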
I’ll update this if I find anything else, or if newer versions of code support new algorithms. For what it’s worth, this was tested on ACI 2.0(1o) and macOS Sierra 10.12.