SFTP connection issues from macOS Sierra

MacOS Sierra includes an updated version of OpenSSH, the software Transmit 4 uses to connect to SFTP servers. OpenSSH in macOS Sierra disables certain insecure features, which could lead to new connection failures.

If you encounter an error like “no matching host key type found” when Transmit attempts to connect, you will need to modify your SSH settings. The full error looks something like this:

“Unable to negotiate with host.example.org port 22: no matching host key type found. Their offer: ssh-dss”.

The error may vary slightly in some cases. Check the transcript log for details. (Choose Transcript from the Window menu to view the transcript log.)

DSA Keys Are No Longer Considered Secure

In the process of negotiating an SSH connection, the server and client must prove their identities, in this case using keys.

DSA keys are disabled by default in macOS Sierra, as they are no longer considered secure.

ECDSA, ED25519, and RSA (2048-bit and larger) keys are secure alternatives.

Generate New, Secure Keys

If you are getting this “no matching host key type found” error, you’ll need to generate and install new, secure host keys on your server. We recommend ECDSA or RSA keys for maximum compatibility.

ECDSA Key

To generate an ECDSA key, use the following command in a Terminal window:

ssh-keygen -f /etc/ssh/ssh_host_ecdsa_key -N '' -t ecdsa -b 521

RSA Key

To generate an RSA key, use this command:

ssh-keygen -f /etc/ssh/ssh_host_rsa_key -N '' -t rsa -b 4096

If You Must Use Insecure DSA Keys

We highly recommend re-generating server host keys rather than accommodating insecure DSA keys. If you do not have admin access to your server, contact your server administrator and encourage them to generate new keys. If you do not have admin access to your server, and you cannot contact someone who does, it is possible to allow insecure DSA keys on a per-server basis. Open your ~/.ssh/config file in a text editor and add the following:

Host host.example.org
	HostKeyAlgorithms +ssh-dss

More information about supporting obsolete keys can be found on the OpenSSH legacy page.

Help us improve this article!

Note: this form is not for reporting bugs. Report bugs here!