ECDSA ssh key on 10.8.2

I used ssh-keygen -t ecdsa to generate an ECDSA key, but I got the error unknown key type ecdsa.

man ssh-keygen says:

 -t type
         Specifies the type of key to create.  The possible values are ``rsa1''
         for protocol version 1 and ``dsa'', ``ecdsa'' or ``rsa'' for
         protocol version 2.

Does anyone have any insight on this?


Solution 1:

The manpage describes the ability to generate ECC keys because the version of OpenSSH 5.9p1 (the version that comes with Mountain Lion) can potentially support ECC. However, the actual build of OpenSSH that came bundled with Mountain Lion appears to lack ECC support[1]. The manpages are not modified when ECC support is not included in the compiled binaries.

If you want or need ECC support, you could use MacPorts (or probably Homebrew) to install a build of OpenSSH that does support ECC. You might run into some incompatibilities though:

  • the bundled ssh-agent (started automatically by launchd) will not be able to handle any ECC keys (you would have to start your own instance of the “custom”-built agent, or type your password each time you use an ECC key with the “custom”-built ssh), and
  • the “custom”-built tools will not have Apple’s patched-in Keychain integration.

[1] OpenSSH’s configure script does some checks to make sure that the available OpenSSL library is new enough and includes various bits of ECC functionality; the bundled version of OpenSSL seems to satisfy these requirements. I am not sure why the bundled version of OpenSSH was built without ECC support.
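A way to check what the installed build actually supports rather than trusting its manpage, as an added example (not code from the answer above). It assumes a POSIX sh with ssh, ssh-keygen and openssl looked up on PATH, and probes by generating a throwaway key in a temp directory:

```shell
#!/bin/sh
# Added example (not from the original answer): find out whether the installed
# OpenSSH build really supports ECDSA instead of trusting its manpage.
# Assumes a POSIX sh; ssh, ssh-keygen and openssl are looked up on PATH.

# Classify ssh-keygen's stderr from an ECDSA attempt: "unsupported" when the
# build rejects the key type, "supported" otherwise.
classify_keygen_stderr() {
    case "$1" in
        *"unknown key type"*) echo unsupported ;;
        *)                    echo supported ;;
    esac
}

# Return 0 if ECDSA keys can be generated, 1 if the build lacks ECC,
# 2 if ssh-keygen is not installed at all.
probe_ecdsa_support() {
    command -v ssh-keygen >/dev/null 2>&1 || return 2
    # Newer OpenSSH can simply be asked (ssh -Q key); older builds such as
    # 5.9p1 lack -Q, so fall through to an actual key-generation attempt.
    if ssh -Q key 2>/dev/null | grep -q '^ecdsa-sha2-'; then
        return 0
    fi
    tmp=$(mktemp -d) || return 2
    # Capture stderr only; the throwaway key lands in the temp dir.
    err=$(ssh-keygen -q -t ecdsa -b 256 -N '' -f "$tmp/probe" 2>&1 >/dev/null)
    rc=$?
    rm -rf "$tmp"
    [ "$rc" -eq 0 ] && [ "$(classify_keygen_stderr "$err")" = supported ]
}

# Does the OpenSSL on PATH expose EC curves? (The answer notes the bundled
# OpenSSL passes OpenSSH's configure checks even where ssh-keygen lacks ECC.)
openssl_has_ec() {
    command -v openssl >/dev/null 2>&1 || return 2
    openssl ecparam -list_curves 2>/dev/null | grep -q 'prime256v1'
}

report() {
    probe_ecdsa_support
    case $? in
        0) echo "ssh-keygen: ECDSA supported" ;;
        1) echo "ssh-keygen: ECDSA NOT supported by this build (manpage notwithstanding)" ;;
        *) echo "ssh-keygen: not found on PATH" ;;
    esac
    if openssl_has_ec; then echo "openssl: EC curves available"
    else echo "openssl: EC curves missing or openssl not found"; fi
}

report
```

A build that reports ECDSA support from ssh-keygen can still fail at the agent step the answer describes, since the launchd-started ssh-agent is a separate binary.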

Solution 2:

There are potential patent issues with Elliptic Curve crypto so a lot of vendors chicken out on supporting it for now. It appears to be available in the OSX OpenSSL installation, though, so you'll just need to compile OpenSSH on your own.