最近Fedora33上配置ssh连接到gitee出现错误:
Permission denied (publickey)
查看具体信息:
$ ssh -vT git@gitee.com
OpenSSH_8.4p1, OpenSSL 1.1.1i FIPS 8 Dec 2020
...
debug1: Connecting to gitee.com [212.64.62.183] port 22.
debug1: Connection established.
...
debug1: Local version string SSH-2.0-OpenSSH_8.4
debug1: Remote protocol version 2.0, remote software version Basalt-3.0.0
debug1: no match: Basalt-3.0.0
debug1: Authenticating to gitee.com:22 as 'git'
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: algorithm: curve25519-sha256@libssh.org
debug1: kex: host key algorithm: ecdsa-sha2-nistp256
debug1: kex: server->client cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none
debug1: kex: client->server cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none
debug1: kex: curve25519-sha256@libssh.org need=64 dh_need=64
debug1: kex: curve25519-sha256@libssh.org need=64 dh_need=64
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
...
debug1: send_pubkey_test: no mutual signature algorithm
...
git@gitee.com: Permission denied (publickey).
怀疑是升级后OpenSS版本太新,有一些协议变动导致出错。
关键信息是最后一个debug信息: no mutual signature algorithm(没有互签名算法)
跳到官网信息:
Future deprecation notice
It is now possible[1] to perform chosen-prefix attacks against the SHA-1 hash algorithm for less than USD$50K. For this reason, we will be disabling the "ssh-rsa" public key signature algorithm that depends on SHA-1 by default in a near-future release.
This algorithm is unfortunately still used widely despite the existence of better alternatives, being the only remaining public key signature algorithm specified by the original SSH RFCs.
机器翻译:
未来弃用通知
========================现在可以[1]对SHA-1哈希算法的费用低于5万美元。 因此,我们将禁用“ ssh-rsa”公钥签名算法,该算法取决于在近期版本中,默认情况下在SHA-1上使用。
不幸的是,尽管存在更好的替代方案,是唯一剩下的公钥原始SSH RFC指定的签名算法。
SHA-1这算法要费用??所以禁用ssh-rsa签名算法??
看不懂,所以直接换一个签名算法。先到gitee看看它支持什么:
支持以 'ssh-rsa', 'ssh-dss', 'ssh-ed25519', 'ecdsa-sha2-nistp256', 'ecdsa-sha2-nistp384' or 'ecdsa-sha2-nistp521' 开头
所以调选一个除了ssh-rsa的签名算法然后生成新的密钥,例如
ssh-keygen -t ed25519 -C "your_email@example.com"
剩下的就是官方指导了。
#############################################################################
网上其他解决方案都不是最恰当的:
1 - 修改配置
sudo gedit /etc/ssh/sshd_config
PermitRootLogin prohibit-password to PermitRootLogin yes
PasswordAuthentication no to PasswordAuthentication yes
2 - 硬要用过时的rsa
ssh -o 'PubkeyAcceptedKeyTypes +ssh-rsa' hostname