最近Fedora33上配置ssh连接到gitee出现错误：

Permission denied (publickey)

查看具体信息： 

$ ssh -vT git@gitee.com
OpenSSH_8.4p1, OpenSSL 1.1.1i FIPS  8 Dec 2020
...
debug1: Connecting to gitee.com [212.64.62.183] port 22.
debug1: Connection established.
...
debug1: Local version string SSH-2.0-OpenSSH_8.4
debug1: Remote protocol version 2.0, remote software version Basalt-3.0.0
debug1: no match: Basalt-3.0.0
debug1: Authenticating to gitee.com:22 as 'git'
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: algorithm: curve25519-sha256@libssh.org
debug1: kex: host key algorithm: ecdsa-sha2-nistp256
debug1: kex: server->client cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none
debug1: kex: client->server cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none
debug1: kex: curve25519-sha256@libssh.org need=64 dh_need=64
debug1: kex: curve25519-sha256@libssh.org need=64 dh_need=64
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
...
debug1: send_pubkey_test: no mutual signature algorithm
...
git@gitee.com: Permission denied (publickey).

怀疑是升级后OpenSS版本太新，有一些协议变动导致出错。

关键信息是最后一个debug信息： no mutual signature algorithm（没有互签名算法）

谷歌搜到 https://confluence.atlassian.com/bitbucketserverkb/ssh-rsa-key-rejected-with-message-no-mutual-signature-algorithm-1026057701.html

跳到官网信息：

Future deprecation notice

It is now possible[1] to perform chosen-prefix attacks against the SHA-1 hash algorithm for less than USD$50K. For this reason, we will be disabling the "ssh-rsa" public key signature algorithm that depends on SHA-1 by default in a near-future release.

This algorithm is unfortunately still used widely despite the existence of better alternatives, being the only remaining public key signature algorithm specified by the original SSH RFCs.

机器翻译：

未来弃用通知
========================

现在可以[1]对SHA-1哈希算法的费用低于5万美元。 因此，我们将禁用“ ssh-rsa”公钥签名算法，该算法取决于在近期版本中，默认情况下在SHA-1上使用。

不幸的是，尽管存在更好的替代方案，是唯一剩下的公钥原始SSH RFC指定的签名算法。 

SHA-1这算法要费用？？所以禁用ssh-rsa签名算法？？

看不懂，所以直接换一个签名算法。先到gitee看看它支持什么：

支持以 'ssh-rsa', 'ssh-dss', 'ssh-ed25519', 'ecdsa-sha2-nistp256', 'ecdsa-sha2-nistp384' or 'ecdsa-sha2-nistp521' 开头 

所以调选一个除了ssh-rsa的签名算法然后生成新的密钥，例如

ssh-keygen -t ed25519 -C "your_email@example.com"

 剩下的就是官方指导了。

#############################################################################

网上其他解决方案都不是最恰当的：

1 - 修改配置

sudo gedit /etc/ssh/sshd_config
PermitRootLogin prohibit-password to PermitRootLogin yes 
PasswordAuthentication no to PasswordAuthentication yes

2 - 硬要用过时的rsa

ssh -o 'PubkeyAcceptedKeyTypes +ssh-rsa' hostname