Fixing ssh/git failures after upgrading to macOS Ventura


If you are interested, read through the investigation; if you have no patience for it, scroll straight to the bottom for the fix.

Problem description

After upgrading macOS to Ventura, git clone failed with Permission denied (publickey). At first I suspected my key pair was broken, so I regenerated it:

ssh-keygen -t rsa -C '*****'

Generating public/private rsa key pair.
Enter file in which to save the key (/Users/rys/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /Users/rys/.ssh/id_rsa
Your public key has been saved in /Users/rys/.ssh/id_rsa.pub
The key fingerprint is:
SHA256:4Y5v1pCFjjECXyHOjsvG+Vf3uyVFG1mWIUi2HRKDXBg rys
The key's randomart image is:
+---[RSA 3072]----+
|    . ...E*Boo .=|
|  .o ..  +..= o= |
|   oo.  .. . .+  |
|   oo o....  . o |
|  . .. =So    o  |
| o o  .o= .  .   |
|  *   ...+ .. .  |
| . .  ..o . .o   |
|    .. o.   oo   |
+----[SHA256]-----+

I added the public key to GitLab, then ran ssh -Tv git.*****.com

and got Permission denied (publickey,gssapi-keyex,gssapi-with-mic). Looking closely at the log:

OpenSSH_9.0p1, OpenSSL 1.1.1q  5 Jul 2022
debug1: Reading configuration data /Users/rys/.ssh/config
debug1: /Users/rys/.ssh/config line 11: Applying options for git.****.com
debug1: Reading configuration data /opt/homebrew/etc/ssh/ssh_config
debug1: Connecting to git.*******.com [172.***.**.241] port 22.
debug1: Connection established.
debug1: identity file /Users/rys/.ssh/id_rsa type 0
debug1: identity file /Users/rys/.ssh/id_rsa-cert type -1
debug1: Local version string SSH-2.0-OpenSSH_9.0
debug1: Remote protocol version 2.0, remote software version `OpenSSH_6.6.1`
debug1: compat_banner: match: OpenSSH_6.6.1 pat OpenSSH_6.6.1* compat 0x04000002

****************************************************************

debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: algorithm: curve25519-sha256@libssh.org
debug1: kex: host key algorithm: ssh-ed25519

debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug1: SSH2_MSG_KEX_ECDH_REPLY received
debug1: Server host key: ssh-ed25519 SHA256:Jm3VAXOSYh/9zs3epg1vx/fND5E9C4M8neWw+XkXy6o

debug1: Host 'git.********.com' is known and matches the ED25519 host key.
debug1: Found key in /Users/rys/.ssh/known_hosts:1

debug1: Will attempt key: /Users/rys/.ssh/id_rsa RSA SHA256:4Y5v1pC****************VFG1mWIUi2HRKDXBg explicit

****************************************************************

# Authentication methods the server supports (publickey, gssapi-keyex, gssapi-with-mic)
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic
debug1: Next authentication method: publickey
debug1: Offering public key: /Users/rys/.ssh/id_rsa RSA SHA256:4Y5v1pC***************VFG1mWIUi2HRKDXBg explicit

****************************************************************

debug1: send_pubkey_test: no mutual signature algorithm
debug1: No more authentication methods to try.
debug1: Permission denied (publickey,gssapi-keyex,gssapi-with-mic).

Then I put the same public key on github.com:

ssh -Tv git@github.com

debug1: Local version string SSH-2.0-OpenSSH_9.0
debug1: Remote protocol version 2.0, remote software version `babeld-d975cc25`
debug1: compat_banner: no match: babeld-d975cc25
debug1: Authenticating to github.com:22 as 'git'
***********************************************
debug1: kex: algorithm: curve25519-sha256
debug1: kex: host key algorithm: ssh-ed25519

debug1: kex_input_ext_info: server-sig-algs=<
ssh-ed25519-cert-v01@openssh.com,
ecdsa-sha2-nistp521-cert-v01@openssh.com,
ecdsa-sha2-nistp384-cert-v01@openssh.com,
ecdsa-sha2-nistp256-cert-v01@openssh.com,
sk-ssh-ed25519-cert-v01@openssh.com,
sk-ecdsa-sha2-nistp256-cert-v01@openssh.com,
rsa-sha2-512-cert-v01@openssh.com,
rsa-sha2-256-cert-v01@openssh.com,
ssh-rsa-cert-v01@openssh.com,
sk-ssh-ed25519@openssh.com,
sk-ecdsa-sha2-nistp256@openssh.com,
ssh-ed25519,ecdsa-sha2-nistp521,
ecdsa-sha2-nistp384,
ecdsa-sha2-nistp256,
rsa-sha2-512,
rsa-sha2-256,
ssh-rsa>
***********************************************
Hi ********! You've successfully authenticated, but GitHub does not provide shell access.
debug1: channel 0: free: client-session, nchannels 1
Transferred: sent 4960, received 2512 bytes, in 2.6 seconds
Bytes per second: sent 1887.5, received 956.0
debug1: Exit status 1

Then I put the same public key on gitee.com:

debug1: identity file /Users/rys/.ssh/id_rsa type 0
debug1: identity file /Users/rys/.ssh/id_rsa-cert type -1
debug1: Local version string SSH-2.0-OpenSSH_9.0
debug1: Remote protocol version 2.0, remote software version `ssh-pilot-1.5.9`
debug1: compat_banner: no match: ssh-pilot-1.5.9
debug1: Authenticating to gitee.com:22 as 'git'
***********************************************
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: algorithm: curve25519-sha256@libssh.org
debug1: kex: host key algorithm: ssh-ed25519
***********************************************

Hi rys! You have successfully authenticated, but GITEE.COM does not provide shell access.
debug1: channel 0: free: client-session, nchannels 1
Transferred: sent 3128, received 2040 bytes, in 0.1 seconds
Bytes per second: sent 27818.0, received 18142.2
debug1: Exit status 0
<----------------------------- full log -------------------------->
# Phase 1: both sides confirm the protocol version and the SSH software version
OpenSSH_9.0p1, OpenSSL 1.1.1q  5 Jul 2022   
debug1: Reading configuration data /Users/rys/.ssh/config
debug1: /Users/rys/.ssh/config line 18: Applying options for gitee.com
debug1: Reading configuration data /opt/homebrew/etc/ssh/ssh_config
debug1: Connecting to gitee.com [212.64.63.215] port 22.
debug1: Connection established.
# Look up identity files; type 0 means the file was found, -1 means it was not
debug1: identity file /Users/rys/.ssh/id_rsa type 0
debug1: identity file /Users/rys/.ssh/id_rsa-cert type -1
# Version check
debug1: Local version string SSH-2.0-OpenSSH_9.0
debug1: Remote protocol version 2.0, remote software version ssh-pilot-1.5.9
debug1: compat_banner: no match: ssh-pilot-1.5.9
debug1: Authenticating to gitee.com:22 as 'git'

# Phase 2: both sides agree on the cipher, the MAC, the host key algorithm and so on.
debug1: SSH2_MSG_KEXINIT sent 
debug1: SSH2_MSG_KEXINIT received
debug1: kex: algorithm: curve25519-sha256@libssh.org
debug1: kex: host key algorithm: ssh-ed25519
debug1: kex: server->client cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none
debug1: kex: client->server cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug1: SSH2_MSG_KEX_ECDH_REPLY received
debug1: Server host key: ssh-ed25519 SHA256:+ULzij2u99B9eWYFTw1Q4ErYG/aepHLbu96PAUCoV88
# Host found in known_hosts
debug1: Host 'gitee.com' is known and matches the ED25519 host key.
debug1: Found key in /Users/rys/.ssh/known_hosts:2
debug1: rekey out after 134217728 blocks
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: rekey in after 134217728 blocks
debug1: get_agent_identities: bound agent to hostkey
debug1: get_agent_identities: agent returned 7 keys
debug1: Will attempt key: /Users/rys/.ssh/id_rsa RSA SHA256:4Y5v1pCFjjECXyHOjsvG+Vf3uyVFG1mWIUi2HRKDXBg explicit
debug1: SSH2_MSG_EXT_INFO received
-----------------------------------------------------------
# server-sig-algs: the signature algorithms the server supports
debug1: kex_input_ext_info: server-sig-algs=<
ssh-rsa,
rsa-sha2-256,
rsa-sha2-512,
ssh-dss,
ecdsa-sha2-nistp256,
ecdsa-sha2-nistp384,
ecdsa-sha2-nistp521,
sk-ecdsa-sha2-nistp256@openssh.com,
ssh-ed25519,
sk-ssh-ed25519@openssh.com,
ssh-rsa-cert-v01@openssh.com,
ssh-dss-cert-v01@openssh.com,
ecdsa-sha2-nistp256-cert-v01@openssh.com,
ecdsa-sha2-nistp384-cert-v01@openssh.com,
ecdsa-sha2-nistp521-cert-v01@openssh.com,
sk-ecdsa-sha2-nistp256-cert-v01@openssh.com,
ssh-ed25519-cert-v01@openssh.com,
sk-ssh-ed25519-cert-v01@openssh.com>
--------------------------------------------------------
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey
debug1: Next authentication method: publickey
debug1: Offering public key: /Users/rys/.ssh/id_rsa RSA SHA256:4Y5v1pCFjjECXyHOjsvG+Vf3uyVFG1mWIUi2HRKDXBg explicit
debug1: Server accepts key: /Users/rys/.ssh/id_rsa RSA SHA256:4Y5v1pCFjjECXyHOjsvG+Vf3uyVFG1mWIUi2HRKDXBg explicit
Authenticated to gitee.com ([212.64.63.215]:22) using "publickey".
debug1: channel 0: new [client-session]
debug1: Entering interactive session.
debug1: pledge: filesystem
debug1: client_input_channel_req: channel 0 rtype exit-status reply 0
Hi rys! You have successfully authenticated, but GITEE.COM does not provide shell access.
debug1: channel 0: free: client-session, nchannels 1
Transferred: sent 3128, received 2040 bytes, in 0.1 seconds
Bytes per second: sent 27818.0, received 18142.2
debug1: Exit status 0

Current state:

After the system upgrade, github.com and gitee.com still work with the RSA key pair;

only git.****.com has no matching algorithm, and negotiation fails.


Now for the key to solving the problem:

Knowing the current state, what actually happens during this process?

After the client and server establish a connection, they negotiate the encryption algorithm used for the traffic between them.

During negotiation, the client sends its encryption algorithms to the server. The server compares the client's list with its own list and selects the first algorithm that both sides support as the algorithm for the traffic.

If the client's list and the server's list have no algorithm in common, negotiation fails.

Since no suitable algorithm is available, the SSH server's algorithm configuration needs to be changed.
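The step that fails in the GitLab log is specifically the public-key signature algorithm (`send_pubkey_test: no mutual signature algorithm`). The Python model below is added here and is not code from the original post: it replays that selection with the algorithm lists taken from the three logs above, and the OpenSSH client rule it assumes and the OpenSSH 8.8 default change are noted in the comments.

```python
"""Added example, not code from the original post: a model of the step that
fails in the GitLab log above, `send_pubkey_test: no mutual signature
algorithm`. Algorithm lists are constructed from the post's `ssh -v` output."""

# What OpenSSH 9.0 accepts by default for public-key authentication
# (PubkeyAcceptedAlgorithms), trimmed to the entries used below. "ssh-rsa"
# means RSA with SHA-1; OpenSSH 8.8 removed it from this default list.
CLIENT_DEFAULT = ["ssh-ed25519", "rsa-sha2-512", "rsa-sha2-256"]
# The same client after `PubkeyAcceptedAlgorithms +ssh-rsa` in ~/.ssh/config.
CLIENT_WITH_SHA1 = CLIENT_DEFAULT + ["ssh-rsa"]

# server-sig-algs announced in SSH2_MSG_EXT_INFO (RFC 8308), copied from the
# github.com and gitee.com logs above and trimmed to the relevant entries.
GITHUB_SIG_ALGS = ["ssh-ed25519", "rsa-sha2-512", "rsa-sha2-256", "ssh-rsa"]
GITEE_SIG_ALGS = ["ssh-rsa", "rsa-sha2-256", "rsa-sha2-512", "ssh-ed25519"]
# The OpenSSH 6.6.1 GitLab host sent no EXT_INFO at all (none appears in its log).
GITLAB_661_SIG_ALGS = None


def signature_algorithm(key_alg, client_accepted, server_sig_algs):
    """Return the signature algorithm the client would sign with, or None.

    Assumption (OpenSSH client behaviour, not stated in the post): only an RSA
    key may sign with a name other than its own, and only if the server
    announced server-sig-algs. Without that announcement the client falls back
    to the key's base name and checks it against its own accepted list.
    """
    if key_alg != "ssh-rsa" or server_sig_algs is None:
        return key_alg if key_alg in client_accepted else None
    # Walk the server's list in its order; take the first RSA variant the
    # client configuration also allows.
    for alg in server_sig_algs:
        if alg in ("ssh-rsa", "rsa-sha2-256", "rsa-sha2-512") and alg in client_accepted:
            return alg
    return None


def explain(label, key_alg, client_accepted, server_sig_algs):
    alg = signature_algorithm(key_alg, client_accepted, server_sig_algs)
    print(f"{label:<34} {key_alg:<12} {alg or 'no mutual signature algorithm'}")
    return alg


if __name__ == "__main__":
    explain("github.com, default client", "ssh-rsa", CLIENT_DEFAULT, GITHUB_SIG_ALGS)
    explain("gitee.com, default client", "ssh-rsa", CLIENT_DEFAULT, GITEE_SIG_ALGS)
    explain("OpenSSH 6.6.1, default client", "ssh-rsa", CLIENT_DEFAULT, GITLAB_661_SIG_ALGS)
    explain("OpenSSH 6.6.1, +ssh-rsa", "ssh-rsa", CLIENT_WITH_SHA1, GITLAB_661_SIG_ALGS)
    explain("OpenSSH 6.6.1, ed25519 key", "ssh-ed25519", CLIENT_DEFAULT, GITLAB_661_SIG_ALGS)
```

The `+ssh-rsa` case only works by re-enabling SHA-1 signatures on the client, so it is a stopgap for one host, not a default to ship; upgrading the server to a release that announces rsa-sha2-* or switching to an ed25519 key (which the later GitLab log in this post shows succeeding) removes the mismatch without weakening anything.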

Solution

Besides the two fixes shown in the referenced article on ssh/git failing on macOS Ventura, I think the best solution is to configure the SSH server's algorithms so that it is compatible with more clients.

Further reading

  1. The known_hosts format explained: ip/hostname, signature algorithm, host key
  2. id_** (PRIVATE KEY) and id_**.pub (public KEY) explained (** is the signature algorithm)

Problems encountered:

  1. Received disconnect from 212.64.63.190 port 22:2: too many authentication failures

Fix: add the following line to the ssh config file, as shown in the figure: IdentitiesOnly yes

  2. Running ssh -Tv git@github.com printed kex_exchange_identification: Connection closed by remote host / Connection closed by 140.82.112.4 port 443. This is caused by the firewall; the fix is to look up a working GitHub IP on an IP lookup site, or to turn on a proxy:
sudo vim /etc/hosts
# add the line below
140.82.114.4   github.com

ed25519 vs RSA

RSA is currently the most widely compatible and most widely used key type, and it is what ssh-keygen generates by default. However, choosing too small a key size when generating the key is a security problem; the recommended key size is 3072 bits or larger.

ed25519 is currently the most secure and fastest key type; because of its mathematics its keys are much shorter than RSA keys, and it is the preferred choice. Its only drawback today is compatibility: older SSH toolchains may not support it.

ssh -Tv git@*******.com
--------------------- with an ed25519 key -------------------
debug1: Will attempt key: /Users/rys/.ssh/id_ed25519 ED25519 
Welcome to GitLab, @*******!

Transferred: sent 2148, received 2704 bytes, in 0.1 seconds
Bytes per second: sent 22604.8, received 28456.0
debug1: Exit status 0
--------------------- with an RSA key -------------------
debug1: Will attempt key: /Users/rys/.ssh/id_rsa RSA 
Welcome to GitLab, @********!

Transferred: sent 3172, received 3056 bytes, in 0.4 seconds
Bytes per second: sent 7391.9, received 7121.6

The Transferred lines show clearly that ed25519 is faster than RSA;

To sum up again:

Prefer ed25519 where possible, otherwise use RSA.

Summary

A problem like this cannot simply be blamed on the system or its version; once you understand why it happens and what its root cause is, the fix follows naturally.

References:

  1. Fixing ssh/git failures on macOS Ventura | Cafeting (likfe.com)
  2. Generating/adding an SSH public key - Gitee.com
  3. HTTP and SSH protocols - Network Guide (zj-network-guide.readthedocs.io)
  4. So many SSH key types, which one should you choose? - Tencent Cloud Developer Community (tencent.com)
  5. 11.x project configuration guide template (ruijie.com.cn)
  6. A complete guide to the ssh config files, ssh debug mode, debugging sftp/scp with strace, privilege separation - LiuYanYGZ - 博客园 (cnblogs.com)