I have been maintaining an old Linux server (CentOS 6.5) for a long time. I access it over ssh using "pub key auth".
I just bought a new Windows laptop (Win10 or 11, not sure) and installed "Git for win 2.33". When I try to ssh from the new laptop as usual, I get:
$ ssh -i ~/.ssh/id_rsa.bridge_to_home -p 5122 -vv shaozr@{ip addr}
OpenSSH_8.8p1, OpenSSL 1.1.1m 14 Dec 2021
debug1: Reading configuration data /etc/ssh/ssh_config
debug2: resolve_canonicalize: hostname 27.115.62.170 is address
debug1: Connecting to 27.115.62.170 [27.115.62.170] port 5122.
debug1: Connection established.
debug1: identity file /c/Users/43141/.ssh/id_rsa.bridge_to_home type -1
debug1: identity file /c/Users/43141/.ssh/id_rsa.bridge_to_home-cert type -1
debug1: Local version string SSH-2.0-OpenSSH_8.8
debug1: Remote protocol version 2.0, remote software version OpenSSH_5.3
debug1: compat_banner: match: OpenSSH_5.3 pat OpenSSH_5* compat 0x0c000002
debug2: fd 4 setting O_NONBLOCK
debug1: Authenticating to 27.115.62.170:5122 as 'shaozr'
debug1: load_hostkeys: fopen /c/Users/43141/.ssh/known_hosts: No such file or directory
debug1: load_hostkeys: fopen /c/Users/43141/.ssh/known_hosts2: No such file or directory
debug1: load_hostkeys: fopen /etc/ssh/ssh_known_hosts: No such file or directory
debug1: load_hostkeys: fopen /etc/ssh/ssh_known_hosts2: No such file or directory
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug2: local client KEXINIT proposal
debug2: KEX algorithms: curve25519-sha256,[email protected],ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256,ext-info-c
debug2: host key algorithms: [email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],ssh-ed25519,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,[email protected],[email protected],rsa-sha2-512,rsa-sha2-256
debug2: ciphers ctos: [email protected],aes128-ctr,aes192-ctr,aes256-ctr,[email protected],[email protected],aes128-cbc,3des-cbc,aes256-cbc,aes192-cbc
debug2: ciphers stoc: [email protected],aes128-ctr,aes192-ctr,aes256-ctr,[email protected],[email protected],aes128-cbc,3des-cbc,aes256-cbc,aes192-cbc
debug2: MACs ctos: [email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],hmac-sha2-256,hmac-sha2-512,hmac-sha1
debug2: MACs stoc: [email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],hmac-sha2-256,hmac-sha2-512,hmac-sha1
debug2: compression ctos: none,[email protected],zlib
debug2: compression stoc: none,[email protected],zlib
debug2: languages ctos:
debug2: languages stoc:
debug2: first_kex_follows 0
debug2: reserved 0
debug2: peer server KEXINIT proposal
debug2: KEX algorithms: diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
debug2: host key algorithms: ssh-rsa,ssh-dss
debug2: ciphers ctos: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,[email protected]
debug2: ciphers stoc: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,[email protected]
debug2: MACs ctos: hmac-md5,hmac-sha1,[email protected],hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,[email protected],hmac-sha1-96,hmac-md5-96
debug2: MACs stoc: hmac-md5,hmac-sha1,[email protected],hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,[email protected],hmac-sha1-96,hmac-md5-96
debug2: compression ctos: none,[email protected]
debug2: compression stoc: none,[email protected]
debug2: languages ctos:
debug2: languages stoc:
debug2: first_kex_follows 0
debug2: reserved 0
debug1: kex: algorithm: diffie-hellman-group-exchange-sha256
debug1: kex: host key algorithm: (no match)
Unable to negotiate with 27.115.62.170 port 5122: no matching host key type found. Their offer: ssh-rsa,ssh-dss
This is strange.
I can still ssh to that Linux box from my old PC, and I can git clone over ssh (to the well-known git repo providers) from my new laptop.
It looks like both sides are "ssh OK", so why does CentOS6.6 reject my id_rsa key from "Git for win 2.33"?
Answer 1
I just ran into this while working on a new Windows machine with OpenSSH 9 installed. It turns out that in 8.something the OpenSSH team disabled the old ssh-rsa algorithms by default. (See https://www.openssh.com/releasenotes.html)
It is not the server rejecting you; it is your client. Your new client is unwilling to use ssh-rsa, which is all the old OpenSSH daemon can speak.
You can tell your client to re-enable them, but that is a workaround. You will need to upgrade the ssh daemon on the server. The ssh-rsa algorithms were disabled because they are insecure and easily broken on modern hardware.
So the workaround is to create an ssh config file at $HOME/.ssh/config on the client and add something like this:
Host HOSTNAME
    HostKeyAlgorithms +ssh-rsa
    PubkeyAcceptedAlgorithms +ssh-rsa
Replace HOSTNAME with a regular expression matching the host name you are connecting to.
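The following is an added example, not code from the question or the answer above. It takes the "Unable to negotiate" line that ssh -vv printed, works out which ssh_config option has to be extended (host key type here, but the same message shape appears for key exchange, cipher and MAC mismatches), picks the least-bad algorithm from the server's offer, and writes a stanza scoped to that one host and port instead of re-enabling ssh-rsa for every connection. The host, port, user and key path are the ones from the question; the alias "home-bridge" is an assumption.

```shell
#!/bin/sh
# Added example (not from the original post): turn the "Unable to negotiate"
# line from ssh -vv into a per-host ~/.ssh/config stanza that re-enables only
# the legacy algorithm the server offered, scoped to that one host and port.
# The alias "home-bridge" is an assumption; host, port, user and key path are
# the ones in the question.

# Constructed sample: the last line of the ssh -vv output from the question.
SAMPLE_ERR='Unable to negotiate with 27.115.62.170 port 5122: no matching host key type found. Their offer: ssh-rsa,ssh-dss'

# Return the comma-separated algorithm list after "Their offer:".
their_offer() {
    printf '%s\n' "$1" | sed -n 's/.*Their offer: *//p'
}

# Map the failure text to the ssh_config option that must be extended.
option_for_failure() {
    case "$1" in
        *'no matching host key type'*)       echo HostKeyAlgorithms ;;
        *'no matching key exchange method'*) echo KexAlgorithms ;;
        *'no matching cipher'*)              echo Ciphers ;;
        *'no matching MAC'*)                 echo MACs ;;
        *) return 1 ;;
    esac
}

# Prefer ssh-rsa (RSA key, SHA-1 signature) over ssh-dss (1024-bit DSA);
# fail if the offer contains neither, so nothing weaker gets enabled blindly.
pick_algorithm() {
    case ",$1," in
        *,ssh-rsa,*) echo ssh-rsa ;;
        *,ssh-dss,*) echo ssh-dss ;;
        *) return 1 ;;
    esac
}

# Emit one Host stanza. "+alg" appends to the client's default list; writing
# "HostKeyAlgorithms ssh-rsa" without "+" would instead restrict the client to
# that single algorithm. PubkeyAcceptedAlgorithms +ssh-rsa is added only when
# the host-key path needed ssh-rsa, because an OpenSSH 5.x server also cannot
# verify the rsa-sha2-* user-key signatures a new client sends by default.
legacy_stanza() {
    name=$1 host=$2 port=$3 user=$4 key=$5 option=$6 alg=$7
    printf 'Host %s\n' "$name"
    printf '    HostName %s\n    Port %s\n    User %s\n' "$host" "$port" "$user"
    printf '    IdentityFile %s\n    IdentitiesOnly yes\n' "$key"
    printf '    %s +%s\n' "$option" "$alg"
    if [ "$option" = HostKeyAlgorithms ] && [ "$alg" = ssh-rsa ]; then
        printf '    PubkeyAcceptedAlgorithms +ssh-rsa\n'
    fi
}

# Build the stanza for the question's server from the sample error line.
stanza_for_sample() {
    offer=$(their_offer "$SAMPLE_ERR") || return 1
    option=$(option_for_failure "$SAMPLE_ERR") || return 1
    alg=$(pick_algorithm "$offer") || return 1
    legacy_stanza home-bridge 27.115.62.170 5122 shaozr '~/.ssh/id_rsa.bridge_to_home' "$option" "$alg"
}

stanza_for_sample
```

Two things to check before relying on the stanza. First, the debug output shows no known_hosts file on the new laptop, so the first connection will trust whatever RSA host key is presented; compare the fingerprint ssh prints against the one the old PC already has (ssh-keygen -lf ~/.ssh/known_hosts there, or ssh-keygen -lf /etc/ssh/ssh_host_rsa_key.pub on the server) before answering yes. Second, Host in ssh_config takes shell-style glob patterns (for example 27.115.62.170 or *.example.org), not regular expressions, so use an alias or the literal address as above. For a one-off connection the same options can be passed on the command line as -o HostKeyAlgorithms=+ssh-rsa -o PubkeyAcceptedAlgorithms=+ssh-rsa. Either way this only re-enables the SHA-1-based ssh-rsa signature scheme on the client; the RSA key pair itself is unaffected, and the lasting fix is an sshd new enough (7.2 or later) to offer rsa-sha2-256 or rsa-sha2-512 so the stanza can be deleted again.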