MacOS 升级到Ventura后无法ssh了,直接报permission denied

最新推荐文章于 2024-05-29 05:07:08 发布
最新推荐文章于 2024-05-29 05:07:08 发布
阅读量1.6k 收藏
点赞数
文章标签: ssh macos 运维
原文链接:https://zhuanlan.zhihu.com/p/382384714
版权

1. 缘起与快速解决办法

1.1 现象表现

昨天将自己的MBP升级到了Ventura。再用ssh连接服务器(ubuntu20.04)的时候,直接报错了。

ssh xx
yy@xx, Permission denied (publickey)

为了方便,我配置了免密码登陆,在~/.ssh/config 中配置了如下信息:

Host xx 
     HostName xx
     User yy
     ServerAliveInterval 20
     ServerAliveCountMax 999

1.2 快速解决办法

在mac上配置 ~/.ssh/config ,添加两行:

Host xx 
    HostName xx
    User yy
    ServerAliveInterval 20
    ServerAliveCountMax 999
    PubkeyAcceptedAlgorithms +ssh-rsa
    HostkeyAlgorithms +ssh-rsa

2. 排解过程说明

感觉很奇怪,升级之前一直是好好的。于是添加了debug的信息,在客户端(MacOS)上运行ssh:

➜  ~ ssh tenet -vvv
OpenSSH_9.0p1, LibreSSL 3.3.6
debug1: Reading configuration data /Users/chinglin/.ssh/config
debug1: /Users/chinglin/.ssh/config line 89: Applying options for tenet
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 21: include /etc/ssh/ssh_config.d/* matched no files
debug1: /etc/ssh/ssh_config line 54: Applying options for *
debug3: expanded UserKnownHostsFile '~/.ssh/known_hosts' -> '/Users/chinglin/.ssh/known_hosts'
debug3: expanded UserKnownHostsFile '~/.ssh/known_hosts2' -> '/Users/chinglin/.ssh/known_hosts2'
debug1: Authenticator provider $SSH_SK_PROVIDER did not resolve; disabling
debug1: Connecting to xx port 22.
debug1: Connection established.
debug1: identity file /Users/chinglin/.ssh/id_rsa type 0
debug1: identity file /Users/chinglin/.ssh/id_rsa-cert type -1
debug1: identity file /Users/chinglin/.ssh/id_ecdsa type -1
debug1: identity file /Users/chinglin/.ssh/id_ecdsa-cert type -1
debug1: identity file /Users/chinglin/.ssh/id_ecdsa_sk type -1
debug1: identity file /Users/chinglin/.ssh/id_ecdsa_sk-cert type -1
debug1: identity file /Users/chinglin/.ssh/id_ed25519 type -1
debug1: identity file /Users/chinglin/.ssh/id_ed25519-cert type -1
debug1: identity file /Users/chinglin/.ssh/id_ed25519_sk type -1
debug1: identity file /Users/chinglin/.ssh/id_ed25519_sk-cert type -1
debug1: identity file /Users/chinglin/.ssh/id_xmss type -1
debug1: identity file /Users/chinglin/.ssh/id_xmss-cert type -1
debug1: identity file /Users/chinglin/.ssh/id_dsa type -1
debug1: identity file /Users/chinglin/.ssh/id_dsa-cert type -1
debug1: Local version string SSH-2.0-OpenSSH_9.0
debug1: Remote protocol version 2.0, remote software version Go
debug1: compat_banner: no match: Go
debug3: fd 5 is O_NONBLOCK
debug1: Authenticating to xx:22 as 'yy'
debug3: record_hostkey: found key type RSA in file /Users/chinglin/.ssh/known_hosts:12
debug3: load_hostkeys_file: loaded 1 keys from xx
debug1: load_hostkeys: fopen /Users/chinglin/.ssh/known_hosts2: No such file or directory
debug1: load_hostkeys: fopen /etc/ssh/ssh_known_hosts: No such file or directory
debug1: load_hostkeys: fopen /etc/ssh/ssh_known_hosts2: No such file or directory
debug3: order_hostkeyalgs: prefer hostkeyalgs: rsa-sha2-512-cert-v01@openssh.com,rsa-sha2-256-cert-v01@openssh.com,rsa-sha2-512,rsa-sha2-256
debug3: send packet: type 20
debug1: SSH2_MSG_KEXINIT sent
debug3: receive packet: type 20
debug1: SSH2_MSG_KEXINIT received
debug2: local client KEXINIT proposal
debug2: KEX algorithms: sntrup761x25519-sha512@openssh.com,curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256,ext-info-c
debug2: host key algorithms: rsa-sha2-512-cert-v01@openssh.com,rsa-sha2-256-cert-v01@openssh.com,rsa-sha2-512,rsa-sha2-256,ssh-ed25519-cert-v01@openssh.com,ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521-cert-v01@openssh.com,ssh-ed25519,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521
debug2: ciphers ctos: chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com
debug2: ciphers stoc: chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com
debug2: MACs ctos: umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1
debug2: MACs stoc: umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1
debug2: compression ctos: none,zlib@openssh.com,zlib
debug2: compression stoc: none,zlib@openssh.com,zlib
debug2: languages ctos: 
debug2: languages stoc: 
debug2: first_kex_follows 0 
debug2: reserved 0 
debug2: peer server KEXINIT proposal
debug2: KEX algorithms: curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group14-sha256,diffie-hellman-group14-sha1
debug2: host key algorithms: rsa-sha2-256,rsa-sha2-512,ssh-rsa
debug2: ciphers ctos: aes128-gcm@openssh.com,chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr
debug2: ciphers stoc: aes128-gcm@openssh.com,chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr
debug2: MACs ctos: hmac-sha2-256-etm@openssh.com,hmac-sha2-256,hmac-sha1,hmac-sha1-96
debug2: MACs stoc: hmac-sha2-256-etm@openssh.com,hmac-sha2-256,hmac-sha1,hmac-sha1-96
debug2: compression ctos: none
debug2: compression stoc: none
debug2: languages ctos: 
debug2: languages stoc: 
debug2: first_kex_follows 0 
debug2: reserved 0 
debug1: kex: algorithm: curve25519-sha256
debug1: kex: host key algorithm: rsa-sha2-512
debug1: kex: server->client cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none
debug1: kex: client->server cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none
debug3: send packet: type 30
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug3: receive packet: type 31
debug1: SSH2_MSG_KEX_ECDH_REPLY received
debug1: Server host key: ssh-rsa SHA256:QsAZ/hhTE4sWJRFfZPQaoANh5UT1Io3KXkpRVm2TP64
debug3: record_hostkey: found key type RSA in file /Users/chinglin/.ssh/known_hosts:12
debug3: load_hostkeys_file: loaded 1 keys from xx
debug1: load_hostkeys: fopen /Users/chinglin/.ssh/known_hosts2: No such file or directory
debug1: load_hostkeys: fopen /etc/ssh/ssh_known_hosts: No such file or directory
debug1: load_hostkeys: fopen /etc/ssh/ssh_known_hosts2: No such file or directory
debug1: Host 'xx' is known and matches the RSA host key.
debug1: Found key in /Users/chinglin/.ssh/known_hosts:12
debug3: send packet: type 21
debug2: ssh_set_newkeys: mode 1
debug1: rekey out after 134217728 blocks
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug3: receive packet: type 21
debug1: SSH2_MSG_NEWKEYS received
debug2: ssh_set_newkeys: mode 0
debug1: rekey in after 134217728 blocks
debug1: get_agent_identities: bound agent to hostkey
debug1: get_agent_identities: ssh_fetch_identitylist: agent contains no identities
debug1: Will attempt key: /Users/chinglin/.ssh/id_rsa RSA SHA256:NtRGcC/eAf+59Muf5HQM6t8pKXJL6a/MVAjCIizguvc
debug1: Will attempt key: /Users/chinglin/.ssh/id_ecdsa 
debug1: Will attempt key: /Users/chinglin/.ssh/id_ecdsa_sk 
debug1: Will attempt key: /Users/chinglin/.ssh/id_ed25519 
debug1: Will attempt key: /Users/chinglin/.ssh/id_ed25519_sk 
debug1: Will attempt key: /Users/chinglin/.ssh/id_xmss 
debug1: Will attempt key: /Users/chinglin/.ssh/id_dsa 
debug2: pubkey_prepare: done
debug3: send packet: type 5
debug3: receive packet: type 6
debug2: service_accept: ssh-userauth
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug3: send packet: type 50
debug3: receive packet: type 51
debug1: Authentications that can continue: publickey
debug3: start over, passed a different list publickey
debug3: preferred publickey,keyboard-interactive,password
debug3: authmethod_lookup publickey
debug3: remaining preferred: keyboard-interactive,password
debug3: authmethod_is_enabled publickey
debug1: Next authentication method: publickey
debug1: Offering public key: /Users/chinglin/.ssh/id_rsa RSA SHA256:XYXYXYXYXYXYXY(replaced with random value)
debug1: send_pubkey_test: no mutual signature algorithm
debug1: Trying private key: /Users/chinglin/.ssh/id_ecdsa
debug3: no such identity: /Users/chinglin/.ssh/id_ecdsa: No such file or directory
debug1: Trying private key: /Users/chinglin/.ssh/id_ecdsa_sk
debug3: no such identity: /Users/chinglin/.ssh/id_ecdsa_sk: No such file or directory
debug1: Trying private key: /Users/chinglin/.ssh/id_ed25519
debug3: no such identity: /Users/chinglin/.ssh/id_ed25519: No such file or directory
debug1: Trying private key: /Users/chinglin/.ssh/id_ed25519_sk
debug3: no such identity: /Users/chinglin/.ssh/id_ed25519_sk: No such file or directory
debug1: Trying private key: /Users/chinglin/.ssh/id_xmss
debug3: no such identity: /Users/chinglin/.ssh/id_xmss: No such file or directory
debug1: Trying private key: /Users/chinglin/.ssh/id_dsa
debug3: no such identity: /Users/chinglin/.ssh/id_dsa: No such file or directory
debug2: we did not send a packet, disable method
debug1: No more authentication methods to try.
yy@xx: Permission denied (publickey).

也没有看出什么问题。这里出问题的服务器是ubuntu20.04。好在我还有其服务器:

  • Rocky Linux 9 成功
  • Ubuntu 18.04 挂掉

但是这个Ubuntu18.04在挂掉的时候,却提供了如下信息:

Unable to negotiate with ww.xx.yy.zz port 22: no matching host key type found. Their offer: ssh-rsa

突然想到,可能是mac的ssh客户端升级了,导致对某些加密认证的办法不兼容。

最近这些工具(ssh)在各个发行版之间的升级都比较激进,而ubuntu18.04感觉来自古代。

顺着这个思路,在stackoverflow找到了说法。

Unable to negotiate with 40.74.28.9 port 22: no matching host key type found. Their offer: ssh-rsa

核心意思是说,ssh-rsa 的算法有很多,要指定某一个ssh算法。应该在mac的ssh config中添加如下配置:

    PubkeyAcceptedAlgorithms +ssh-rsa
    HostkeyAlgorithms +ssh-rsa

果然添加之后,就可以正常访问了。但是真实的原因是:

mac os Ventura升级了ssh到9.0,ssl到3.3.6

# on my mac
➜  ~ sshd --help
sshd: illegal option -- -
OpenSSH_9.0p1, LibreSSL 3.3.6
usage: sshd [-46DdeiqTt] [-C connection_spec] [-c host_cert_file]
            [-E log_file] [-f config_file] [-g login_grace_time]
            [-h host_key_file] [-o option] [-p port] [-u len]

而服务器上的sshd还是老版本

# on my server
➜  ~ sshd -v
unknown option -- v
OpenSSH_8.2p1 Ubuntu-4ubuntu0.5, OpenSSL 1.1.1f  31 Mar 2020
usage: sshd [-46DdeiqTt] [-C connection_spec] [-c host_cert_file]
            [-E log_file] [-f config_file] [-g login_grace_time]
            [-h host_key_file] [-o option] [-p port] [-u len]

就是服务器上的老版本ssh和ssl不能很好的和mac上的新版本ssh和ssl交互,需要在mac上添加一些兼容老版本的参数。

消灭八阿哥
关注
  • 0
    点赞
  • 0
    收藏
    觉得还不错? 一键收藏
  • 0
    评论
macOS 13 Ventura下载地址
06-16
Apple 今日发布了 macOS 的下一个版本,称为macOS Ventura,它具有多项新功能,包括 Stage Manager、Continuity Camera、新的安全更新等。为大家带来macOS 13 Ventura测试版地址下载,想要体验最新的13系统的朋友...
git 常用命令
yonghutwo的专栏
05-07 4125
一、本地操作: 1.其它 git init:初始化本地库 git status:查看工作区、暂存区的状态 git add <file name>:将工作区的“新建/修改”添加到暂存区 git rm --cached <file name>:移除暂存区的修改 git commit <file name>:将暂存区的内容提交到本地库   tip:需要再......
ssh连接错: WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!Host key verification failed.
这里是和风coding的博客
02-06 819
解决办法: 由于远程主机的密钥已经发生了变化,可能是由于服务器重新安装了 SSH 或其他原因,本地的 known_hosts 文件中保存的公钥信息不再匹配。为了解决这个问题,只需要清理本地 known_hosts 文件,使其不包含旧的公钥信息即可
解决在Mac下使用npm错:Error: EACCES: permission denied
最新发布
小小的花园里面挖呀挖呀~
05-29 1055
原因说明:没有足够的权限在 /usr/local/lib/node_modules 目录下创建文件夹这个错误表明你在安装或更新 Vue.js(@vue)包时,没有足够的权限在 /usr/local/lib/node_modules 目录下创建文件夹。这通常是因为默认情况下,普通用户没有权限在 /usr/local/lib 目录中进行写入操作。
指定私钥来提交代码到Github
机房看门人的博客
03-11 2735
指定私钥来提交代码到Github
SSH 免密登录:普通用户免密配置登录仍需输入密码
予挚之的博客
09-04 3496
(4)A 服务器尝试登录 B 服务器(这里还是提示需要输入密码,正常情况下是不需要的)(6)最后排查是普通用户的家目录权限不对导致。(2)复制密钥文件到 B 服务器。(3)查看 B 服务器写入信息。(5)正常与异常情况对比。1.1 A 服务器操作。(7)修改权限后解决。
SSH连接调试:逐行解读SSH -vvv的输出信息
十年运维开发经验的王义杰在此分享自己的知识和经验
09-12 1451
使用ssh -vvv调试SSH连接不仅可以让我们了解SSH连接的内部机制,还能在排查问题时提供有价值的信息。希望通过本文的逐行解读,你能更好地理解SSH连接中的各个环节。这样的信息对于了解SSH的连接机制和故障排查都是非常有用的。希望这篇文章能让你更好地理解SSH连接背后的细节。
macOS 13 Ventura 5K原生动态壁纸
07-02
macOS 13 Ventura 5K原生动态壁纸来啦!让你的电脑桌面变得更大气!
支持安装MacOS Sierra10.12.6 ,可升级到10.13.6
02-03
- MacOS Sierra是苹果公司于2016年推出的操作系统,是继El Capitan后的第13个主要版本。10.12.6是这个系列中的一个更新,主要提供了性能优化、错误修复和安全改进。 - 主要特性包括:Siri首次在桌面版引入,用户...
Thinkpad T460p macos 13 Ventura 黑苹果OC EFI
06-12
【Thinkpad T460p macos 13 Ventura 黑苹果OC EFI】是一个专为Thinkpad T460p笔记本电脑设计的黑苹果(Hackintosh)安装配置,旨在让这款非苹果品牌的硬件设备能够运行最新的macOS操作系统,即macOS 13 Ventura。...
macOS Ventura Beta 描述文件
07-17
抢先体验macOS 13 Ventura Developer Beta!描述文件现在可以下载,打开DMG中的安装包安装即可! 注意:请先使用 Time Machine 备份!测试版系统不稳定,数据无价!
ssh连接问题及解决
py16411的博客
10-09 890
记录ssh连接问题
【调试记录】vscode远程连接问题汇总_failed to set up dynamic port forwarding connectio
2401_83739660的博客
04-14 240
【代码】【调试记录】vscode远程连接问题汇总_failed to set up dynamic port forwarding connectio。
github 配置了公钥依旧提示git@github.com‘s password: Permission denied, please try again. 的解决办法
热门推荐
喻志强的博客
09-24 5万+
给github配置好ssh key后提示 git@github.com's password: Permission denied, please try again. 的解决办法
SSH免密失败并错:no mutual signature algorithm
IT民工金鱼哥,专注运维技术。
09-13 6028
运维要时刻关注漏洞情况并根据现在的版本而进行知识的更新。
Mac ssh Permission denied (publickey). fatal: Could not read from remote repository.
wqn的博客
06-30 1545
新手Mac开发环境配置,sourcetree和bitbucket经历重重问题终于配好了连上了,但是关机重启后发现pull和push操作又不管用了,错: git@bitbucket.org: Permission denied (publickey). fatal: Could not read from remote repository. 检查.ssh/目录下的公钥私钥文件都存在,并且config文件中的配置都没问题,IdentityFile指向对应连接bitbucket的pub文件。 我本地两个s
探索SSH_SK_PROVIDER环境变量及其应用
十年运维开发经验的王义杰在此分享自己的知识和经验
10-10 515
是一个专用的环境变量,其主要任务是指定一个库的路径,该库在加载FIDO认证器宿主密钥时将被使用,从而覆盖默认的内置USB HID支持。换句话说,通过设置环境变量,用户可以自定义SSH密钥加载的处理方式,而不是依赖于SSH的默认配置。
macOS ssh permission denied
07-28
当出现 "macOS ssh permission denied" 错误,有几个可能原因和解决方: 1. 用户名密码错误:请确您输入的用户名和密码是正确的。尝试重新输入用户名和密码,确保大小写匹配。如果您忘记了密码,可以尝试使用其他凭据或重置密码。 2. SSH密钥问题:如果您使用SSH密钥进行身份验证,可能是密钥相关的问题。请确保您的SSH密钥已正确添加到目标主机的授权密钥列表中。您可以尝试重新生成新的SSH密钥对,并将公钥添加到目标主机上。 3. 文件权限问题:确保您具有足够的权限来进行SSH连接。检查目标主机上的文件权限,确保您有权限连接。您可以尝试更改文件和目录的权限,以便您可以访问它们。 4. 防火墙或网络问题:某些防火墙或网络设置可能会阻止SSH连接。请检查您的网络连接和防火墙设置,确保它们允许SSH连接。 5. SSH服务器配置问题:目标主机上的SSH服务器配置可能存在问题。您可以检查SSH服务器配置文件(通常是sshd_config),确保它设置正确并允许您进行连接。 这些是一些常见的解决方案,您可以根据具体情况尝试逐个排除问题。如果问题仍然存在,请提供更多详细信息,以便我能够更好地帮助您解决问题。
评论
添加红包

请填写红包祝福语或标题

红包个数最小为10个

红包金额最低5元

当前余额3.43前往充值 >
需支付:10.00
成就一亿技术人!
领取后你会自动成为博主和红包主的粉丝 规则
hope_wisdom
发出的红包
实付
使用余额支付
点击重新获取
扫码支付
钱包余额 0

抵扣说明:

1.余额是钱包充值的虚拟货币,按照1:1的比例进行支付金额的抵扣。
2.余额无法直接购买下载,可以购买VIP、付费专栏及课程。

余额充值