macOS can't ssh after upgrading to Ventura: immediate Permission denied

1. Background and quick fix

1.1 Symptoms

Yesterday I upgraded my MBP to Ventura. The next time I used ssh to connect to a server (Ubuntu 20.04), it failed outright:

ssh xx
yy@xx, Permission denied (publickey)

For convenience I had set up passwordless login, with the following in ~/.ssh/config:

Host xx
    HostName xx
    User yy
    ServerAliveInterval 20
    ServerAliveCountMax 999

1.2 Quick fix

Edit ~/.ssh/config on the Mac and add two lines:

Host xx
    HostName xx
    User yy
    ServerAliveInterval 20
    ServerAliveCountMax 999
    PubkeyAcceptedAlgorithms +ssh-rsa
    HostKeyAlgorithms +ssh-rsa

2. Troubleshooting walkthrough

This was odd, since everything had worked fine before the upgrade. So I turned on debug output and ran ssh on the client (macOS):

➜  ~ ssh tenet -vvv
OpenSSH_9.0p1, LibreSSL 3.3.6
debug1: Reading configuration data /Users/chinglin/.ssh/config
debug1: /Users/chinglin/.ssh/config line 89: Applying options for tenet
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 21: include /etc/ssh/ssh_config.d/* matched no files
debug1: /etc/ssh/ssh_config line 54: Applying options for *
debug3: expanded UserKnownHostsFile '~/.ssh/known_hosts' -> '/Users/chinglin/.ssh/known_hosts'
debug3: expanded UserKnownHostsFile '~/.ssh/known_hosts2' -> '/Users/chinglin/.ssh/known_hosts2'
debug1: Authenticator provider $SSH_SK_PROVIDER did not resolve; disabling
debug1: Connecting to xx port 22.
debug1: Connection established.
debug1: identity file /Users/chinglin/.ssh/id_rsa type 0
debug1: identity file /Users/chinglin/.ssh/id_rsa-cert type -1
debug1: identity file /Users/chinglin/.ssh/id_ecdsa type -1
debug1: identity file /Users/chinglin/.ssh/id_ecdsa-cert type -1
debug1: identity file /Users/chinglin/.ssh/id_ecdsa_sk type -1
debug1: identity file /Users/chinglin/.ssh/id_ecdsa_sk-cert type -1
debug1: identity file /Users/chinglin/.ssh/id_ed25519 type -1
debug1: identity file /Users/chinglin/.ssh/id_ed25519-cert type -1
debug1: identity file /Users/chinglin/.ssh/id_ed25519_sk type -1
debug1: identity file /Users/chinglin/.ssh/id_ed25519_sk-cert type -1
debug1: identity file /Users/chinglin/.ssh/id_xmss type -1
debug1: identity file /Users/chinglin/.ssh/id_xmss-cert type -1
debug1: identity file /Users/chinglin/.ssh/id_dsa type -1
debug1: identity file /Users/chinglin/.ssh/id_dsa-cert type -1
debug1: Local version string SSH-2.0-OpenSSH_9.0
debug1: Remote protocol version 2.0, remote software version Go
debug1: compat_banner: no match: Go
debug3: fd 5 is O_NONBLOCK
debug1: Authenticating to xx:22 as 'yy'
debug3: record_hostkey: found key type RSA in file /Users/chinglin/.ssh/known_hosts:12
debug3: load_hostkeys_file: loaded 1 keys from xx
debug1: load_hostkeys: fopen /Users/chinglin/.ssh/known_hosts2: No such file or directory
debug1: load_hostkeys: fopen /etc/ssh/ssh_known_hosts: No such file or directory
debug1: load_hostkeys: fopen /etc/ssh/ssh_known_hosts2: No such file or directory
debug3: order_hostkeyalgs: prefer hostkeyalgs: rsa-sha2-512-cert-v01@openssh.com,rsa-sha2-256-cert-v01@openssh.com,rsa-sha2-512,rsa-sha2-256
debug3: send packet: type 20
debug1: SSH2_MSG_KEXINIT sent
debug3: receive packet: type 20
debug1: SSH2_MSG_KEXINIT received
debug2: local client KEXINIT proposal
debug2: KEX algorithms: sntrup761x25519-sha512@openssh.com,curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256,ext-info-c
debug2: host key algorithms: rsa-sha2-512-cert-v01@openssh.com,rsa-sha2-256-cert-v01@openssh.com,rsa-sha2-512,rsa-sha2-256,ssh-ed25519-cert-v01@openssh.com,ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521-cert-v01@openssh.com,ssh-ed25519,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521
debug2: ciphers ctos: chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com
debug2: ciphers stoc: chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com
debug2: MACs ctos: umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1
debug2: MACs stoc: umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1
debug2: compression ctos: none,zlib@openssh.com,zlib
debug2: compression stoc: none,zlib@openssh.com,zlib
debug2: languages ctos: 
debug2: languages stoc: 
debug2: first_kex_follows 0 
debug2: reserved 0 
debug2: peer server KEXINIT proposal
debug2: KEX algorithms: curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group14-sha256,diffie-hellman-group14-sha1
debug2: host key algorithms: rsa-sha2-256,rsa-sha2-512,ssh-rsa
debug2: ciphers ctos: aes128-gcm@openssh.com,chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr
debug2: ciphers stoc: aes128-gcm@openssh.com,chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr
debug2: MACs ctos: hmac-sha2-256-etm@openssh.com,hmac-sha2-256,hmac-sha1,hmac-sha1-96
debug2: MACs stoc: hmac-sha2-256-etm@openssh.com,hmac-sha2-256,hmac-sha1,hmac-sha1-96
debug2: compression ctos: none
debug2: compression stoc: none
debug2: languages ctos: 
debug2: languages stoc: 
debug2: first_kex_follows 0 
debug2: reserved 0 
debug1: kex: algorithm: curve25519-sha256
debug1: kex: host key algorithm: rsa-sha2-512
debug1: kex: server->client cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none
debug1: kex: client->server cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none
debug3: send packet: type 30
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug3: receive packet: type 31
debug1: SSH2_MSG_KEX_ECDH_REPLY received
debug1: Server host key: ssh-rsa SHA256:QsAZ/hhTE4sWJRFfZPQaoANh5UT1Io3KXkpRVm2TP64
debug3: record_hostkey: found key type RSA in file /Users/chinglin/.ssh/known_hosts:12
debug3: load_hostkeys_file: loaded 1 keys from xx
debug1: load_hostkeys: fopen /Users/chinglin/.ssh/known_hosts2: No such file or directory
debug1: load_hostkeys: fopen /etc/ssh/ssh_known_hosts: No such file or directory
debug1: load_hostkeys: fopen /etc/ssh/ssh_known_hosts2: No such file or directory
debug1: Host 'xx' is known and matches the RSA host key.
debug1: Found key in /Users/chinglin/.ssh/known_hosts:12
debug3: send packet: type 21
debug2: ssh_set_newkeys: mode 1
debug1: rekey out after 134217728 blocks
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug3: receive packet: type 21
debug1: SSH2_MSG_NEWKEYS received
debug2: ssh_set_newkeys: mode 0
debug1: rekey in after 134217728 blocks
debug1: get_agent_identities: bound agent to hostkey
debug1: get_agent_identities: ssh_fetch_identitylist: agent contains no identities
debug1: Will attempt key: /Users/chinglin/.ssh/id_rsa RSA SHA256:NtRGcC/eAf+59Muf5HQM6t8pKXJL6a/MVAjCIizguvc
debug1: Will attempt key: /Users/chinglin/.ssh/id_ecdsa 
debug1: Will attempt key: /Users/chinglin/.ssh/id_ecdsa_sk 
debug1: Will attempt key: /Users/chinglin/.ssh/id_ed25519 
debug1: Will attempt key: /Users/chinglin/.ssh/id_ed25519_sk 
debug1: Will attempt key: /Users/chinglin/.ssh/id_xmss 
debug1: Will attempt key: /Users/chinglin/.ssh/id_dsa 
debug2: pubkey_prepare: done
debug3: send packet: type 5
debug3: receive packet: type 6
debug2: service_accept: ssh-userauth
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug3: send packet: type 50
debug3: receive packet: type 51
debug1: Authentications that can continue: publickey
debug3: start over, passed a different list publickey
debug3: preferred publickey,keyboard-interactive,password
debug3: authmethod_lookup publickey
debug3: remaining preferred: keyboard-interactive,password
debug3: authmethod_is_enabled publickey
debug1: Next authentication method: publickey
debug1: Offering public key: /Users/chinglin/.ssh/id_rsa RSA SHA256:XYXYXYXYXYXYXY(replaced with random value)
debug1: send_pubkey_test: no mutual signature algorithm
debug1: Trying private key: /Users/chinglin/.ssh/id_ecdsa
debug3: no such identity: /Users/chinglin/.ssh/id_ecdsa: No such file or directory
debug1: Trying private key: /Users/chinglin/.ssh/id_ecdsa_sk
debug3: no such identity: /Users/chinglin/.ssh/id_ecdsa_sk: No such file or directory
debug1: Trying private key: /Users/chinglin/.ssh/id_ed25519
debug3: no such identity: /Users/chinglin/.ssh/id_ed25519: No such file or directory
debug1: Trying private key: /Users/chinglin/.ssh/id_ed25519_sk
debug3: no such identity: /Users/chinglin/.ssh/id_ed25519_sk: No such file or directory
debug1: Trying private key: /Users/chinglin/.ssh/id_xmss
debug3: no such identity: /Users/chinglin/.ssh/id_xmss: No such file or directory
debug1: Trying private key: /Users/chinglin/.ssh/id_dsa
debug3: no such identity: /Users/chinglin/.ssh/id_dsa: No such file or directory
debug2: we did not send a packet, disable method
debug1: No more authentication methods to try.
yy@xx: Permission denied (publickey).

Nothing obvious stood out. The server that failed here runs Ubuntu 20.04. Fortunately I have other servers to compare against:

  • Rocky Linux 9: works
  • Ubuntu 18.04: fails

But when the Ubuntu 18.04 server failed, it gave a more specific message:

Unable to negotiate with ww.xx.yy.zz port 22: no matching host key type found. Their offer: ssh-rsa

It suddenly occurred to me that the ssh client on the Mac had probably been upgraded, making it incompatible with some of the encryption and authentication algorithms.

These tools (ssh) have recently been updated fairly aggressively across distributions, and Ubuntu 18.04 feels ancient by comparison.

Following this line of thought, I found the explanation on Stack Overflow, searching for the error text:

Unable to negotiate with 40.74.28.9 port 22: no matching host key type found. Their offer: ssh-rsa

The gist is that there are several RSA-based ssh algorithms, and the client has to be told explicitly which one to accept. The following should be added to the ssh config on the Mac:

    PubkeyAcceptedAlgorithms +ssh-rsa
    HostKeyAlgorithms +ssh-rsa

Sure enough, after adding these the connection worked again. But the real cause is this:

macOS Ventura upgraded ssh to OpenSSH 9.0 and its SSL library to LibreSSL 3.3.6:

# on my mac
➜  ~ sshd --help
sshd: illegal option -- -
OpenSSH_9.0p1, LibreSSL 3.3.6
usage: sshd [-46DdeiqTt] [-C connection_spec] [-c host_cert_file]
            [-E log_file] [-f config_file] [-g login_grace_time]
            [-h host_key_file] [-o option] [-p port] [-u len]

while sshd on the server is still an older version:

# on my server
➜  ~ sshd -v
unknown option -- v
OpenSSH_8.2p1 Ubuntu-4ubuntu0.5, OpenSSL 1.1.1f  31 Mar 2020
usage: sshd [-46DdeiqTt] [-C connection_spec] [-c host_cert_file]
            [-E log_file] [-f config_file] [-g login_grace_time]
            [-h host_key_file] [-o option] [-p port] [-u len]

So the older ssh and SSL on the server cannot fully interoperate with the newer ssh and SSL on the Mac, and the Mac needs a few options added for compatibility with the old version.
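As an added example (not part of the original post), the Python script below applies the reasoning above to `ssh -vvv` output. It reads the three lines that mattered in the log above: the server's `host key algorithms:` offer in the peer KEXINIT proposal, the `Offering public key: ... RSA` line followed by `send_pubkey_test: no mutual signature algorithm`, and the `no matching host key type found. Their offer: ssh-rsa` message, and reports which of the two config options the evidence actually calls for. The log lines embedded in the script are constructed samples modelled on the output above, not the post's full log, and the class and function names are my own. It deliberately tells the two cases apart: the quick fix adds both lines, but in the Ubuntu 20.04 log the server already offers rsa-sha2-256/512 host key signatures, so only `PubkeyAcceptedAlgorithms` is needed there, while the Ubuntu 18.04 error is the host-key case.

```python
import re
from dataclasses import dataclass, field

# Constructed sample modelled on the `ssh -vvv` output above (not the post's full log):
# the server accepts rsa-sha2-* host key signatures, but user authentication with an
# RSA key still fails because no signature algorithm can be agreed on.
PUBKEY_FAIL_LOG = """\
debug1: Local version string SSH-2.0-OpenSSH_9.0
debug2: local client KEXINIT proposal
debug2: host key algorithms: rsa-sha2-512,rsa-sha2-256,ssh-ed25519
debug2: peer server KEXINIT proposal
debug2: host key algorithms: rsa-sha2-256,rsa-sha2-512,ssh-rsa
debug1: kex: host key algorithm: rsa-sha2-512
debug1: Offering public key: /Users/me/.ssh/id_rsa RSA SHA256:EXAMPLEFINGERPRINT
debug1: send_pubkey_test: no mutual signature algorithm
yy@xx: Permission denied (publickey).
"""

# Constructed sample of the second failure mode (old sshd that only offers ssh-rsa).
HOSTKEY_FAIL_LOG = (
    "Unable to negotiate with 203.0.113.10 port 22: "
    "no matching host key type found. Their offer: ssh-rsa\n"
)

# Constructed sample of a healthy session, to show that nothing is suggested then.
OK_LOG = """\
debug1: Offering public key: /Users/me/.ssh/id_ed25519 ED25519 SHA256:EXAMPLE
debug1: Server accepts key: /Users/me/.ssh/id_ed25519 ED25519 SHA256:EXAMPLE
debug1: Authentication succeeded (publickey).
"""


@dataclass
class Diagnosis:
    server_hostkey_algs: list = field(default_factory=list)
    offered_rsa_key: bool = False
    no_mutual_sig_alg: bool = False
    hostkey_offer_sha1_only: bool = False

    @property
    def needs_pubkey_legacy(self) -> bool:
        # An RSA user key was offered and client/server found no common signature algorithm.
        return self.offered_rsa_key and self.no_mutual_sig_alg

    @property
    def needs_hostkey_legacy(self) -> bool:
        # The server's host key can only be verified with an ssh-rsa (SHA-1) signature.
        return self.hostkey_offer_sha1_only


def diagnose(debug_output: str) -> Diagnosis:
    """Scan ssh -vvv output for the lines that distinguish the two ssh-rsa failure modes."""
    d = Diagnosis()
    in_server_proposal = False
    for line in debug_output.splitlines():
        if "peer server KEXINIT proposal" in line:
            in_server_proposal = True
        elif "local client KEXINIT proposal" in line:
            in_server_proposal = False
        # Plural "algorithms:" matches the proposal lines, not "kex: host key algorithm:".
        m = re.search(r"host key algorithms: (.*)$", line)
        if m and in_server_proposal:
            d.server_hostkey_algs = [a for a in m.group(1).split(",") if a]
        if re.search(r"Offering public key: \S+ RSA ", line):
            d.offered_rsa_key = True
        if "no mutual signature algorithm" in line:
            d.no_mutual_sig_alg = True
        m = re.search(r"no matching host key type found\. Their offer: (.*)$", line)
        if m:
            offer = [a.strip() for a in m.group(1).split(",") if a.strip()]
            d.server_hostkey_algs = offer
            d.hostkey_offer_sha1_only = offer == ["ssh-rsa"]
    return d


def suggested_options(d: Diagnosis) -> list:
    """Return only the ssh_config options the evidence calls for."""
    opts = []
    if d.needs_pubkey_legacy:
        opts.append("PubkeyAcceptedAlgorithms +ssh-rsa")
    if d.needs_hostkey_legacy:
        opts.append("HostKeyAlgorithms +ssh-rsa")
    return opts


def render_host_block(host: str, hostname: str, user: str, extra_opts: list) -> str:
    """Render a Host block so the legacy options stay scoped to one server, not Host *."""
    lines = [f"Host {host}", f"    HostName {hostname}", f"    User {user}"]
    lines += [f"    {o}" for o in extra_opts]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    for name, log in (("pubkey", PUBKEY_FAIL_LOG), ("hostkey", HOSTKEY_FAIL_LOG), ("ok", OK_LOG)):
        print(name, suggested_options(diagnose(log)))
    print(render_host_block("xx", "xx", "yy", suggested_options(diagnose(PUBKEY_FAIL_LOG))))
```

`+ssh-rsa` re-enables RSA signatures over SHA-1, which OpenSSH switched off by default in 8.8; keeping the option inside the `Host` block for the one server that needs it, rather than under `Host *`, limits the downgrade to that server, and it is best treated as a stopgap until that server's sshd is updated.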
