1. Background and the quick fix
1.1 Symptoms
Yesterday I upgraded my MBP to Ventura. The next time I used ssh to connect to a server (Ubuntu 20.04), it failed outright:
ssh xx
yy@xx, Permission denied (publickey)
For convenience I had set up passwordless login, with the following entry in ~/.ssh/config:
Host xx
HostName xx
User yy
ServerAliveInterval 20
ServerAliveCountMax 999
1.2 Quick fix
On the Mac, edit ~/.ssh/config and add two lines:
Host xx
HostName xx
User yy
ServerAliveInterval 20
ServerAliveCountMax 999
PubkeyAcceptedAlgorithms +ssh-rsa
HostkeyAlgorithms +ssh-rsa
2. How the troubleshooting went
It seemed odd, since everything had worked fine before the upgrade. So I turned on debug output and ran ssh on the client (macOS):
➜ ~ ssh tenet -vvv
OpenSSH_9.0p1, LibreSSL 3.3.6
debug1: Reading configuration data /Users/chinglin/.ssh/config
debug1: /Users/chinglin/.ssh/config line 89: Applying options for tenet
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 21: include /etc/ssh/ssh_config.d/* matched no files
debug1: /etc/ssh/ssh_config line 54: Applying options for *
debug3: expanded UserKnownHostsFile '~/.ssh/known_hosts' -> '/Users/chinglin/.ssh/known_hosts'
debug3: expanded UserKnownHostsFile '~/.ssh/known_hosts2' -> '/Users/chinglin/.ssh/known_hosts2'
debug1: Authenticator provider $SSH_SK_PROVIDER did not resolve; disabling
debug1: Connecting to xx port 22.
debug1: Connection established.
debug1: identity file /Users/chinglin/.ssh/id_rsa type 0
debug1: identity file /Users/chinglin/.ssh/id_rsa-cert type -1
debug1: identity file /Users/chinglin/.ssh/id_ecdsa type -1
debug1: identity file /Users/chinglin/.ssh/id_ecdsa-cert type -1
debug1: identity file /Users/chinglin/.ssh/id_ecdsa_sk type -1
debug1: identity file /Users/chinglin/.ssh/id_ecdsa_sk-cert type -1
debug1: identity file /Users/chinglin/.ssh/id_ed25519 type -1
debug1: identity file /Users/chinglin/.ssh/id_ed25519-cert type -1
debug1: identity file /Users/chinglin/.ssh/id_ed25519_sk type -1
debug1: identity file /Users/chinglin/.ssh/id_ed25519_sk-cert type -1
debug1: identity file /Users/chinglin/.ssh/id_xmss type -1
debug1: identity file /Users/chinglin/.ssh/id_xmss-cert type -1
debug1: identity file /Users/chinglin/.ssh/id_dsa type -1
debug1: identity file /Users/chinglin/.ssh/id_dsa-cert type -1
debug1: Local version string SSH-2.0-OpenSSH_9.0
debug1: Remote protocol version 2.0, remote software version Go
debug1: compat_banner: no match: Go
debug3: fd 5 is O_NONBLOCK
debug1: Authenticating to xx:22 as 'yy'
debug3: record_hostkey: found key type RSA in file /Users/chinglin/.ssh/known_hosts:12
debug3: load_hostkeys_file: loaded 1 keys from xx
debug1: load_hostkeys: fopen /Users/chinglin/.ssh/known_hosts2: No such file or directory
debug1: load_hostkeys: fopen /etc/ssh/ssh_known_hosts: No such file or directory
debug1: load_hostkeys: fopen /etc/ssh/ssh_known_hosts2: No such file or directory
debug3: order_hostkeyalgs: prefer hostkeyalgs: rsa-sha2-512-cert-v01@openssh.com,rsa-sha2-256-cert-v01@openssh.com,rsa-sha2-512,rsa-sha2-256
debug3: send packet: type 20
debug1: SSH2_MSG_KEXINIT sent
debug3: receive packet: type 20
debug1: SSH2_MSG_KEXINIT received
debug2: local client KEXINIT proposal
debug2: KEX algorithms: sntrup761x25519-sha512@openssh.com,curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256,ext-info-c
debug2: host key algorithms: rsa-sha2-512-cert-v01@openssh.com,rsa-sha2-256-cert-v01@openssh.com,rsa-sha2-512,rsa-sha2-256,ssh-ed25519-cert-v01@openssh.com,ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521-cert-v01@openssh.com,ssh-ed25519,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521
debug2: ciphers ctos: chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com
debug2: ciphers stoc: chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com
debug2: MACs ctos: umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1
debug2: MACs stoc: umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1
debug2: compression ctos: none,zlib@openssh.com,zlib
debug2: compression stoc: none,zlib@openssh.com,zlib
debug2: languages ctos:
debug2: languages stoc:
debug2: first_kex_follows 0
debug2: reserved 0
debug2: peer server KEXINIT proposal
debug2: KEX algorithms: curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group14-sha256,diffie-hellman-group14-sha1
debug2: host key algorithms: rsa-sha2-256,rsa-sha2-512,ssh-rsa
debug2: ciphers ctos: aes128-gcm@openssh.com,chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr
debug2: ciphers stoc: aes128-gcm@openssh.com,chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr
debug2: MACs ctos: hmac-sha2-256-etm@openssh.com,hmac-sha2-256,hmac-sha1,hmac-sha1-96
debug2: MACs stoc: hmac-sha2-256-etm@openssh.com,hmac-sha2-256,hmac-sha1,hmac-sha1-96
debug2: compression ctos: none
debug2: compression stoc: none
debug2: languages ctos:
debug2: languages stoc:
debug2: first_kex_follows 0
debug2: reserved 0
debug1: kex: algorithm: curve25519-sha256
debug1: kex: host key algorithm: rsa-sha2-512
debug1: kex: server->client cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none
debug1: kex: client->server cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none
debug3: send packet: type 30
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug3: receive packet: type 31
debug1: SSH2_MSG_KEX_ECDH_REPLY received
debug1: Server host key: ssh-rsa SHA256:QsAZ/hhTE4sWJRFfZPQaoANh5UT1Io3KXkpRVm2TP64
debug3: record_hostkey: found key type RSA in file /Users/chinglin/.ssh/known_hosts:12
debug3: load_hostkeys_file: loaded 1 keys from xx
debug1: load_hostkeys: fopen /Users/chinglin/.ssh/known_hosts2: No such file or directory
debug1: load_hostkeys: fopen /etc/ssh/ssh_known_hosts: No such file or directory
debug1: load_hostkeys: fopen /etc/ssh/ssh_known_hosts2: No such file or directory
debug1: Host 'xx' is known and matches the RSA host key.
debug1: Found key in /Users/chinglin/.ssh/known_hosts:12
debug3: send packet: type 21
debug2: ssh_set_newkeys: mode 1
debug1: rekey out after 134217728 blocks
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug3: receive packet: type 21
debug1: SSH2_MSG_NEWKEYS received
debug2: ssh_set_newkeys: mode 0
debug1: rekey in after 134217728 blocks
debug1: get_agent_identities: bound agent to hostkey
debug1: get_agent_identities: ssh_fetch_identitylist: agent contains no identities
debug1: Will attempt key: /Users/chinglin/.ssh/id_rsa RSA SHA256:NtRGcC/eAf+59Muf5HQM6t8pKXJL6a/MVAjCIizguvc
debug1: Will attempt key: /Users/chinglin/.ssh/id_ecdsa
debug1: Will attempt key: /Users/chinglin/.ssh/id_ecdsa_sk
debug1: Will attempt key: /Users/chinglin/.ssh/id_ed25519
debug1: Will attempt key: /Users/chinglin/.ssh/id_ed25519_sk
debug1: Will attempt key: /Users/chinglin/.ssh/id_xmss
debug1: Will attempt key: /Users/chinglin/.ssh/id_dsa
debug2: pubkey_prepare: done
debug3: send packet: type 5
debug3: receive packet: type 6
debug2: service_accept: ssh-userauth
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug3: send packet: type 50
debug3: receive packet: type 51
debug1: Authentications that can continue: publickey
debug3: start over, passed a different list publickey
debug3: preferred publickey,keyboard-interactive,password
debug3: authmethod_lookup publickey
debug3: remaining preferred: keyboard-interactive,password
debug3: authmethod_is_enabled publickey
debug1: Next authentication method: publickey
debug1: Offering public key: /Users/chinglin/.ssh/id_rsa RSA SHA256:XYXYXYXYXYXYXY(replaced with random value)
debug1: send_pubkey_test: no mutual signature algorithm
debug1: Trying private key: /Users/chinglin/.ssh/id_ecdsa
debug3: no such identity: /Users/chinglin/.ssh/id_ecdsa: No such file or directory
debug1: Trying private key: /Users/chinglin/.ssh/id_ecdsa_sk
debug3: no such identity: /Users/chinglin/.ssh/id_ecdsa_sk: No such file or directory
debug1: Trying private key: /Users/chinglin/.ssh/id_ed25519
debug3: no such identity: /Users/chinglin/.ssh/id_ed25519: No such file or directory
debug1: Trying private key: /Users/chinglin/.ssh/id_ed25519_sk
debug3: no such identity: /Users/chinglin/.ssh/id_ed25519_sk: No such file or directory
debug1: Trying private key: /Users/chinglin/.ssh/id_xmss
debug3: no such identity: /Users/chinglin/.ssh/id_xmss: No such file or directory
debug1: Trying private key: /Users/chinglin/.ssh/id_dsa
debug3: no such identity: /Users/chinglin/.ssh/id_dsa: No such file or directory
debug2: we did not send a packet, disable method
debug1: No more authentication methods to try.
yy@xx: Permission denied (publickey).
Nothing obviously wrong stood out there. The server with the problem runs Ubuntu 20.04. Fortunately I have other servers as well:
- Rocky Linux 9: works
- Ubuntu 18.04: fails
But when the Ubuntu 18.04 one fails, it at least gives this message:
Unable to negotiate with ww.xx.yy.zz port 22: no matching host key type found. Their offer: ssh-rsa
That made me suspect that the Mac's ssh client had been upgraded and was no longer compatible with some of the cryptographic authentication methods.
Upgrades of these tools (ssh) have been fairly aggressive across distributions lately, and Ubuntu 18.04 feels like it comes from ancient times.
Following that thread, I found the explanation on Stack Overflow:
Unable to negotiate with 40.74.28.9 port 22: no matching host key type found. Their offer: ssh-rsa
The gist is that there are many ssh-rsa algorithms and you have to specify a particular one. The following should be added to the ssh config on the Mac:
PubkeyAcceptedAlgorithms +ssh-rsa
HostkeyAlgorithms +ssh-rsa
Sure enough, once those were added, access worked again. But the real reason is this:
macOS Ventura upgraded ssh to 9.0 and the SSL library (LibreSSL) to 3.3.6
# on my mac
➜ ~ sshd --help
sshd: illegal option -- -
OpenSSH_9.0p1, LibreSSL 3.3.6
usage: sshd [-46DdeiqTt] [-C connection_spec] [-c host_cert_file]
[-E log_file] [-f config_file] [-g login_grace_time]
[-h host_key_file] [-o option] [-p port] [-u len]
whereas the sshd on the server is still the old version:
# on my server
➜ ~ sshd -v
unknown option -- v
OpenSSH_8.2p1 Ubuntu-4ubuntu0.5, OpenSSL 1.1.1f 31 Mar 2020
usage: sshd [-46DdeiqTt] [-C connection_spec] [-c host_cert_file]
[-E log_file] [-f config_file] [-g login_grace_time]
[-h host_key_file] [-o option] [-p port] [-u len]
In short, the old ssh and SSL library on the server do not interoperate cleanly with the newer ssh and SSL library on the Mac, so a few backwards-compatibility options have to be added on the Mac side.
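As an added example (not from the original post), the following Python replays the RFC 4253 algorithm negotiation over the two KEXINIT proposals in the debug output above and then the client's choice of publickey signature algorithm, which is where "no mutual signature algorithm" comes from: plain ssh-rsa means RSA signatures over SHA-1, which OpenSSH dropped from its client defaults in 8.8, so "+ssh-rsa" re-enables a weak algorithm for that one host. The default list and the server-sig-algs handling are simplified models of OpenSSH's behaviour, not its code.

```python
import re
# Constructed from the debug2 proposal lines of the `ssh -vvv` output above
# (lists shortened to the entries that decide the outcome).
CLIENT_KEXINIT = """\
debug2: KEX algorithms: sntrup761x25519-sha512@openssh.com,curve25519-sha256,ecdh-sha2-nistp256,ext-info-c
debug2: host key algorithms: rsa-sha2-512,rsa-sha2-256,ssh-ed25519,ecdsa-sha2-nistp256
debug2: ciphers ctos: chacha20-poly1305@openssh.com,aes128-ctr,aes256-gcm@openssh.com
"""
SERVER_KEXINIT = """\
debug2: KEX algorithms: curve25519-sha256,ecdh-sha2-nistp256,diffie-hellman-group14-sha1
debug2: host key algorithms: rsa-sha2-256,rsa-sha2-512,ssh-rsa
debug2: ciphers ctos: aes128-gcm@openssh.com,chacha20-poly1305@openssh.com,aes128-ctr
"""
FIELD = re.compile(r"^debug2: (KEX algorithms|host key algorithms|ciphers ctos): (.*)$", re.M)

def parse_proposal(text):
    """debug2 proposal lines -> {category: [algorithms in preference order]}."""
    return {m.group(1): m.group(2).split(",") for m in FIELD.finditer(text)}

def negotiate(client, server):
    """RFC 4253 7.1: per category, the first client-preferred algorithm the
    server also offers wins; None means the connection fails."""
    return {cat: next((a for a in prefs if a in server.get(cat, [])), None)
            for cat, prefs in client.items()}

# Abbreviated stand-in for the OpenSSH 9.0 client default, which no longer
# contains plain ssh-rsa (RSA signatures over SHA-1); the real list is longer.
DEFAULT_PUBKEY_ACCEPTED = ["ssh-ed25519", "rsa-sha2-512", "rsa-sha2-256"]
RSA_FAMILY = ("rsa-sha2-512", "rsa-sha2-256", "ssh-rsa")

def effective_list(setting=None, default=DEFAULT_PUBKEY_ACCEPTED):
    """ssh_config list syntax: '+x' appends to the default, '-x' removes from it,
    '^x' moves x to the front, a bare list replaces the default, None keeps it."""
    if not setting:
        return list(default)
    op = setting[0] if setting[0] in "+-^" else ""
    items = setting[len(op):].split(",")
    if op == "+":
        return default + [a for a in items if a not in default]
    if op == "-":
        return [a for a in default if a not in items]
    return items + [a for a in default if a not in items] if op == "^" else items

def rsa_signature_alg(pubkey_accepted, server_sig_algs=None):
    """Signature algorithm the client picks for an RSA key, walking PubkeyAcceptedAlgorithms
    in order; with no server-sig-algs extension from the server only ssh-rsa is eligible."""
    for alg in (a for a in pubkey_accepted if a in RSA_FAMILY):
        if (alg in server_sig_algs) if server_sig_algs is not None else alg == "ssh-rsa":
            return alg
    return None  # ssh then logs "send_pubkey_test: no mutual signature algorithm"
```

With the default list the RSA key has no usable signature algorithm, exactly the failure in the log; with "+ssh-rsa" it signs with SHA-1, while a server that advertises rsa-sha2-* in server-sig-algs would not need the workaround at all.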