解决 ssh 找不到对应主机密钥类型
Posted 程序员翔仔
tags:
篇首语:本文由小常识网(cha138.com)小编为大家整理,主要介绍了解决 ssh 找不到对应主机密钥类型相关的知识,希望对你有一定的参考价值。
如果最近升级到了 openssh 8.8 版,你会发现连接某些之前连接得好好的服务器突然无法连接。
解决办法
如果最近升级到了 openssh 8.8 版,你会发现连接某些之前连接得好好的服务器突然无法连接:
Unable to negotiate with x.x.x.x port 2222: no matching host key type found. Their offer: ssh-rsa
解决办法是 ssh 命令指定算法:
ssh -o HostKeyAlgorithms=+ssh-rsa -o PubkeyAcceptedKeyTypes=+ssh-rsa user@host -p 2222
上面比较麻烦,可以修改 ssh 配置文件 ~/.ssh/config
,对于无法成功连接的 host,增加以下配置项:
HostKeyAlgorithms +ssh-rsa
PubkeyAcceptedKeyTypes +ssh-rsa
完整的配置如下:
Host jump
Port 2222
HostName x.x.x.x
User ***
IdentityFile ~/.ssh/id_rsa
UseKeychain yes
AddKeysToAgent yes
PreferredAuthentications publickey
HostKeyAlgorithms +ssh-rsa
PubkeyAcceptedKeyTypes +ssh-rsa
问题原因
根据 OpenSSH 8.8 Release Notes 信息:
This release disables RSA signatures using the SHA-1 hash algorithm
by default. This change has been made as the SHA-1 hash algorithm is
cryptographically broken, and it is possible to create chosen-prefix
hash collisions for <USD$50K [1]
For most users, this change should be invisible and there is
no need to replace ssh-rsa keys. OpenSSH has supported RFC8332
RSA/SHA-256/512 signatures since release 7.2 and existing ssh-rsa keys
will automatically use the stronger algorithm where possible.
Incompatibility is more likely when connecting to older SSH
implementations that have not been upgraded or have not closely tracked
improvements in the SSH protocol. For these cases, it may be necessary
to selectively re-enable RSA/SHA1 to allow connection and/or user
authentication via the HostkeyAlgorithms and PubkeyAcceptedAlgorithms
options. For example, the following stanza in ~/.ssh/config will enable
RSA/SHA1 for host and user authentication for a single destination host:
Host old-host
HostkeyAlgorithms +ssh-rsa
PubkeyAcceptedAlgorithms +ssh-rsa
We recommend enabling RSA/SHA1 only as a stopgap measure until legacy
implementations can be upgraded or reconfigured with another key type
(such as ECDSA or Ed25519).
从这里可以知道,从 openssh 8.8 版本开始默认禁用了 ssh-rsa 算法,对于大部分情况,这次的更改是无感知的,当服务器仅支持 ssh-rsa 算法时才会出现不兼容的情况。
本地启用 RSA/SHA1 支持仅仅只是一种权宜之计,官方建议是升级密钥算法或使用另一种密钥算法(例如 ECDSA 或 Ed25519 算法)。
以上是关于解决 ssh 找不到对应主机密钥类型的主要内容,如果未能解决你的问题,请参考以下文章
Git 错误:无法与 XX.XX.XXX.XXX 协商:找不到匹配的主机密钥类型。他们的提议:ssh-dss [重复]
Gitlab 自动部署已停止工作,服务器日志中出现“找不到匹配的主机密钥类型”错误
Paramiko 在 Windows 上找不到来自 ssh-agent 的密钥