ssh Permission denied (publickey) after upgrading to Fedora 33
I have been trying many of the answers to this Stack Overflow question, like the one I am asking now, but still cannot solve my problem. I am trying to clone over ssh but always get Permission denied (publickey).
When I run GIT_SSH_COMMAND="ssh -vvv" git clone git@bitbucket.org:myusername/my-api.git:
debug1: kex: algorithm: curve25519-sha256@libssh.org
debug1: kex: host key algorithm: ssh-rsa
debug1: kex: server->client cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none
debug1: kex: client->server cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none
debug1: kex: curve25519-sha256@libssh.org need=64 dh_need=64
debug1: kex: curve25519-sha256@libssh.org need=64 dh_need=64
debug3: send packet: type 30
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug3: receive packet: type 31
debug1: Server host key: ssh-rsa SHA256:kkXQOXSRBEiUtuE8AikLLLwbHaxvSc0ojez9YXaGp2A
debug3: hostkeys_foreach: reading file "/home/alienwarepocket/.ssh/known_hosts"
debug3: record_hostkey: found key type RSA in file /home/alienwarepocket/.ssh/known_hosts:1
debug3: load_hostkeys: loaded 1 keys from bitbucket.org
debug3: hostkeys_foreach: reading file "/home/alienwarepocket/.ssh/known_hosts"
debug3: record_hostkey: found key type RSA in file /home/alienwarepocket/.ssh/known_hosts:3
debug3: load_hostkeys: loaded 1 keys from 18.205.93.2
debug1: Host 'bitbucket.org' is known and matches the RSA host key.
debug1: Found key in /home/alienwarepocket/.ssh/known_hosts:1
debug3: send packet: type 21
debug2: set_newkeys: mode 1
debug1: rekey out after 134217728 blocks
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug3: receive packet: type 21
debug1: SSH2_MSG_NEWKEYS received
debug2: set_newkeys: mode 0
debug1: rekey in after 134217728 blocks
debug1: Will attempt key: /home/alienwarepocket/.ssh/id_rsa RSA SHA256:ktMzaalYyvU9Ev1bgELXatabkUkdcT828O0PppnNiV4M explicit agent
debug2: pubkey_prepare: done
debug3: send packet: type 5
debug3: receive packet: type 6
debug2: service_accept: ssh-userauth
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug3: send packet: type 50
debug3: receive packet: type 51
debug1: Authentications that can continue: publickey
debug3: start over, passed a different list publickey
debug3: preferred gssapi-with-mic,publickey,keyboard-interactive,password
debug3: authmethod_lookup publickey
debug3: remaining preferred: keyboard-interactive,password
debug3: authmethod_is_enabled publickey
debug1: Next authentication method: publickey
debug1: Offering public key: /home/alienwarepocket/.ssh/id_rsa RSA SHA256:ktMzaalYyvU9Ev1bgELXatabkUkdcT828O0PppnNiV4M explicit agent
debug1: send_pubkey_test: no mutual signature algorithm
debug2: we did not send a packet, disable method
debug1: No more authentication methods to try.
git@bitbucket.org: Permission denied (publickey).
fatal: Could not read from remote repository.
I ran into this issue after I upgraded to Fedora 33; on Fedora 32 there was no problem.
This might be related to "Changes/StrongCryptoSettings2 in Fedora 33".
The changes for default policy are:
- Keep only TLS 1.2 (and TLS 1.3 when available) as enabled protocols and move the TLS 1.x, x<=1 to legacy level.
- Require finite field parameters (RSA, Diffie-Hellman) of 2048 and more in the default settings
- Disable SHA1 support for use in signatures (X.509 certificates, TLS, IPSEC handshakes)
The "Upgrade/compatibility impact" section of the above link explicitly mentions:
It may be that the new settings break software that connects to servers which utilize weak algorithms.
Compatibility can be obtained by switching the system to Fedora 32 policy level:
update-crypto-policies --set DEFAULT:FEDORA32
Not recommended though: if you can use ed25519, that would be better.
As in Peque's answer, you can add to your ~/.ssh/config an option initially found in sshd_config:
PubkeyAcceptedKeyTypes
Specifies the key types that will be accepted for public key
authentication as a list of comma-separated patterns.
So if you cannot use ed25519, you can, for a specific host, allow the use of the id_rsa key:
Host aHost
Hostname a.hostname.com
PubkeyAcceptedKeyTypes +ssh-rsa
Finally: double-check your permissions after the upgrade:
~/.ssh is 775 (drwxrwxr-x).
~/.ssh/id_rsa is 600 (-rw-------).
~/.ssh/id_rsa.pub is 644 (-rw-r--r--).
~/.ssh/config is 600 (-rw-------).
~/.ssh/authorized_keys on the remote server is 600 (-rw-------).
But now it seems recommended to use ssh-keygen -t ed25519 keys.
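As an added example (not part of any answer on this page), a small POSIX shell script that audits a ~/.ssh directory against exactly the modes the answer above lists; it assumes GNU stat (-c '%a') with a BSD stat (-f '%Lp') fallback, and the function names are this example's own.

```shell
#!/bin/sh
# Audit a ~/.ssh directory against the modes listed in the answer above.
# Added example, not the answer's own code. Assumes GNU stat (-c '%a') or BSD stat (-f '%Lp').

# check_mode PATH EXPECTED_OCTAL
#   Prints one status line. Returns 0 on match, 1 on mismatch, 2 if PATH does not exist.
check_mode() {
    path=$1
    want=$2
    if [ ! -e "$path" ]; then
        printf 'missing %s\n' "$path"
        return 2
    fi
    have=$(stat -c '%a' "$path" 2>/dev/null || stat -f '%Lp' "$path")
    if [ "$have" = "$want" ]; then
        printf 'ok      %s is %s\n' "$path" "$have"
        return 0
    fi
    printf 'WRONG   %s is %s, expected %s\n' "$path" "$have" "$want"
    return 1
}

# audit_ssh_dir [DIR]
#   DIR defaults to $HOME/.ssh. Checks the directory itself and each file the answer
#   lists; files that do not exist are skipped (a client may have no authorized_keys
#   or config). Returns the number of entries whose mode differs from the list.
audit_ssh_dir() {
    dir=${1:-$HOME/.ssh}
    bad=0
    check_mode "$dir" 775 || bad=$((bad + 1))
    # name:mode pairs, exactly as the answer above gives them
    for entry in id_rsa:600 id_rsa.pub:644 config:600 authorized_keys:600; do
        name=${entry%%:*}
        want=${entry#*:}
        [ -e "$dir/$name" ] || continue
        check_mode "$dir/$name" "$want" || bad=$((bad + 1))
    done
    return "$bad"
}
```

Source the file and call audit_ssh_dir with no argument to check the real ~/.ssh, or pass a directory to check another location; a non-zero exit status means something needs a chmod.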
@VonC Yes, I upgraded to Fedora 33 and ran into this permission issue. Running the following command fixed it:
update-crypto-policies --set DEFAULT:FEDORA32
Thanks for sharing the article.
Instead of changing crypto policies globally, you may rather downgrade security per host.
You can update the configuration for specific legacy hosts in your .ssh/config file by adding:
Host legacy.host
PubkeyAcceptedKeyTypes +ssh-rsa
For details, check this discussion in Bugzilla.