Git Bash - ssh 连接问题
Git Bash - ssh connection issue
环境:
OS: Windows-10
Git Bash Version: 2.33.1
OpenSSH_8.8p1, OpenSSL 1.1.1l 24 Aug 2021
$ which ssh
/usr/bin/ssh
SSH 连接到 Gerrit 错误:-
$ ssh -p 29418 user@gerrit.example.com
Unable to negotiate with gerrit.example.com port 29418: no matching host key type found. Their offer: ssh-rsa,ssh-dss
在 Git-2.32.0 中,到 gerrit 的 ssh 连接有效。最新的 git 版本是否启用了任何限制?
Git For Windows 2.33.1 comes with OpenSSH 8.8 默认禁用使用 SHA-1 哈希算法的 RSA 签名。
For most users, this change should be invisible and there is
no need to replace ssh-rsa keys.
OpenSSH has supported RFC8332
RSA/SHA-256/512 signatures since release 7.2 and existing ssh-rsa keys
will automatically use the stronger algorithm where possible.
Incompatibility is more likely when connecting to older SSH
implementations that have not been upgraded or have not closely tracked
improvements in the SSH protocol.
For these cases, it may be necessary
to selectively re-enable RSA/SHA1 to allow connection and/or user
authentication via the HostkeyAlgorithms and PubkeyAcceptedAlgorithms
options.
For example, the following stanza in ~/.ssh/config will enable
RSA/SHA1 for host and user authentication for a single destination host:
Host old-host
HostkeyAlgorithms +ssh-rsa
PubkeyAcceptedAlgorithms +ssh-rsa
注意:Git for Windows 2.34.0 不会在 SSH 前端带来任何新的 element/evolution。
Stefan Prodan (DX @weaveworks, creator of http://flagger.app and maintainer of http://fluxcd.io) mentions in this tweet:
GitHub has changed its host keys
If you're using @fluxcd please see here how to update the known hosts keys on your Kubernetes clusters.
Stefan 指的是 fluxcd/flux2 discussion 2097:
GitHub has changed its SSH host keys from RSA to ECDSA!
To fix the key mismatch error, you have two options:
- Update the
known_hosts in the flux-system secret with the ecdsa-sha2-nistp25 value:
github.com ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBEmKSENjQEezOmxkZMy7opKgwFB9nkt5YRrYMjNuG5N87uRgg6CLrbo5wAdT/y6v0mKV0U2w0WZ2YB/++Tpockg=
- Or rotate the SSH keys with flux boostrap like so:
- delete the deploy key secret from your cluster
kubectl -n flux-system delete secret flux-system
- rerun
flux bootstrap github with the same arguments as before
Flux will generate the secret with ecdsa-sha2 SSH key and Host key
More details on fluxcd/source-controller#490
注:since Jan. 2022, the GitHub SSH Host key are available through a metadata endpoint api.github.com/meta.
这包括 github.com ecdsa-sha2-nistp256 值。
环境:
OS: Windows-10
Git Bash Version: 2.33.1
OpenSSH_8.8p1, OpenSSL 1.1.1l 24 Aug 2021
$ which ssh
/usr/bin/ssh
SSH 连接到 Gerrit 错误:-
$ ssh -p 29418 user@gerrit.example.com
Unable to negotiate with gerrit.example.com port 29418: no matching host key type found. Their offer: ssh-rsa,ssh-dss
在 Git-2.32.0 中,到 gerrit 的 ssh 连接有效。最新的 git 版本是否启用了任何限制?
Git For Windows 2.33.1 comes with OpenSSH 8.8 默认禁用使用 SHA-1 哈希算法的 RSA 签名。
For most users, this change should be invisible and there is no need to replace ssh-rsa keys.
OpenSSH has supported RFC8332 RSA/SHA-256/512 signatures since release 7.2 and existing ssh-rsa keys will automatically use the stronger algorithm where possible.Incompatibility is more likely when connecting to older SSH implementations that have not been upgraded or have not closely tracked improvements in the SSH protocol.
For these cases, it may be necessary to selectively re-enable RSA/SHA1 to allow connection and/or user authentication via the HostkeyAlgorithms and PubkeyAcceptedAlgorithms options.
For example, the following stanza in ~/.ssh/config will enable RSA/SHA1 for host and user authentication for a single destination host:Host old-host HostkeyAlgorithms +ssh-rsa PubkeyAcceptedAlgorithms +ssh-rsa
注意:Git for Windows 2.34.0 不会在 SSH 前端带来任何新的 element/evolution。
Stefan Prodan (DX @weaveworks, creator of http://flagger.app and maintainer of http://fluxcd.io) mentions in this tweet:
GitHub has changed its host keys
If you're using @fluxcd please see here how to update the known hosts keys on your Kubernetes clusters.
Stefan 指的是 fluxcd/flux2 discussion 2097:
GitHub has changed its SSH host keys from RSA to ECDSA!
To fix the key mismatch error, you have two options:
- Update the
known_hostsin the flux-system secret with the ecdsa-sha2-nistp25 value:
github.com ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBEmKSENjQEezOmxkZMy7opKgwFB9nkt5YRrYMjNuG5N87uRgg6CLrbo5wAdT/y6v0mKV0U2w0WZ2YB/++Tpockg=
- Or rotate the SSH keys with flux boostrap like so:
- delete the deploy key secret from your cluster
kubectl -n flux-system delete secret flux-system- rerun
flux bootstrap githubwith the same arguments as beforeFlux will generate the secret with ecdsa-sha2 SSH key and Host key
More details on
fluxcd/source-controller#490
注:since Jan. 2022, the GitHub SSH Host key are available through a metadata endpoint api.github.com/meta.
这包括 github.com ecdsa-sha2-nistp256 值。