AWS CodeCommit fails to authenticate via ssh after upgrading to Ubuntu 22.04 (Jammy)

I just upgraded my desktop to Ubuntu 22.04. When I try to push to one of my git repositories on AWS CodeCommit (using ssh), I get:

$ git push origin master
Unable to negotiate with 52.94.226.180 port 22: no matching host key type found. Their offer: ssh-rsa
fatal: Could not read from remote repository.

Please make sure you have the correct access rights
and the repository exists.

If I try the same thing on a machine running a previous version of Ubuntu, with the same key and ssh config, the push succeeds:

$ git push origin master
[master 879fbb1] -
 1 file changed, 0 insertions(+), 0 deletions(-)
 create mode 100755 Blah.pdf
To ssh://git-codecommit.us-east-1.amazonaws.com/v1/repos/my_repo
   e360ec8..879fbb1  master -> master

I added HostKeyAlgorithms +ssh-rsa to the entry in my ~/.ssh/config, so it looks like this:

Host git-codecommit.*.amazonaws.com
  HostKeyAlgorithms +ssh-rsa
  IdentityFile ~/.ssh/codecommit_rsa
  User XXXXXXXX

Now I get a different error:

$ git push origin master
APKAIKOVHJDF7L22TRPA@git-codecommit.us-east-1.amazonaws.com: Permission denied (publickey).
fatal: Could not read from remote repository.

Please make sure you have the correct access rights
and the repository exists.

Maybe this helps?

$ sudo scanssh -s ssh 52.94.226.180
52.94.226.180:22 SSH-2.0-AWSCodeCommit VGh1LCAyOCBBcHIgMjAyMiAyMDozOToyMSArMDAwMFRE84lk14QcsWNrhwqxNLNmRuhBFhi2T0uc9R+6yS0sQklQWVZaOGpobGJHYWdvUER3MHhUVTYzY3c5SzlXSEFNOTRYNWdKMW0yY3M9
Effective host scan rate: 1.02 hosts/s

Add the line PubkeyAcceptedKeyTypes +ssh-rsa to your ~/.ssh/config entry as well, so it looks like this:

Host git-codecommit.*.amazonaws.com
  IdentityFile ~/.ssh/codecommit_rsa
  User XXXXXXXX
  HostKeyAlgorithms +ssh-rsa
  PubkeyAcceptedKeyTypes +ssh-rsa

More information about this issue:

Ubuntu 22.04 ships with a new version of ssh (OpenSSH 8.9p1), whereas previous Ubuntu releases used OpenSSH 8.4p1 or earlier.

OpenSSH 8.8p1 introduced a major change: RSA signatures using the SHA-1 hash algorithm are disabled by default.

From the OpenSSH Release Notes:

This release disables RSA signatures using the SHA-1 hash algorithm by default. This change has been made as the SHA-1 hash algorithm is cryptographically broken, and it is possible to create chosen-prefix hash collisions for <USD50K [1]

For most users, this change should be invisible and there is no need to replace ssh-rsa keys. OpenSSH has supported RFC8332 RSA/SHA-256/512 signatures since release 7.2 and existing ssh-rsa keys will automatically use the stronger algorithm where possible.

Incompatibility is more likely when connecting to older SSH implementations that have not been upgraded or have not closely tracked improvements in the SSH protocol. For these cases, it may be necessary to selectively re-enable RSA/SHA1 to allow connection and/or user authentication via the HostkeyAlgorithms and PubkeyAcceptedAlgorithms options. For example, the following stanza in ~/.ssh/config will enable RSA/SHA1 for host and user authentication for a single destination host:

Host old-host
    HostkeyAlgorithms +ssh-rsa
    PubkeyAcceptedAlgorithms +ssh-rsa

We recommend enabling RSA/SHA1 only as a stopgap measure until legacy implementations can be upgraded or reconfigured with another key type (such as ECDSA or Ed25519).

[1] "SHA-1 is a Shambles: First Chosen-Prefix Collision on SHA-1 and Application to the PGP Web of Trust" Leurent, G and Peyrin, T (2020) https://eprint.iacr.org/2020/014.pdf
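As an added example (not part of the question or the answer above, and not OpenSSH's own code), the following Python script models how the OpenSSH client resolves these two options from ~/.ssh/config: Host patterns are matched with glob rules, the first stanza that sets an option wins, and a value starting with "+" appends to the built-in default list rather than replacing it, which is why "+ssh-rsa" keeps the stronger rsa-sha2-* algorithms while re-enabling the legacy one only for the matching hosts. It also treats PubkeyAcceptedKeyTypes as an alias of PubkeyAcceptedAlgorithms, the option name OpenSSH uses since 8.5. The config text, the host names, and the abbreviated default algorithm lists are constructed for the example; on a real system `ssh -G <host>` prints the client's actual effective values.

```python
import fnmatch

# Constructed sample ~/.ssh/config: the stanza from the answer above, plus a
# catch-all stanza to show that the first matching stanza wins per option.
SAMPLE_CONFIG = """\
Host git-codecommit.*.amazonaws.com
  IdentityFile ~/.ssh/codecommit_rsa
  User XXXXXXXX
  HostKeyAlgorithms +ssh-rsa
  PubkeyAcceptedKeyTypes +ssh-rsa

Host *
  HostKeyAlgorithms ssh-ed25519
"""

# Assumption: an abbreviated stand-in for the client's built-in default lists
# (the real OpenSSH 8.9 defaults are longer; `ssh -Q HostKeyAlgorithms` lists
# what a given build supports). The point is that ssh-rsa is absent from them.
DEFAULTS = {
    "hostkeyalgorithms": ["ssh-ed25519", "ecdsa-sha2-nistp256",
                          "rsa-sha2-512", "rsa-sha2-256"],
    "pubkeyacceptedalgorithms": ["ssh-ed25519", "ecdsa-sha2-nistp256",
                                 "rsa-sha2-512", "rsa-sha2-256"],
}

# The pre-8.5 option name is accepted as an alias of the current one.
ALIASES = {"pubkeyacceptedkeytypes": "pubkeyacceptedalgorithms"}


def parse_config(text):
    """Split ssh_config text into (host_patterns, {option: value}) stanzas.

    Simplification: only whitespace-separated 'Key value' lines and Host
    blocks are handled (no 'Key=value' form, no Match blocks, no Include).
    """
    stanzas = []
    patterns, options = ["*"], {}   # options before the first Host apply to all
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        parts = line.split(None, 1)
        if len(parts) != 2:
            continue
        key = ALIASES.get(parts[0].lower(), parts[0].lower())
        value = parts[1].strip()
        if key == "host":
            if options:
                stanzas.append((patterns, options))
            patterns, options = value.split(), {}
        else:
            options.setdefault(key, value)   # first occurrence in a stanza wins
    if options:
        stanzas.append((patterns, options))
    return stanzas


def effective_options(stanzas, hostname):
    """Merge stanzas for a host: the first stanza that sets an option wins."""
    merged = {}
    for patterns, options in stanzas:
        positive = [p for p in patterns if not p.startswith("!")]
        negated = [p[1:] for p in patterns if p.startswith("!")]
        if any(fnmatch.fnmatchcase(hostname, p) for p in negated):
            continue   # a negated match disables the whole stanza
        if any(fnmatch.fnmatchcase(hostname, p) for p in positive):
            for key, value in options.items():
                merged.setdefault(key, value)
    return merged


def resolve_algorithms(spec, default):
    """Apply the ssh_config list syntax to a default list.

    '+list' appends, '-list' removes (patterns allowed), '^list' moves to the
    front; anything else replaces the default list outright.
    """
    if spec and spec[0] in "+-^":
        mode, items = spec[0], [s for s in spec[1:].split(",") if s]
    else:
        mode, items = "", [s for s in spec.split(",") if s]
    if mode == "+":
        return default + [i for i in items if i not in default]
    if mode == "-":
        return [d for d in default
                if not any(fnmatch.fnmatchcase(d, i) for i in items)]
    if mode == "^":
        return items + [d for d in default if d not in items]
    return items


def offered_algorithms(config_text, hostname, option):
    """Return the algorithm list the client would offer for host/option."""
    key = ALIASES.get(option.lower(), option.lower())
    spec = effective_options(parse_config(config_text), hostname).get(key)
    if spec is None:
        return list(DEFAULTS[key])
    return resolve_algorithms(spec, DEFAULTS[key])


if __name__ == "__main__":
    for host in ("git-codecommit.us-east-1.amazonaws.com", "example.org"):
        for opt in ("HostKeyAlgorithms", "PubkeyAcceptedKeyTypes"):
            algs = offered_algorithms(SAMPLE_CONFIG, host, opt)
            print(f"{host:40} {opt:24} ssh-rsa={'ssh-rsa' in algs}")
```

Running it shows ssh-rsa appended, last, for the CodeCommit host only, while example.org keeps the stricter lists; that is the scoping the release notes recommend, re-enabling RSA/SHA-1 for the single destination that still needs it rather than globally under Host *.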