升级到 Ubuntu 22.04 后,AWS CodeCommit 无法通过 ssh 进行身份验证(Jammy)
AWS CodeCommit fails to authenticate via ssh after upgrading to Ubuntu 22.04 (Jammy)
我刚刚将桌面升级到 Ubuntu 22.04。当我尝试推送到 AWS CodeCommit 上的我的 git 存储库之一(使用 ssh)时,我得到:
$ git push origin master
Unable to negotiate with 52.94.226.180 port 22: no matching host key type found. Their offer: ssh-rsa
fatal: Could not read from remote repository.
Please make sure you have the correct access rights
and the repository exists.
如果我在使用以前版本 Ubuntu 的计算机上尝试相同的操作,使用相同的密钥和 ssh 配置,推送成功:
$ git push origin master
[master 879fbb1] -
1 file changed, 0 insertions(+), 0 deletions(-)
create mode 100755 Blah.pdf
To ssh://git-codecommit.us-east-1.amazonaws.com/v1/repos/my_repo
e360ec8..879fbb1 master -> master
我在 ~/.ssh/config 中的条目中添加了 HostKeyAlgorithms +ssh-rsa,所以它看起来像这样:
Host git-codecommit.*.amazonaws.com
HostKeyAlgorithms +ssh-rsa
IdentityFile ~/.ssh/codecommit_rsa
User XXXXXXXX
现在我得到一个不同的错误:
$ git push origin master
APKAIKOVHJDF7L22TRPA@git-codecommit.us-east-1.amazonaws.com: Permission denied (publickey).
fatal: Could not read from remote repository.
Please make sure you have the correct access rights
and the repository exists.
也许这会有所帮助?
$ sudo scanssh -s ssh 52.94.226.180
52.94.226.180:22 SSH-2.0-AWSCodeCommit VGh1LCAyOCBBcHIgMjAyMiAyMDozOToyMSArMDAwMFRE84lk14QcsWNrhwqxNLNmRuhBFhi2T0uc9R+6yS0sQklQWVZaOGpobGJHYWdvUER3MHhUVTYzY3c5SzlXSEFNOTRYNWdKMW0yY3M9
Effective host scan rate: 1.02 hosts/s
将行 PubkeyAcceptedKeyTypes +ssh-rsa 也添加到您的 ~/.ssh/config 条目中,因此它看起来像这样:
Host git-codecommit.*.amazonaws.com
IdentityFile ~/.ssh/codecommit_rsa
User XXXXXXXX
HostKeyAlgorithms +ssh-rsa
PubkeyAcceptedKeyTypes +ssh-rsa
有关此问题的更多信息:
Ubuntu 22.04 附带新版本的 ssh (OpenSSH8.9p1),而之前的 ubuntu 版本使用 OpenSSH8.4p1 或更早的版本。
OpenSSH8.8p1 中有一项重大更改,默认情况下禁用使用 SHA-1 哈希算法的 RSA 签名。
This release disables RSA signatures using the SHA-1 hash algorithm
by default. This change has been made as the SHA-1 hash algorithm is
cryptographically broken, and it is possible to create chosen-prefix
hash collisions for <USDK [1]
For most users, this change should be invisible and there is
no need to replace ssh-rsa keys. OpenSSH has supported RFC8332
RSA/SHA-256/512 signatures since release 7.2 and existing ssh-rsa keys
will automatically use the stronger algorithm where possible.
Incompatibility is more likely when connecting to older SSH
implementations that have not been upgraded or have not closely tracked
improvements in the SSH protocol. For these cases, it may be necessary
to selectively re-enable RSA/SHA1 to allow connection and/or user
authentication via the HostkeyAlgorithms and PubkeyAcceptedAlgorithms
options. For example, the following stanza in ~/.ssh/config will enable
RSA/SHA1 for host and user authentication for a single destination host:
Host old-host
HostkeyAlgorithms +ssh-rsa
PubkeyAcceptedAlgorithms +ssh-rsa
We recommend enabling RSA/SHA1 only as a stopgap measure until legacy
implementations can be upgraded or reconfigured with another key type
(such as ECDSA or Ed25519).
[1] "SHA-1 is a Shambles: First Chosen-Prefix Collision on SHA-1 and
Application to the PGP Web of Trust" Leurent, G and Peyrin, T
(2020) https://eprint.iacr.org/2020/014.pdf
我刚刚将桌面升级到 Ubuntu 22.04。当我尝试推送到 AWS CodeCommit 上的我的 git 存储库之一(使用 ssh)时,我得到:
$ git push origin master
Unable to negotiate with 52.94.226.180 port 22: no matching host key type found. Their offer: ssh-rsa
fatal: Could not read from remote repository.
Please make sure you have the correct access rights
and the repository exists.
如果我在使用以前版本 Ubuntu 的计算机上尝试相同的操作,使用相同的密钥和 ssh 配置,推送成功:
$ git push origin master
[master 879fbb1] -
1 file changed, 0 insertions(+), 0 deletions(-)
create mode 100755 Blah.pdf
To ssh://git-codecommit.us-east-1.amazonaws.com/v1/repos/my_repo
e360ec8..879fbb1 master -> master
我在 ~/.ssh/config 中的条目中添加了 HostKeyAlgorithms +ssh-rsa,所以它看起来像这样:
Host git-codecommit.*.amazonaws.com
HostKeyAlgorithms +ssh-rsa
IdentityFile ~/.ssh/codecommit_rsa
User XXXXXXXX
现在我得到一个不同的错误:
$ git push origin master
APKAIKOVHJDF7L22TRPA@git-codecommit.us-east-1.amazonaws.com: Permission denied (publickey).
fatal: Could not read from remote repository.
Please make sure you have the correct access rights
and the repository exists.
也许这会有所帮助?
$ sudo scanssh -s ssh 52.94.226.180
52.94.226.180:22 SSH-2.0-AWSCodeCommit VGh1LCAyOCBBcHIgMjAyMiAyMDozOToyMSArMDAwMFRE84lk14QcsWNrhwqxNLNmRuhBFhi2T0uc9R+6yS0sQklQWVZaOGpobGJHYWdvUER3MHhUVTYzY3c5SzlXSEFNOTRYNWdKMW0yY3M9
Effective host scan rate: 1.02 hosts/s
将行 PubkeyAcceptedKeyTypes +ssh-rsa 也添加到您的 ~/.ssh/config 条目中,因此它看起来像这样:
Host git-codecommit.*.amazonaws.com
IdentityFile ~/.ssh/codecommit_rsa
User XXXXXXXX
HostKeyAlgorithms +ssh-rsa
PubkeyAcceptedKeyTypes +ssh-rsa
有关此问题的更多信息:
Ubuntu 22.04 附带新版本的 ssh (OpenSSH8.9p1),而之前的 ubuntu 版本使用 OpenSSH8.4p1 或更早的版本。
OpenSSH8.8p1 中有一项重大更改,默认情况下禁用使用 SHA-1 哈希算法的 RSA 签名。
This release disables RSA signatures using the SHA-1 hash algorithm by default. This change has been made as the SHA-1 hash algorithm is cryptographically broken, and it is possible to create chosen-prefix hash collisions for <USDK [1]
For most users, this change should be invisible and there is no need to replace ssh-rsa keys. OpenSSH has supported RFC8332 RSA/SHA-256/512 signatures since release 7.2 and existing ssh-rsa keys will automatically use the stronger algorithm where possible.
Incompatibility is more likely when connecting to older SSH implementations that have not been upgraded or have not closely tracked improvements in the SSH protocol. For these cases, it may be necessary to selectively re-enable RSA/SHA1 to allow connection and/or user authentication via the HostkeyAlgorithms and PubkeyAcceptedAlgorithms options. For example, the following stanza in ~/.ssh/config will enable RSA/SHA1 for host and user authentication for a single destination host:
Host old-host HostkeyAlgorithms +ssh-rsa PubkeyAcceptedAlgorithms +ssh-rsaWe recommend enabling RSA/SHA1 only as a stopgap measure until legacy implementations can be upgraded or reconfigured with another key type (such as ECDSA or Ed25519).
[1] "SHA-1 is a Shambles: First Chosen-Prefix Collision on SHA-1 and Application to the PGP Web of Trust" Leurent, G and Peyrin, T (2020) https://eprint.iacr.org/2020/014.pdf