Source: https://ttys3.dev/post/openssh-8-8-p1-no-matching-host-key-type-found-their-offer-ssh-rsa/
Solution to openssh-8.8-p1 update: no matching host key type found. Their offer: ssh-rsa
2021-09-28 :: 荒野無燈 :: Modified 2021-09-29 (f81fb07)
#openssh #ArchLinux #ssh-rsa #troubleshoot #ssh
~/.ssh
❯ paru -Ss openssh | rg install
core/openssh 8.8p1-1 [0B 5.90MiB] [Installed]
If you have recently upgraded to OpenSSH 8.8p1, you will find that connecting to some servers that used to work fine suddenly fails:
Unable to negotiate with x.x.x.x port 2222: no matching host key type found. Their offer: ssh-rsa
A quick workaround is to re-enable ssh-rsa on the command line for that connection:
ssh -o HostKeyAlgorithms=+ssh-rsa -o PubkeyAcceptedKeyTypes=+ssh-rsa user@myhost -p 2222
Of course, typing such a long string on every connection is not great either.
Instead, edit the user ssh configuration ~/.ssh/config and, for each host that fails to connect, add the options:
HostKeyAlgorithms +ssh-rsa
PubkeyAcceptedKeyTypes +ssh-rsa
A complete entry might look like this:
Host myhost
Hostname 1.1.1.1
User user001
IdentityFile ~/.ssh/id_rsa
# fixup for openssh 8.8
HostKeyAlgorithms +ssh-rsa
PubkeyAcceptedKeyTypes +ssh-rsa
Or, if you are lazy like me, apply it to every host:
Host *
ServerAliveInterval 10
HostKeyAlgorithms +ssh-rsa
PubkeyAcceptedKeyTypes +ssh-rsa
Why this error occurs
According to the OpenSSH Release Notes:
Future deprecation notice
It is now possible[1] to perform chosen-prefix attacks against the SHA-1 algorithm for less than USD$50K.
In the SSH protocol, the “ssh-rsa” signature scheme uses the SHA-1 hash algorithm in conjunction with the RSA public key algorithm. OpenSSH will disable this signature scheme by default in the near future.
Note that the deactivation of “ssh-rsa” signatures does not necessarily require cessation of use for RSA keys. In the SSH protocol, keys may be capable of signing using multiple algorithms. In particular, “ssh-rsa” keys are capable of signing using “rsa-sha2-256” (RSA/SHA256), “rsa-sha2-512” (RSA/SHA512) and “ssh-rsa” (RSA/SHA1). Only the last of these is being turned off by default.
In other words, the ssh client in OpenSSH 8.8p1 disables the ssh-rsa (RSA/SHA-1) signature algorithm by default, but the remote server only supports ssh-rsa. When you cannot upgrade the remote server's OpenSSH yourself, or change its configuration so that it uses a more secure algorithm, re-enabling ssh-rsa locally for just these old ssh servers is a workable stopgap.
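The following is an added example, not code from the original post: it turns the negotiation error shown above into a host-scoped config stanza (rather than a blanket Host * override), and, following the release-notes point that RSA keys can also sign with rsa-sha2-256/512, it refuses to emit the workaround when the server's offer already includes one of those, since re-enabling SHA-1 signatures would then be unnecessary. The sample error line and the 203.0.113.10 address are constructed.

```shell
#!/bin/sh
# Added example (not from the original post). Parse an OpenSSH
# "Unable to negotiate ... Their offer: ..." line and print a ~/.ssh/config
# stanza that re-enables ssh-rsa for that one host only.
#
# Return codes: 0 = stanza printed, 1 = server already offers an RSA/SHA-2
# algorithm (workaround not needed), 2 = line did not parse.
stanza_for_error() {
    msg="$1"
    # Host and port come from the "Unable to negotiate with HOST port PORT:" prefix.
    host=$(printf '%s\n' "$msg" | sed -n 's/^Unable to negotiate with \([^ ]*\) port \([0-9]*\):.*/\1/p')
    port=$(printf '%s\n' "$msg" | sed -n 's/^Unable to negotiate with \([^ ]*\) port \([0-9]*\):.*/\2/p')
    # The offered algorithm list is everything after "Their offer: ".
    offer=$(printf '%s\n' "$msg" | sed -n 's/.*Their offer: \(.*\)$/\1/p')
    [ -n "$host" ] && [ -n "$port" ] && [ -n "$offer" ] || return 2

    # If the server can already do RSA with SHA-2, enabling ssh-rsa (SHA-1)
    # is not the right fix; the failure lies elsewhere.
    case ",$offer," in
        *,rsa-sha2-256,*|*,rsa-sha2-512,*) return 1 ;;
    esac

    printf 'Host %s\n' "$host"
    printf '    Hostname %s\n' "$host"
    printf '    Port %s\n' "$port"
    printf '    # fixup for openssh 8.8: server only offers %s\n' "$offer"
    printf '    HostKeyAlgorithms +ssh-rsa\n'
    printf '    PubkeyAcceptedKeyTypes +ssh-rsa\n'
}

# Constructed sample of the error message from this post (address is a
# documentation-range placeholder).
SAMPLE='Unable to negotiate with 203.0.113.10 port 2222: no matching host key type found. Their offer: ssh-rsa'

stanza_for_error "$SAMPLE"
```

Append the printed stanza to ~/.ssh/config; the real error message can be pasted in place of SAMPLE.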