更新 macOS Ventura后,git操作时报错:
Unable to negotiate with 106.52.*.* port 22: no matching host key type found. Their offer: ssh-rsa
fatal: Could not read from remote repository.
Please make sure you have the correct access rights
and the repository exists.
原因
经过查证,macOS Ventura 内置使用了 OpenSSH_9.0p1,根据 OpenSSH 发行说明 可以得知,从 OpenSSH 8.8/8.8p1 版本开始,就默认关闭了 ssh-rsa 算法。那么 macOS Ventura 内置使用的 OpenSSH_9.0p1 也是默认关闭了 ssh-rsa 算法。
原文内容如下:
OpenSSH 8.8/8.8p1 (2021-09-26)
Incompatibility is more likely when connecting to older SSH
implementations that have not been upgraded or have not closely tracked
improvements in the SSH protocol. For these cases, it may be necessary
to selectively re-enable RSA/SHA1 to allow connection and/or user
authentication via the HostkeyAlgorithms and PubkeyAcceptedAlgorithms
options. For example, the following stanza in ~/.ssh/config will enable
RSA/SHA1 for host and user authentication for a single destination host:
Host old-host
HostkeyAlgorithms +ssh-rsa
PubkeyAcceptedAlgorithms +ssh-rsa
We recommend enabling RSA/SHA1 only as a stopgap measure until legacy
implementations can be upgraded or reconfigured with another key type
(such as ECDSA or Ed25519).
OpenSSH 8.7/8.7p1 (2021-08-20)
OpenSSH will disable the ssh-rsa signature scheme by default in the
next release.
解决
方案一:重新生成 ed25519 算法的密钥后,更新服务器公钥信息
ssh-keygen -t ed25519
方案二:重新启用 RSA/SHA1【推荐】
打开文件sudo vim /etc/ssh/ssh_config
, 底部添加两行:
HostkeyAlgorithms +ssh-rsa
PubkeyAcceptedAlgorithms +ssh-rsa
# ProxyCommand ssh -q -W %h:%p gateway.example.com
# RekeyLimit 1G 1h
# UserKnownHostsFile ~/.ssh/known_hosts.d/%k
Host *
SendEnv LANG LC_*
HostkeyAlgorithms +ssh-rsa
PubkeyAcceptedAlgorithms +ssh-rsa
评论区