ssh-rsa authentication failure: "no matching host key type found. Their offer: ssh-rsa"
One day, after a major-version upgrade of the Debian on my laptop, I tried to ssh to a server and got an authentication failure with the message: no matching host key type found. Their offer: ssh-rsa
It turns out that from OpenSSH 8.8 onward, RSA signatures using the SHA-1 hash (the ssh-rsa signature scheme) are disabled by default.
```
OpenSSH 8.8 was released on 2021-09-26. It is available from the
mirrors listed at https://www.openssh.com/.
...
...
Potentially-incompatible changes
================================

This release disables RSA signatures using the SHA-1 hash algorithm
by default. This change has been made as the SHA-1 hash algorithm is
cryptographically broken, and it is possible to create chosen-prefix
hash collisions for <USD$50K [1]
```
The gist of the above: because the SHA-1 hash algorithm is cryptographically broken (chosen-prefix collisions are affordable), from version 8.8 onward OpenSSH disables RSA signatures that use SHA-1 by default.
Re-enabling ssh-rsa authentication
If the SSH server only supports ssh-rsa, the only option on the client side is to re-enable it.
The OpenSSH 8.8 README gives the way to re-enable RSA keys; applied in ~/.ssh/config it looks like this:
```
Host haven200
    HostName haven200.com
    # re-allow SHA-1 ssh-rsa for this host's host key (the algorithm named in the error)
    HostKeyAlgorithms=+ssh-rsa
    # re-allow SHA-1 ssh-rsa for the user's public-key authentication
    PubkeyAcceptedKeyTypes=+ssh-rsa
    User haven200
    Port 22
    Protocol 2
    SendEnv upnpcv
    IdentityFile ~/.ssh/haven200_rsa
```
That is, HostKeyAlgorithms=+ssh-rsa and PubkeyAcceptedKeyTypes=+ssh-rsa re-enable ssh-rsa: the first covers the server's host key, which is what the "no matching host key type" message refers to, and the second covers the user's RSA key. The leading "+" appends to the default list instead of replacing it, so rsa-sha2-256/512, ed25519 and ecdsa stay preferred and SHA-1 signatures are only used when the server offers nothing better. Putting the options under a specific Host block keeps the weakening limited to that one server rather than every connection.
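The per-host approach described above, as an added helper that is not part of the original post: it prepends a scoped Host stanza to an ssh_config file (first match wins in ssh_config, so the stanza must precede any "Host *" block), is idempotent, and counts how many such exceptions exist so they can be reviewed and removed once the servers are upgraded. The host names and the config file path in the usage are placeholders.

```shell
#!/bin/sh
# Added example, not from the original post. Re-enables SHA-1 ssh-rsa for
# one host alias only, rather than in a global "Host *" block, and keeps
# the exceptions countable so they can be removed once the server gains
# rsa-sha2-*/ed25519 host keys. Host names are placeholders.

# add_legacy_rsa_host ALIAS HOSTNAME CONFIG_FILE
# Prepends a Host stanza; ssh_config uses the first matching value, so the
# stanza must precede any "Host *" block. Idempotent per ALIAS.
add_legacy_rsa_host() {
    alias_="$1"; hostname_="$2"; cfg="$3"
    if [ -f "$cfg" ] &&
       awk -v a="$alias_" '$1 == "Host" && $2 == a { f = 1 } END { exit !f }' "$cfg"; then
        return 0
    fi
    tmp="${cfg}.tmp.$$"
    {
        # "+" appends to the default list, so rsa-sha2-256/512, ed25519 and
        # ecdsa remain preferred; ssh-rsa is used only when it is all the
        # server offers. PubkeyAcceptedKeyTypes is the pre-8.5 name that newer
        # clients still accept (8.5+ call it PubkeyAcceptedAlgorithms).
        printf 'Host %s\n    HostName %s\n' "$alias_" "$hostname_"
        printf '    HostKeyAlgorithms +ssh-rsa\n'
        printf '    PubkeyAcceptedKeyTypes +ssh-rsa\n\n'
        if [ -f "$cfg" ]; then cat "$cfg"; fi
    } > "$tmp"
    mv "$tmp" "$cfg"
    chmod 600 "$cfg"
}

# count_legacy_hosts CONFIG_FILE: number of stanzas carrying the exception.
count_legacy_hosts() {
    [ -f "$1" ] || { echo 0; return 0; }
    grep -Fc 'HostKeyAlgorithms +ssh-rsa' "$1" || true
}

# Usage (placeholders): add_legacy_rsa_host haven200 haven200.com ~/.ssh/config
```

After editing, "ssh -G haven200" prints the options ssh will actually use for that alias, which is the quickest way to confirm the stanza took effect.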
Upgrading SSH authentication
For security, we replace the RSA key with the more secure ecdsa key for authentication. Note that this replaces the client's user key; the host key that the server offers is configured on the server side.
```
~$ ssh-keygen -t ecdsa -f ~/.ssh/haven200_ecdsa
```
References: OpenSSH