On macOS Ventura: a Git repository that cannot be pulled over ssh

泥巴电报 - 2023-05-27 - Tech sharing / Development
2023-5-27 | Last updated: 2023-5-27

Preconditions

  • A local ssh rsa public/private key pair has been generated and configured correctly
  • The public key has also been added in GitLab
  • The account has permission to access the target repository
  • The macOS version is Ventura

Symptoms

ssh -T [email protected]
[email protected]'s password:
Permission denied, please try again.
[email protected]'s password:
Permission denied, please try again.
[email protected]'s password:
[email protected]: Permission denied (publickey,password).

Pulling code directly over ssh runs into the same problem: it prompts us for a password.
On its face this is counter-intuitive. With ssh, isn't adding the public key to GitLab enough to communicate? Why is a password needed at all? And which password is it (I tried both the GitLab account password and the RSA key passphrase, and neither is accepted)?

Root cause analysis

Analyze the connection process with ssh -vvv [email protected]

debug1: Local version string SSH-2.0-OpenSSH_9.0
debug1: Remote protocol version 2.0, remote software version OpenSSH_6.6

From the log above you can see that, once the connection is established, the client and server report different OpenSSH versions.

debug1: Offering public key: /Users/jake/.ssh/id_rsa RSA SHA256:OyVqGeZW9HcURRFQBGBkTX5adtoQwZ9ibAEXgit___ agent
debug1: send_pubkey_test: no mutual signature algorithm

After confirming that public-key authentication is supported, the client offers the local rsa public key to the server and finds that there is no signature algorithm both sides can use, so public-key authentication cannot proceed and the client falls back to the next method, password.

debug2: we did not send a packet, disable method
debug3: authmethod_lookup password
debug3: remaining preferred: ,password
debug3: authmethod_is_enabled password
debug1: Next authentication method: password
[email protected]'s password:

As for which password this is, I really could not find any information; I tried the GitLab password and the RSA key passphrase and neither was correct. If anyone knows, please point me in the right direction.
Based on the above, it is essentially confirmed to be a signature-algorithm compatibility problem.
Checking the OpenSSH release history, OpenSSH 8.8 disabled RSA signatures that use the SHA-1 hash algorithm by default:

This release disables RSA signatures using the SHA-1 hash algorithm by default. This change has been made as the SHA-1 hash algorithm is cryptographically broken, and it is possible to create chosen-prefix hash collisions for <USD$50K [1]

For most users, this change should be invisible and there is no need to replace ssh-rsa keys. OpenSSH has supported RFC8332 RSA/SHA-256/512 signatures since release 7.2 and existing ssh-rsa keys will automatically use the stronger algorithm where possible.

Incompatibility is more likely when connecting to older SSH implementations that have not been upgraded or have not closely tracked improvements in the SSH protocol. For these cases, it may be necessary to selectively re-enable RSA/SHA1 to allow connection and/or user authentication via the HostkeyAlgorithms and PubkeyAcceptedAlgorithms options. For example, the following stanza in ~/.ssh/config will enable RSA/SHA1 for host and user authentication for a single destination host:

    Host old-host
        HostkeyAlgorithms +ssh-rsa
        PubkeyAcceptedAlgorithms +ssh-rsa

We recommend enabling RSA/SHA1 only as a stopgap measure until legacy implementations can be upgraded or reconfigured with another key type (such as ECDSA or Ed25519).

Solutions

1. Add the compatibility workaround

Apply the workaround given in the OpenSSH release notes:
  1. Create a config file under the ~/.ssh directory; skip this step if it already exists
  2. Add the following at the top of ~/.ssh/config
HostkeyAlgorithms +ssh-rsa
PubkeyAcceptedAlgorithms +ssh-rsa
  3. Try again and the connection to GitLab succeeds
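
As an added example (not code from the original post), the POSIX shell script below applies the analysis above to an ssh -vvv transcript: it extracts the server's OpenSSH version, checks whether the local client is a release that disables RSA/SHA-1 signatures (8.8 or later), detects the "no mutual signature algorithm" fallback, and prints the workaround stanza scoped to a single host rather than placed at the top of the file for every host. The transcript, fingerprint and the host name gitlab.example.com are constructed.

```shell
#!/bin/sh
# Added example (not from the original post): classify an `ssh -vvv` transcript.
# Constructed sample modelled on the debug lines quoted above; the fingerprint is a placeholder.
SAMPLE_LOG='debug1: Local version string SSH-2.0-OpenSSH_9.0
debug1: Remote protocol version 2.0, remote software version OpenSSH_6.6
debug1: Offering public key: /Users/jake/.ssh/id_rsa RSA SHA256:PLACEHOLDER agent
debug1: send_pubkey_test: no mutual signature algorithm
debug1: Next authentication method: password'

# remote_version LOG -> the server's software version string (e.g. OpenSSH_6.6)
remote_version() {
    printf '%s\n' "$1" | sed -n 's/.*remote software version \([^ ]*\).*/\1/p' | head -n 1
}

# client_disables_sha1 LOG -> succeeds if the local OpenSSH is >= 8.8, the release
# that turned off ssh-rsa (RSA/SHA-1) signatures by default
client_disables_sha1() {
    v=$(printf '%s\n' "$1" | sed -n 's/.*Local version string SSH-2.0-OpenSSH_\([0-9]*\)\.\([0-9]*\).*/\1 \2/p' | head -n 1)
    [ -n "$v" ] || return 1
    set -- $v
    [ "$1" -gt 8 ] || { [ "$1" -eq 8 ] && [ "$2" -ge 8 ]; }
}

# diagnose LOG -> rsa-sha1-mismatch | password-fallback | ok
# rsa-sha1-mismatch: an RSA key was offered and the client found no signature
# algorithm both sides accept, i.e. the server only speaks ssh-rsa (SHA-1).
diagnose() {
    if printf '%s\n' "$1" | grep -q 'Offering public key: .* RSA ' &&
       printf '%s\n' "$1" | grep -q 'no mutual signature algorithm'; then
        echo rsa-sha1-mismatch
    elif printf '%s\n' "$1" | grep -q 'Next authentication method: password'; then
        echo password-fallback
    else
        echo ok
    fi
}

# workaround_stanza HOST -> a ~/.ssh/config stanza scoped to HOST only, so RSA/SHA-1
# is re-enabled for that one legacy server instead of every host (as a top-of-file
# setting would do)
workaround_stanza() {
    printf 'Host %s\n    HostkeyAlgorithms +ssh-rsa\n    PubkeyAcceptedAlgorithms +ssh-rsa\n' "$1"
}

result=$(diagnose "$SAMPLE_LOG")
echo "server $(remote_version "$SAMPLE_LOG"), diagnosis: $result"
if [ "$result" = rsa-sha1-mismatch ] && client_disables_sha1 "$SAMPLE_LOG"; then
    workaround_stanza gitlab.example.com   # constructed host name
fi
```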

2. Replace the key algorithm (recommended)

The asymmetric key that GitLab's instructions have you generate is
ssh-keygen -o -t rsa -C "[email protected]" -b 4096
whereas GitHub recommends generating an ed25519 asymmetric key:
$ ssh-keygen -t ed25519 -C "[email protected]"
and only if the system is so old that it does not support the ed25519 algorithm should you use
$ ssh-keygen -t rsa -b 4096 -C "[email protected]"
After replacing the rsa key in GitLab with an ed25519 key, authentication succeeds and communication works normally:

debug1: Offering public key: /Users/jake/.ssh/id_ed25519 ED25519 SHA256:CV5xWrRplYKEbPL500I8V4aBffTz9VsXWPIasxg9___
debug3: send packet: type 50
debug2: we sent a publickey packet, wait for reply
debug3: receive packet: type 60
debug1: Server accepts key: /Users/jake/.ssh/id_ed25519 ED25519 SHA256:CV5xWrRplYKEbPL500I8V4aBffTz9VsXWPIasxg9zHQ
debug3: sign_and_send_pubkey: using publickey with ED25519 SHA256:CV5xWrRplYKEbPL500I8V4aBffTz9VsXWPIasxg9___
debug3: sign_and_send_pubkey: signing using ssh-ed25519 SHA256:CV5xWrRplYKEbPL500I8V4aBffTz9VsXWPIasxg9___
debug3: send packet: type 50
debug3: receive packet: type 52

Steps

  1. Generate an ed25519 key
$ ssh-keygen -t ed25519 -C "[email protected]"
  2. Copy the contents of id_ed25519.pub from the .ssh directory and add it to GitLab
$ ssh -T [email protected]
Welcome to GitLab, @jake!
