• SSH免密失败并报错:no mutual signature algorithm


    🎹 个人简介:大家好,我是 金鱼哥,CSDN运维领域新星创作者,华为云·云享专家,阿里云社区·专家博主
    📚个人资质:CCNA、HCNP、CSNA(网络分析师),软考初级、中级网络工程师、RHCSA、RHCE、RHCA、RHCI、ITIL😜
    💬格言:努力不一定成功,但要想成功就必须努力🔥

    🎈支持我:可点赞👍、可收藏⭐️、可留言📝


    运维要时刻关注漏洞情况并根据现在的版本而进行知识的更新,本例子就是2022年9月8日当天工作所遇到的问题,经过排查和测试后,最终成功解决并了解到更进一步的设置。


    📜免密登录设置失效

    一个老运维,要做免密登录,如果没特殊需求,当然一上来就是直接一条命令 ssh-keygen 噼里啪啦,然后拷贝秘钥 ssh-copy-id 就直接了事,更何况要管控一台新下发的机器(云平台,你懂的),当然是直接运行 ssh-copy-id 就直接完事。

    谁知道一 ssh 测试,就提示要输入密码,啊这,没道理啊,咋会翻车呢?


    📜排查过程

    输入密码能登录到系统,之后查看messages和secure日志,正常得很。

    在这里插入图片描述

    之后查看sshd配置,发现与之前有些不同的配置地方,好像HostKey那里,多了ed25519这样的东西(算法类型)如:

    [root@centos7-3 ~]# vim /etc/ssh/sshd_config
    #Port 22
    #AddressFamily any
    #ListenAddress 0.0.0.0
    #ListenAddress ::
    
    # The default requires explicit activation of protocol 1
    #Protocol 2
    
    # HostKey for protocol version 1
    #HostKey /etc/ssh/ssh_host_key
    # HostKeys for protocol version 2
    HostKey /etc/ssh/ssh_host_rsa_key
    #HostKey /etc/ssh/ssh_host_dsa_key
    HostKey /etc/ssh/ssh_host_ecdsa_key
    HostKey /etc/ssh/ssh_host_ed25519_key
    
    # Lifetime and size of ephemeral version 1 server key
    #KeyRegenerationInterval 1h
    #ServerKeyBits 1024
    
    ............
    
    • 1
    • 2
    • 3
    • 4
    • 5
    • 6
    • 7
    • 8
    • 9
    • 10
    • 11
    • 12
    • 13
    • 14
    • 15
    • 16
    • 17
    • 18
    • 19
    • 20
    • 21
    • 22

    之后肯定要使用 -vvv 来演示更详细的信息进行进一步排查:

    # ssh  -vvv root@172.16.103.129
    OpenSSH_8.9p1, OpenSSL 1.1.1n  15 Mar 2022
    debug1: Reading configuration data /etc/ssh/ssh_config
    debug2: resolve_canonicalize: hostname 172.16.103.129 is address
    debug3: expanded UserKnownHostsFile '~/.ssh/known_hosts' -> '/root/.ssh/known_hosts'
    debug3: expanded UserKnownHostsFile '~/.ssh/known_hosts2' -> '/root/.ssh/known_hosts2'
    debug1: Authenticator provider $SSH_SK_PROVIDER did not resolve; disabling
    debug3: ssh_connect_direct: entering
    debug1: Connecting to 172.16.103.129 [172.16.103.129] port 22.
    debug3: set_sock_tos: set socket 3 IP_TOS 0x48
    debug1: Connection established.
    debug1: identity file /root/.ssh/id_rsa type 0
    debug1: identity file /root/.ssh/id_rsa-cert type -1
    debug1: identity file /root/.ssh/id_ecdsa type -1
    debug1: identity file /root/.ssh/id_ecdsa-cert type -1
    debug1: identity file /root/.ssh/id_ecdsa_sk type -1
    debug1: identity file /root/.ssh/id_ecdsa_sk-cert type -1
    debug1: identity file /root/.ssh/id_ed25519 type -1
    debug1: identity file /root/.ssh/id_ed25519-cert type -1
    debug1: identity file /root/.ssh/id_ed25519_sk type -1
    debug1: identity file /root/.ssh/id_ed25519_sk-cert type -1
    debug1: identity file /root/.ssh/id_xmss type -1
    debug1: identity file /root/.ssh/id_xmss-cert type -1
    debug1: identity file /root/.ssh/id_dsa type -1
    debug1: identity file /root/.ssh/id_dsa-cert type -1
    debug1: Local version string SSH-2.0-OpenSSH_8.9
    debug1: Remote protocol version 2.0, remote software version OpenSSH_6.6.1
    debug1: compat_banner: match: OpenSSH_6.6.1 pat OpenSSH_6.6.1* compat 0x04000002
    debug2: fd 3 setting O_NONBLOCK
    debug1: Authenticating to 172.16.103.129:22 as 'root'
    debug3: record_hostkey: found key type ED25519 in file /root/.ssh/known_hosts:10
    debug3: load_hostkeys_file: loaded 1 keys from 172.16.103.129
    debug1: load_hostkeys: fopen /root/.ssh/known_hosts2: No such file or directory
    debug1: load_hostkeys: fopen /etc/ssh/ssh_known_hosts: No such file or directory
    debug1: load_hostkeys: fopen /etc/ssh/ssh_known_hosts2: No such file or directory
    debug3: order_hostkeyalgs: have matching best-preference key type ssh-ed25519-cert-v01@openssh.com, using HostkeyAlgorithms verbatim
    debug3: send packet: type 20
    debug1: SSH2_MSG_KEXINIT sent
    debug3: receive packet: type 20
    debug1: SSH2_MSG_KEXINIT received
    debug2: local client KEXINIT proposal
    debug2: KEX algorithms: curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,sntrup761x25519-sha512@openssh.com,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256,ext-info-c
    debug2: host key algorithms: ssh-ed25519-cert-v01@openssh.com,ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521-cert-v01@openssh.com,sk-ssh-ed25519-cert-v01@openssh.com,sk-ecdsa-sha2-nistp256-cert-v01@openssh.com,rsa-sha2-512-cert-v01@openssh.com,rsa-sha2-256-cert-v01@openssh.com,ssh-ed25519,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,sk-ssh-ed25519@openssh.com,sk-ecdsa-sha2-nistp256@openssh.com,rsa-sha2-512,rsa-sha2-256
    debug2: ciphers ctos: chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com
    debug2: ciphers stoc: chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com
    debug2: MACs ctos: umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1
    debug2: MACs stoc: umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1
    debug2: compression ctos: none,zlib@openssh.com,zlib
    debug2: compression stoc: none,zlib@openssh.com,zlib
    debug2: languages ctos: 
    debug2: languages stoc: 
    debug2: first_kex_follows 0 
    debug2: reserved 0 
    debug2: peer server KEXINIT proposal
    debug2: KEX algorithms: curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
    debug2: host key algorithms: ssh-rsa,ecdsa-sha2-nistp256,ssh-ed25519
    debug2: ciphers ctos: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-gcm@openssh.com,aes256-gcm@openssh.com,chacha20-poly1305@openssh.com,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se
    debug2: ciphers stoc: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-gcm@openssh.com,aes256-gcm@openssh.com,chacha20-poly1305@openssh.com,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se
    debug2: MACs ctos: hmac-md5-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-ripemd160-etm@openssh.com,hmac-sha1-96-etm@openssh.com,hmac-md5-96-etm@openssh.com,hmac-md5,hmac-sha1,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
    debug2: MACs stoc: hmac-md5-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-ripemd160-etm@openssh.com,hmac-sha1-96-etm@openssh.com,hmac-md5-96-etm@openssh.com,hmac-md5,hmac-sha1,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
    debug2: compression ctos: none,zlib@openssh.com
    debug2: compression stoc: none,zlib@openssh.com
    debug2: languages ctos: 
    debug2: languages stoc: 
    debug2: first_kex_follows 0 
    debug2: reserved 0 
    debug1: kex: algorithm: curve25519-sha256@libssh.org
    debug1: kex: host key algorithm: ssh-ed25519
    debug1: kex: server->client cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none
    debug1: kex: client->server cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none
    debug3: send packet: type 30
    debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
    debug3: receive packet: type 31
    debug1: SSH2_MSG_KEX_ECDH_REPLY received
    debug1: Server host key: ssh-ed25519 SHA256:umdF0tnveVEhk5QWECp4Frj8GqPgD1uyjxcmvud8dcg
    debug3: record_hostkey: found key type ED25519 in file /root/.ssh/known_hosts:10
    debug3: load_hostkeys_file: loaded 1 keys from 172.16.103.129
    debug1: load_hostkeys: fopen /root/.ssh/known_hosts2: No such file or directory
    debug1: load_hostkeys: fopen /etc/ssh/ssh_known_hosts: No such file or directory
    debug1: load_hostkeys: fopen /etc/ssh/ssh_known_hosts2: No such file or directory
    debug1: Host '172.16.103.129' is known and matches the ED25519 host key.
    debug1: Found key in /root/.ssh/known_hosts:10
    debug3: send packet: type 21
    debug2: ssh_set_newkeys: mode 1
    debug1: rekey out after 134217728 blocks
    debug1: SSH2_MSG_NEWKEYS sent
    debug1: expecting SSH2_MSG_NEWKEYS
    debug3: receive packet: type 21
    debug1: SSH2_MSG_NEWKEYS received
    debug2: ssh_set_newkeys: mode 0
    debug1: rekey in after 134217728 blocks
    debug1: Will attempt key: /root/.ssh/id_rsa RSA SHA256:tFjK6AdypgKDhFpeoC9mZmGOui9TLuPIDxPzBBmJt98
    debug1: Will attempt key: /root/.ssh/id_ecdsa 
    debug1: Will attempt key: /root/.ssh/id_ecdsa_sk 
    debug1: Will attempt key: /root/.ssh/id_ed25519 
    debug1: Will attempt key: /root/.ssh/id_ed25519_sk 
    debug1: Will attempt key: /root/.ssh/id_xmss 
    debug1: Will attempt key: /root/.ssh/id_dsa 
    debug2: pubkey_prepare: done
    debug3: send packet: type 5
    debug3: receive packet: type 6
    debug2: service_accept: ssh-userauth
    debug1: SSH2_MSG_SERVICE_ACCEPT received
    debug3: send packet: type 50
    debug3: receive packet: type 51
    debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password
    debug3: start over, passed a different list publickey,gssapi-keyex,gssapi-with-mic,password
    debug3: preferred publickey,keyboard-interactive,password
    debug3: authmethod_lookup publickey
    debug3: remaining preferred: keyboard-interactive,password
    debug3: authmethod_is_enabled publickey
    debug1: Next authentication method: publickey
    debug1: Offering public key: /root/.ssh/id_rsa RSA SHA256:tFjK6AdypgKDhFpeoC9mZmGOui9TLuPIDxPzBBmJt98
    debug1: send_pubkey_test: no mutual signature algorithm
    debug1: Trying private key: /root/.ssh/id_ecdsa
    debug3: no such identity: /root/.ssh/id_ecdsa: No such file or directory
    debug1: Trying private key: /root/.ssh/id_ecdsa_sk
    debug3: no such identity: /root/.ssh/id_ecdsa_sk: No such file or directory
    debug1: Trying private key: /root/.ssh/id_ed25519
    debug3: no such identity: /root/.ssh/id_ed25519: No such file or directory
    debug1: Trying private key: /root/.ssh/id_ed25519_sk
    debug3: no such identity: /root/.ssh/id_ed25519_sk: No such file or directory
    debug1: Trying private key: /root/.ssh/id_xmss
    debug3: no such identity: /root/.ssh/id_xmss: No such file or directory
    debug1: Trying private key: /root/.ssh/id_dsa
    debug3: no such identity: /root/.ssh/id_dsa: No such file or directory
    debug2: we did not send a packet, disable method
    debug3: authmethod_lookup password
    debug3: remaining preferred: ,password
    debug3: authmethod_is_enabled password
    debug1: Next authentication method: password
    root@172.16.103.129's password: 
    
    • 1
    • 2
    • 3
    • 4
    • 5
    • 6
    • 7
    • 8
    • 9
    • 10
    • 11
    • 12
    • 13
    • 14
    • 15
    • 16
    • 17
    • 18
    • 19
    • 20
    • 21
    • 22
    • 23
    • 24
    • 25
    • 26
    • 27
    • 28
    • 29
    • 30
    • 31
    • 32
    • 33
    • 34
    • 35
    • 36
    • 37
    • 38
    • 39
    • 40
    • 41
    • 42
    • 43
    • 44
    • 45
    • 46
    • 47
    • 48
    • 49
    • 50
    • 51
    • 52
    • 53
    • 54
    • 55
    • 56
    • 57
    • 58
    • 59
    • 60
    • 61
    • 62
    • 63
    • 64
    • 65
    • 66
    • 67
    • 68
    • 69
    • 70
    • 71
    • 72
    • 73
    • 74
    • 75
    • 76
    • 77
    • 78
    • 79
    • 80
    • 81
    • 82
    • 83
    • 84
    • 85
    • 86
    • 87
    • 88
    • 89
    • 90
    • 91
    • 92
    • 93
    • 94
    • 95
    • 96
    • 97
    • 98
    • 99
    • 100
    • 101
    • 102
    • 103
    • 104
    • 105
    • 106
    • 107
    • 108
    • 109
    • 110
    • 111
    • 112
    • 113
    • 114
    • 115
    • 116
    • 117
    • 118
    • 119
    • 120
    • 121
    • 122
    • 123
    • 124
    • 125
    • 126
    • 127
    • 128
    • 129
    • 130
    • 131
    • 132

    一看最后中断的过程里,有关键提示:debug1: send_pubkey_test: no mutual signature algorithm ,提示后就开始进行相关尝试,只是都失败了,并 we did not send a packet, disable method

    那就有了排错的初步查找资料了。

    经过查找,其中一篇文章的说明:SSH-RSA key rejected with message "no mutual signature algorithm

    在这里插入图片描述

    文中有一句:任何运行OpenSSH 8.8 或更新版本的系统默认使用 SHA-1 哈希算法禁用 RSA 签名。

    因此,以往我们这些老司机直接的噼里啪啦一条命令,此时已经不再适用了,算法导致旧的RSA签名无效。

    在这里插入图片描述
    在这里插入图片描述


    📜处理方法

    不难看出,解决方法就是生成密钥对时,使用ed25519的算法,这是最佳的处理办法,需要也有临时的处置方法,那就是在ssh时添加对应的选项:-o PubkeyAcceptedKeyTypes=+ssh-rsa ,有些文章还建议添加配置到配置文件,但并不建议这样做,因为既然有漏洞相关,那就用现在的方法。


    📑临时方法

    在ssh时添加对应的选项:-o PubkeyAcceptedKeyTypes=+ssh-rsa

    在这里插入图片描述

    不建议的处置方法,添加配置:

    # vim /etc/ssh/ssh_config
    # 添加以下内容
    PubkeyAcceptedKeyTypes +ssh-rsa
    
    • 1
    • 2
    • 3

    📑最佳方式

    使用ed25519的算法生成密钥,之后再直接复制密钥去对应的机器。

    # ssh-keygen -t ed25519
    Generating public/private ed25519 key pair.
    Enter file in which to save the key (/root/.ssh/id_ed25519): 
    Enter passphrase (empty for no passphrase): 
    Enter same passphrase again: 
    Your identification has been saved in /root/.ssh/id_ed25519.
    Your public key has been saved in /root/.ssh/id_ed25519.pub.
    The key fingerprint is:
    SHA256:m4fsH0mCqg3ovPLwVNQxJHlpmQjMb037iT+Unv0jCQM root@glusternode5
    The key's randomart image is:
    +--[ED25519 256]--+
    | o...+++         |
    |  o ooBo         |
    |   ..=..         |
    |   .o E.         |
    |   .. .+So.      |
    | . . ...B* .     |
    |o o .  +==+.     |
    |++ +   .=.+..    |
    |.== .   .o.o..   |
    +----[SHA256]-----+
    
    # ssh-copy-id root@172.16.103.129
    /usr/bin/ssh-copy-id: INFO: Source of key(s) to be installed: "/root/.ssh/id_ed25519.pub"
    /usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
    /usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
    root@172.16.103.129's password: 
    
    Number of key(s) added: 1
    
    Now try logging into the machine, with:   "ssh 'root@172.16.103.129'"
    and check to make sure that only the key(s) you wanted were added.
    
    
    • 1
    • 2
    • 3
    • 4
    • 5
    • 6
    • 7
    • 8
    • 9
    • 10
    • 11
    • 12
    • 13
    • 14
    • 15
    • 16
    • 17
    • 18
    • 19
    • 20
    • 21
    • 22
    • 23
    • 24
    • 25
    • 26
    • 27
    • 28
    • 29
    • 30
    • 31
    • 32
    • 33

    在这里插入图片描述

    在这里插入图片描述

    最后,当然是直接ssh过去就OK了。


    💡总结

    故障到此已处理完毕,在查阅资料过程中,发现有一些场景是设置 git 中的ssh拉取而出现类似的故障现象,但归因都一致,都是sshd服务的相关设置和运用。

    遇到报错要学会查看日志,利用相关命令参数做debug,抽取关键信息进行搜索和检索。

    扎实的基础有利于排除故障并学习更多的知识和技能,共同努力,好好加油🤪。

    以上就是【金鱼哥】对 此次SSH免密操作所遇故障 的简述和讲解。希望能对看到此文章的小伙伴有所帮助。

    💾日常故障专栏系列:金鱼哥的TroubleShooting

    如果这篇【文章】有帮助到你,希望可以给【金鱼哥】点个赞👍,创作不易,相比官方的陈述,我更喜欢用【通俗易懂】的文笔去讲解每一个知识点。

    如果有对【运维技术】感兴趣,也欢迎关注❤️❤️❤️ 【金鱼哥】❤️❤️❤️,我将会给你带来巨大的【收获与惊喜】💕💕!

  • 相关阅读:
    Linux运维10:scp命令详解
    钉钉开放平台-小程序开发实战(钉钉小程序客户端)
    CSS基础框盒模型:打造炙手可热的网页布局!
    【华为机试真题 JAVA】免单统计-100
    c# .net8 香橙派orangepi + hc-04蓝牙 实例
    Spring boot测试找不到SpringRunner.class的问题
    《数字化与碳中和(园区篇)》报告正式发布,助力加快推进国家“双碳”战略实施
    python 抽象类
    新时代中国企业数字化转型之BI平台建设
    阅读mybatis的源码的思路
  • 原文地址:https://blog.csdn.net/qq_41765918/article/details/126837789