创建授权密钥:ssh-keygen -C“your@email.com”-t dsa。公钥发送给git管理员。通过为Windows配置ssh-agent来设置密码短语缓存。该过程在http://help.github.com/ssh-key-passphrases/ Created .bash_profile中描述。现在,如果我使用旧的git 1.9.5(openSSH 6.6.1)在控制台中工作,它只需要一次密码,我可以克隆/拉/取/推,验证是正确的:
$ ssh -vT -p 52967 git@some-repo.com
OpenSSH_6.6.1, OpenSSL 1.0.1i 6 Aug 2014
debug1: Connecting to some-repo.com [XX.XX.XX.XX] port 52967.
debug1: Connection established.
debug1: identity file /c/Users/MyName/.ssh/id_rsa type -1
debug1: identity file /c/Users/MyName/.ssh/id_rsa-cert type -1
debug1: identity file /c/Users/MyName/.ssh/id_dsa type 2
debug1: identity file /c/Users/MyName/.ssh/id_dsa-cert type -1
debug1: identity file /c/Users/MyName/.ssh/id_ecdsa type -1
debug1: identity file /c/Users/MyName/.ssh/id_ecdsa-cert type -1
debug1: identity file /c/Users/MyName/.ssh/id_ed25519 type -1
debug1: identity file /c/Users/MyName/.ssh/id_ed25519-cert type -1
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_6.6.1
debug1: Remote protocol version 2.0, remote software version OpenSSH_5.9p1 Debia
n-5ubuntu1.8
debug1: match: OpenSSH_5.9p1 Debian-5ubuntu1.8 pat OpenSSH_5* compat 0x0c000000
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client aes128-ctr hmac-md5 none
debug1: kex: client->server aes128-ctr hmac-md5 none
debug1: sending SSH2_MSG_KEX_ECDH_INIT
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug1: Server host key: RSA aa:a3:0a:32:c2:88:75:a5:5a:c2:05:e6:4b:b1:a0:76
debug1: Host '[some-repo.com]:52967' is known and matches the RSA host
key.
debug1: Found key in /c/Users/MyName/.ssh/known_hosts:1
debug1: ssh_rsa_verify: signature correct
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: Roaming not allowed by server
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey,password
debug1: Next authentication method: publickey
debug1: Offering DSA public key: /c/Users/MyName/.ssh/id_dsa
debug1: Server accepts key: pkalg ssh-dss blen 435
debug1: Authentication succeeded (publickey).
Authenticated to some-repo.com ([XX.XX.XX.XX]:52967).
debug1: channel 0: new [client-session]
debug1: Requesting no-more-sessions@openssh.com
debug1: Entering interactive session.
debug1: Remote: Forced command.
debug1: Remote: Port forwarding disabled.
debug1: Remote: X11 forwarding disabled.
debug1: Remote: Agent forwarding disabled.
debug1: Remote: Pty allocation disabled.
debug1: Remote: Forced command.
debug1: Remote: Port forwarding disabled.
debug1: Remote: X11 forwarding disabled.
debug1: Remote: Agent forwarding disabled.
debug1: Remote: Pty allocation disabled.
hello MyName, this is git@some-repo-svn running gitolite3 v3.2-10-g2741fad on gi
t 1.7.9.5
... Repo list here ...
debug1: client_input_channel_req: channel 0 rtype exit-status reply 0
debug1: client_input_channel_req: channel 0 rtype eow@openssh.com reply 0
debug1: channel 0: free: client-session, nchannels 1
Transferred: sent 3408, received 3792 bytes, in 1.6 seconds
Bytes per second: sent 2108.9, received 2346.5
debug1: Exit status 0
但是,如果我使用现代2.7.1 Git(OpenSSH_7.1),我会收到错误:
$ ssh -vT -p 52967 git@some-repo.com
OpenSSH_7.1p2, OpenSSL 1.0.2d 9 Jul 2015
debug1: Reading configuration data /c/Users/MyName/.ssh/config
debug1: /c/Users/MyName/.ssh/config line 1: Applying options for some-repo.com
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Connecting to some-repo.com [XX.XX.XX.XX] port 52967.
debug1: Connection established.
debug1: key_load_public: No such file or directory
debug1: identity file /c/Users/MyName/.ssh/id_rsa type -1
debug1: key_load_public: No such file or directory
debug1: identity file /c/Users/MyName/.ssh/id_rsa-cert type -1
debug1: identity file /c/Users/MyName/.ssh/id_dsa type 2
debug1: key_load_public: No such file or directory
debug1: identity file /c/Users/MyName/.ssh/id_dsa-cert type -1
debug1: key_load_public: No such file or directory
debug1: identity file /c/Users/MyName/.ssh/id_ecdsa type -1
debug1: key_load_public: No such file or directory
debug1: identity file /c/Users/MyName/.ssh/id_ecdsa-cert type -1
debug1: key_load_public: No such file or directory
debug1: identity file /c/Users/MyName/.ssh/id_ed25519 type -1
debug1: key_load_public: No such file or directory
debug1: identity file /c/Users/MyName/.ssh/id_ed25519-cert type -1
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_7.1
debug1: Remote protocol version 2.0, remote software version OpenSSH_5.9p1 Debian-5ubuntu1.8
debug1: match: OpenSSH_5.9p1 Debian-5ubuntu1.8 pat OpenSSH_5* compat 0x0c000000
debug1: Authenticating to some-repo.com:52967 as 'git'
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client aes128-ctr umac-64@openssh.com none
debug1: kex: client->server aes128-ctr umac-64@openssh.com none
debug1: sending SSH2_MSG_KEX_ECDH_INIT
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug1: Server host key: ssh-rsa SHA256:Zw5XXi0GgafMm6AhcKnNw+GzqkotZwXZYPWrZogG9KQ
debug1: Host '[some-repo.com]:52967' is known and matches the RSA host key.
debug1: Found key in /c/Users/MyName/.ssh/known_hosts:1
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey,password
debug1: Next authentication method: publickey
debug1: Skipping ssh-dss key /c/Users/MyName/.ssh/id_dsa for not in PubkeyAcceptedKeyTypes
debug1: Trying private key: /c/Users/MyName/.ssh/id_rsa
debug1: Trying private key: /c/Users/MyName/.ssh/id_ecdsa
debug1: Trying private key: /c/Users/MyName/.ssh/id_ed25519
debug1: Next authentication method: password
git@some-repo.com's password:
debug1: Authentications that can continue: publickey,password
Permission denied, please try again.
git@some-repo.com's password:
debug1: Authentications that can continue: publickey,password
Permission denied, please try again.
git@some-repo.com's password:
debug1: Authentications that can continue: publickey,password
debug1: No more authentication methods to try.
Permission denied (publickey,password).
ssh config包含行:
Host some-repo.com
KexAlgorithms +diffie-hellman-group1-sha1
然而它没有帮助。这里的问题是服务器使用旧的Git(git 1.7上的gitolite3 v3.2-10-g2741fad)/ SSH(OpenSSH_5.9p1),没有理由在客户端上使用最新的Git?
答案 0 :(得分:2)
来自https://www.gentoo.org/support/news-items/2015-08-13-openssh-weak-keys.html:
从OpenSSH的7.0版开始,支持ssh-dss键 由于其继承的弱点,在运行时默认被禁用 ...
如果您遇到DSA密钥,则可以重新启用支持 在本地更新您的sshd_config和~/.ssh/config文件 像这样的行:PubkeyAcceptedKeyTypes=+ssh-dss请注意,最终OpenSSH将放弃对DSA密钥的支持 完全,所以这只是一个停止差距解决方案。
因此,现在的解决方案是将PubkeyAcceptedKeyTypes=+ssh-dss添加到您的ssh客户端配置。
答案 1 :(得分:0)
(我已经发表评论说这不是答案......但也许是这样)
第二个日志说
debug1: Skipping ssh-dss key /c/Users/MyName/.ssh/id_dsa for not in PubkeyAcceptedKeyTypes
新服务器很可能禁止使用DSA密钥(因为它们太脆弱且过时)。请改用RSA密钥。在这里我使用了4096位... 2048也应该没问题,但在我看来并不是很有前途的证明;请参阅https://www.keylength.com/,了解您的想法。 ssh服务器使用高效的对称密钥来完成大部分工作,因此无论如何它都不是一个重要的性能问题......所以不要担心。生成它只需要更长的时间,这是一次。
ssh-keygen -C “your@email.com” -t rsa -b 4096
即使可以重新配置此服务器,也不要使用DSA密钥...它们是固定长度的1024位,这是今天标准的弱点,已经过时多年了。这些天2048位几乎不够(现在已足够,但未来证明不足)。见https://security.stackexchange.com/questions/5096/rsa-vs-dsa-for-ssh-authentication-keys