AWS CodeCommit: unable to authenticate via SSH after upgrading to Ubuntu 22.04 (Jammy)

Posted 2025-01-24 19:59:59

I just upgraded my desktop to Ubuntu 22.04. When I attempt to push to one of my git repos on AWS CodeCommit (using ssh) I get:

$ git push origin master
Unable to negotiate with 52.94.226.180 port 22: no matching host key type found. Their offer: ssh-rsa
fatal: Could not read from remote repository.

Please make sure you have the correct access rights
and the repository exists.

If I try the same thing on a computer that uses the previous version of Ubuntu, using the same keys and ssh configuration, the push succeeds:

$ git push origin master
[master 879fbb1] -
 1 file changed, 0 insertions(+), 0 deletions(-)
 create mode 100755 Blah.pdf
To ssh://git-codecommit.us-east-1.amazonaws.com/v1/repos/my_repo
   e360ec8..879fbb1  master -> master

I added HostKeyAlgorithms +ssh-rsa to the entry in ~/.ssh/config, so it looks like this:

Host git-codecommit.*.amazonaws.com
  HostKeyAlgorithms +ssh-rsa
  IdentityFile ~/.ssh/codecommit_rsa
  User XXXXXXXX

Now I get a different error:

$ git push origin master
[email protected]: Permission denied (publickey).
fatal: Could not read from remote repository.

Please make sure you have the correct access rights
and the repository exists.

Maybe this might help?

$ sudo scanssh -s ssh 52.94.226.180
52.94.226.180:22 SSH-2.0-AWSCodeCommit VGh1LCAyOCBBcHIgMjAyMiAyMDozOToyMSArMDAwMFRE84lk14QcsWNrhwqxNLNmRuhBFhi2T0uc9R+6yS0sQklQWVZaOGpobGJHYWdvUER3MHhUVTYzY3c5SzlXSEFNOTRYNWdKMW0yY3M9
Effective host scan rate: 1.02 hosts/s

Comments (1)

海螺姑娘 2025-01-31 19:59:59

Add the line PubkeyAcceptedKeyTypes +ssh-rsa as well to your entry in your ~/.ssh/config, so it looks like this:

Host git-codecommit.*.amazonaws.com
  IdentityFile ~/.ssh/codecommit_rsa
  User XXXXXXXX
  HostKeyAlgorithms +ssh-rsa
  PubkeyAcceptedKeyTypes +ssh-rsa

More information about the issue:

Ubuntu 22.04 ships with a new version of ssh (OpenSSH 8.9p1), while the previous Ubuntu versions used OpenSSH 8.4p1 or older.

There is a breaking change in OpenSSH 8.8p1 which disables RSA signatures using the SHA-1 hash algorithm by default.

From the OpenSSH release notes:

This release disables RSA signatures using the SHA-1 hash algorithm
by default. This change has been made as the SHA-1 hash algorithm is
cryptographically broken, and it is possible to create chosen-prefix
hash collisions for <USD$50K [1]

For most users, this change should be invisible and there is
no need to replace ssh-rsa keys. OpenSSH has supported RFC8332
RSA/SHA-256/512 signatures since release 7.2 and existing ssh-rsa keys
will automatically use the stronger algorithm where possible.

Incompatibility is more likely when connecting to older SSH
implementations that have not been upgraded or have not closely tracked
improvements in the SSH protocol. For these cases, it may be necessary
to selectively re-enable RSA/SHA1 to allow connection and/or user
authentication via the HostkeyAlgorithms and PubkeyAcceptedAlgorithms
options. For example, the following stanza in ~/.ssh/config will enable
RSA/SHA1 for host and user authentication for a single destination host:

Host old-host
    HostkeyAlgorithms +ssh-rsa
    PubkeyAcceptedAlgorithms +ssh-rsa

We recommend enabling RSA/SHA1 only as a stopgap measure until legacy
implementations can be upgraded or reconfigured with another key type
(such as ECDSA or Ed25519).

[1] "SHA-1 is a Shambles: First Chosen-Prefix Collision on SHA-1 and
Application to the PGP Web of Trust" Leurent, G and Peyrin, T
(2020) https://eprint.iacr.org/2020/014.pdf
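
An added example, not part of the answer above or of OpenSSH: a small audit of ssh_config text that reports where ssh-rsa (RSA/SHA-1) has been re-enabled, separating the half-configured state from the question (host key only), the scoped stopgap from the answer, and a re-enable that applies to every host. The function names and finding strings are this example's own; it checks each stanza separately and does not resolve overlapping Host patterns.

```python
import re

# Sample inputs: the question's stanza, and the same stanza plus the answer's line.
QUESTION_CONFIG = """Host git-codecommit.*.amazonaws.com
  HostKeyAlgorithms +ssh-rsa
  IdentityFile ~/.ssh/codecommit_rsa
  User XXXXXXXX
"""
ANSWER_CONFIG = QUESTION_CONFIG + "  PubkeyAcceptedKeyTypes +ssh-rsa\n"

# PubkeyAcceptedKeyTypes is the older spelling of PubkeyAcceptedAlgorithms.
PUBKEY = {"pubkeyacceptedalgorithms", "pubkeyacceptedkeytypes"}


def enables_ssh_rsa(value):
    """True if an algorithm list adds or sets the SHA-1 'ssh-rsa' algorithm."""
    if value.startswith("-"):  # '-' removes algorithms from the default set
        return False
    return "ssh-rsa" in value.lstrip("+^").split(",")


def audit(config_text):
    """Return [(host_patterns, finding)] for stanzas that re-enable ssh-rsa."""
    stanzas = [(["*"], set())]  # options before any Host line apply to all hosts
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        key, value = parts[0].lower(), (parts[1].strip() if len(parts) > 1 else "")
        if key == "host":
            stanzas.append((value.split(), set()))
        elif key == "match":
            stanzas.append((["match " + value.lower()], set()))
        elif key == "hostkeyalgorithms" and enables_ssh_rsa(value):
            stanzas[-1][1].add("host")
        elif key in PUBKEY and enables_ssh_rsa(value):
            stanzas[-1][1].add("user")
    findings = []
    for patterns, enabled in stanzas:
        if not enabled:
            continue
        if "*" in patterns or patterns == ["match all"]:
            findings.append((patterns, "ssh-rsa re-enabled for every host"))
        elif enabled == {"host"}:
            findings.append((patterns, "host key only: client still will not sign with ssh-rsa"))
        elif enabled == {"user"}:
            findings.append((patterns, "user auth only: ssh-rsa host key still refused"))
        else:
            findings.append((patterns, "scoped stopgap: host and user auth both enabled"))
    return findings
```

For the values that actually apply to one destination after all stanzas are merged, `ssh -G <host>` prints the effective client configuration.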
