While using Git on Win10 I ran into a strange problem: ssh -T [email protected] works, but git clone xxx.git fails, and I could not work out why.
The details are as follows:
~$ ssh -T [email protected]
Hi lzimd! You've successfully authenticated, but GITEE.COM does not provide shell access.
~$ git clone [email protected]:xxx/xxxxxx.git
[email protected]: Permission denied (publickey).
fatal: Could not read from remote repository.
Please make sure you have the correct access rights
and the repository exists.
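Investigation
A post I found online (sinat_42483341) pointed out that the failure may be caused by a failed negotiation of the SSH-RSA key signature algorithm.
After checking, the SSH package in use is the one in C:\Windows\System32\OpenSSH, version OpenSSH_for_Windows_8.1p1, LibreSSL 3.0.2, while the git package is git-for-windows 2.33.1.windows.1, whose bundled ssh is OpenSSH_8.8p1, OpenSSL 1.1.1l 24 Aug 2021.
The difference is that OpenSSH 8.8 disables ssh-rsa (RSA signatures using SHA-1) by default.
With GitHub, the negotiated algorithm is rsa-sha2-512, so authentication goes through.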
# gitee
host key algorithms: ssh-rsa,ssh-dss,ecdsa-sha2-nistp256,ssh-ed25519
# github
server-sig-algs=<[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],ssh-ed25519,ecdsa-sha2-nistp521,ecdsa-sha2-nistp384,ecdsa-sha2-nistp256,rsa-sha2-512,rsa-sha2-256,ssh-rsa,ssh-dss>
Solutions
- Use ECDSA or Ed25519.
ssh-keygen -t ed25519 -C "[email protected]"
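- As a temporary workaround, set PubkeyAcceptedKeyTypes +ssh-rsa. This re-enables SHA-1 RSA signatures, so it is best limited to a Host block for the affected server in the ssh config file rather than applied globally.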
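The negotiation behind both the failure and the two fixes, as an added example that is not from the original post and is not OpenSSH source code. It is a simplified model; the client lists are constructed and abbreviated, and it assumes the gitee server sent no server-sig-algs extension, as the debug output above suggests.

```python
# Added example: simplified model of how an OpenSSH client picks the
# signature algorithm for public-key auth. Not OpenSSH source code.

# Key type each signature algorithm name belongs to.
SIG_KEY_TYPE = {
    "ssh-rsa": "rsa", "rsa-sha2-256": "rsa", "rsa-sha2-512": "rsa",
    "ssh-ed25519": "ed25519",
}
# Algorithm name used when the signature type equals the key type.
BASE_NAME = {"rsa": "ssh-rsa", "ed25519": "ssh-ed25519"}

# Constructed, abbreviated client defaults (the real lists are longer).
CLIENT_8_1 = "ssh-ed25519,rsa-sha2-512,rsa-sha2-256,ssh-rsa"
CLIENT_8_8 = "ssh-ed25519,rsa-sha2-512,rsa-sha2-256"  # ssh-rsa dropped

# Plain entries from the GitHub server-sig-algs line quoted above.
GITHUB_SIG_ALGS = ("ssh-ed25519,ecdsa-sha2-nistp521,ecdsa-sha2-nistp384,"
                   "ecdsa-sha2-nistp256,rsa-sha2-512,rsa-sha2-256,ssh-rsa,ssh-dss")
GITEE_SIG_ALGS = None  # assumption: no server-sig-algs extension was sent


def pick_sig_alg(key_type, client_accepted, server_sig_algs):
    """Return the signature algorithm the client would use, or None."""
    accepted = client_accepted.split(",")
    # Non-RSA keys, or a server without the RFC 8308 extension: the only
    # candidate is the key's own name, filtered by the client's config.
    if key_type != "rsa" or server_sig_algs is None:
        base = BASE_NAME[key_type]
        return base if base in accepted else None
    # RSA key and the server listed its algorithms: take the first RSA
    # entry in the client's list that the server also supports.
    offered = set(server_sig_algs.split(","))
    for alg in accepted:
        if SIG_KEY_TYPE.get(alg) == "rsa" and alg in offered:
            return alg
    return None


if __name__ == "__main__":
    cases = [
        ("8.1 client, RSA key, gitee", "rsa", CLIENT_8_1, GITEE_SIG_ALGS),
        ("8.8 client, RSA key, gitee", "rsa", CLIENT_8_8, GITEE_SIG_ALGS),
        ("8.8 client, RSA key, github", "rsa", CLIENT_8_8, GITHUB_SIG_ALGS),
        ("8.8 client, Ed25519 key, gitee", "ed25519", CLIENT_8_8, GITEE_SIG_ALGS),
        ("8.8 client +ssh-rsa, RSA key, gitee", "rsa", CLIENT_8_8 + ",ssh-rsa", GITEE_SIG_ALGS),
    ]
    for label, key_type, client, server in cases:
        print(f"{label}: {pick_sig_alg(key_type, client, server) or 'no mutual signature algorithm'}")
```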
References
- host key algorithms and server-sig-algs
- https://confluence.atlassian.com/bitbucketserverkb/ssh-rsa-key-rejected-with-message-no-mutual-signature-algorithm-1026057701.html
- https://www.openssh.com/txt/release-8.8
- https://datatracker.ietf.org/doc/html/rfc8308
- https://datatracker.ietf.org/doc/html/rfc8332
Addendum
I ran into a bug in pipenv 2021.11.5.post0; noting it here.