Poison

OpenSSH

发表于

OpenSSH 8.8 存在不兼容的改动,导致 macOS 升级至 Ventura 后因 macOS 上的 OpenSSH 版本升级至了 9.0 后当连接的服务端 OpenSSH 版本为低版本(如:6.6.1)时 SSH 连接时无可互用的签名算法导致提示输入密码(服务端允许密码登录时)或者直接提示 Permission denied, please try again.(服务端不允许密码登录时)。如果使用 verbose 模式查看 ssh 时的 debug 信息,可以发现如下输出:

1
2
3
4
5
6
7
8
debug1: send_pubkey_test: no mutual signature algorithm
debug1: Trying private key: /Users/Poison/.ssh/id_ecdsa
debug1: Trying private key: /Users/Poison/.ssh/id_ecdsa_sk
debug1: Trying private key: /Users/Poison/.ssh/id_ed25519
debug1: Trying private key: /Users/Poison/.ssh/id_ed25519_sk
debug1: Trying private key: /Users/Poison/.ssh/id_xmss
debug1: Trying private key: /Users/Poison/.ssh/id_dsa
debug1: Next authentication method: password

建议的解决方案为升级服务端的 OpenSSH 版本,如果实在无法升级,则推荐修改客户端 ssh 配置临时启用使用 SHA-1 哈希算法的 RSA 签名。OpenSSH 8.8 Release 文档中关于此部分的描述如下:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
Potentially-incompatible changes
================================

This release disables RSA signatures using the SHA-1 hash algorithm
by default. This change has been made as the SHA-1 hash algorithm is
cryptographically broken, and it is possible to create chosen-prefix
hash collisions for <USD$50K [1]

For most users, this change should be invisible and there is
no need to replace ssh-rsa keys. OpenSSH has supported RFC8332
RSA/SHA-256/512 signatures since release 7.2 and existing ssh-rsa keys
will automatically use the stronger algorithm where possible.

Incompatibility is more likely when connecting to older SSH
implementations that have not been upgraded or have not closely tracked
improvements in the SSH protocol. For these cases, it may be necessary
to selectively re-enable RSA/SHA1 to allow connection and/or user
authentication via the HostkeyAlgorithms and PubkeyAcceptedAlgorithms
options. For example, the following stanza in ~/.ssh/config will enable
RSA/SHA1 for host and user authentication for a single destination host:

    Host old-host
        HostkeyAlgorithms +ssh-rsa
        PubkeyAcceptedAlgorithms +ssh-rsa

We recommend enabling RSA/SHA1 only as a stopgap measure until legacy
implementations can be upgraded or reconfigured with another key type
(such as ECDSA or Ed25519).

[1] "SHA-1 is a Shambles: First Chosen-Prefix Collision on SHA-1 and
    Application to the PGP Web of Trust" Leurent, G and Peyrin, T
    (2020) https://eprint.iacr.org/2020/014.pdf
Reference

OpenSSH - release 8.8
ssh(1) - Linux manual page