在 MacOS Catalina 10.15.5 上使用公钥的 SSH 身份验证失败

【问题标题】:SSH authentication with publickey failed on MacOS Catalina 10.15.5在 MacOS Catalina 10.15.5 上使用公钥的 SSH 身份验证失败
【发布时间】:2020-09-22 23:12:39
【问题描述】:

今天将我的 Macbook 升级到 MacOS Catalina 10.15.5 后,所有 SSH 身份验证突然无法使用公钥并一直要求输入密码。这发生在 git 操作(fetchpullpush 等)和普通的 ssh 命令(如ssh -T user@host)上。

这里是运行ssh -T git@github.com时的日志:

The authenticity of host 'github.com (13.229.188.59)' can't be established.
ECDSA key fingerprint is SHA256:<removed>.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added 'github.com,13.229.188.59' (ECDSA) to the list of known hosts.
git@github.com's password:

以及运行时的日志ssh -vv git@github.com:

OpenSSH_8.1p1, LibreSSL 2.7.3
debug1: Reading configuration data /Users/ethanify/.ssh/config
debug1: /Users/ethanify/.ssh/config line 1: Applying options for *
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 47: Applying options for *
debug1: Connecting to github.com port 22.
debug1: Connection established.
debug1: identity file /Users/ethanify/.ssh/id_rsa type 0
debug1: identity file /Users/ethanify/.ssh/id_rsa-cert type -1
debug1: Local version string SSH-2.0-OpenSSH_8.1
debug1: Remote protocol version 2.0, remote software version OpenSSH_5.8
debug1: match: OpenSSH_5.8 pat OpenSSH_5* compat 0x0c000002
debug1: Authenticating to github.com:22 as 'git'
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug2: local client KEXINIT proposal
debug2: KEX algorithms: curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256,diffie-hellman-group14-sha1,ext-info-c
debug2: host key algorithms: ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521-cert-v01@openssh.com,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-ed25519-cert-v01@openssh.com,rsa-sha2-512-cert-v01@openssh.com,rsa-sha2-256-cert-v01@openssh.com,ssh-rsa-cert-v01@openssh.com,ssh-ed25519,rsa-sha2-512,rsa-sha2-256,ssh-rsa
debug2: ciphers ctos: chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com
debug2: ciphers stoc: chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com
debug2: MACs ctos: umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1
debug2: MACs stoc: umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1
debug2: compression ctos: none,zlib@openssh.com,zlib
debug2: compression stoc: none,zlib@openssh.com,zlib
debug2: languages ctos:
debug2: languages stoc:
debug2: first_kex_follows 0
debug2: reserved 0
debug2: peer server KEXINIT proposal
debug2: KEX algorithms: ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
debug2: host key algorithms: ssh-rsa,ssh-dss,ecdsa-sha2-nistp256
debug2: ciphers ctos: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se
debug2: ciphers stoc: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se
debug2: MACs ctos: hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: MACs stoc: hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: compression ctos: none,zlib@openssh.com
debug2: compression stoc: none,zlib@openssh.com
debug2: languages ctos:
debug2: languages stoc:
debug2: first_kex_follows 0
debug2: reserved 0
debug1: kex: algorithm: ecdh-sha2-nistp256
debug1: kex: host key algorithm: ecdsa-sha2-nistp256
debug1: kex: server->client cipher: aes128-ctr MAC: umac-64@openssh.com compression: none
debug1: kex: client->server cipher: aes128-ctr MAC: umac-64@openssh.com compression: none
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug1: Server host key: ecdsa-sha2-nistp256 SHA256:Gwbn26Gf3nYoWOlYU+zedfN1+/xarK1IGY8Q0hRKn5I
debug1: Host 'github.com' is known and matches the ECDSA host key.
debug1: Found key in /Users/ethanify/.ssh/known_hosts:1
debug2: set_newkeys: mode 1
debug1: rekey out after 4294967296 blocks
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug2: set_newkeys: mode 0
debug1: rekey in after 4294967296 blocks
debug1: Will attempt key: /Users/ethanify/.ssh/id_rsa RSA SHA256:gjCBKBqeUDLkQTwHEZ8/Nfg+MgQqJfZSKHBvJziCtAw agent
debug1: Will attempt key: /Users/ethanify/.ssh/id_rsa RSA SHA256:r/tGt0RaElw9VBSO5dtXxtH0TvsAkY63MlQe/xnZGlk explicit
debug2: pubkey_prepare: done
debug2: service_accept: ssh-userauth
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey,password,keyboard-interactive
debug1: Next authentication method: publickey
debug1: Offering public key: /Users/ethanify/.ssh/id_rsa RSA SHA256:<removed> agent
debug2: we sent a publickey packet, wait for reply
debug1: Authentications that can continue: publickey,password,keyboard-interactive
debug1: Offering public key: /Users/ethanify/.ssh/id_rsa RSA SHA256:<removed> explicit
debug2: we sent a publickey packet, wait for reply
debug1: Authentications that can continue: publickey,password,keyboard-interactive
debug2: we did not send a packet, disable method
debug1: Next authentication method: keyboard-interactive
debug2: userauth_kbdint
debug2: we sent a keyboard-interactive packet, wait for reply
debug1: Authentications that can continue: publickey,password,keyboard-interactive
debug2: we did not send a packet, disable method
debug1: Next authentication method: password
git@github.com's password:

~/.ssh/config的内容:

Host *
  AddKeysToAgent yes
  UseKeychain yes
  IdentityFile ~/.ssh/id_rsa

到目前为止我已经尝试过(但不起作用)的事情:

  • 删除旧的 SSH 密钥并使用 the official instructions from Github 创建新密钥
  • chmoding ~/.ssh 文件夹内容: 
    $ ls -l ~/.ssh
-rw-r--r-- 1 ethanify staff   75 config
-r-------- 1 ethanify staff 3.4K id_rsa
-r--r--r-- 1 ethanify staff  748 id_rsa.pub
-rw-r--r-- 1 ethanify staff  537 known_hosts
  • 生成新的 ED25519 密钥: 
    $ ssh-keygen -o -a 100 -t ed25519 -f ~/.ssh/id_ed25519 -C "my email"

系统信息:

  • 操作系统:macOS Catalina 10.15.5 19F101 x86_64
  • 主持人:MacBookPro11,5
  • 内核:19.5.0
  • ssh 版本:OpenSSH_8.1p1, LibreSSL 2.7.3

现在我该如何摆脱它?

【问题讨论】:

    标签: git macos ssh macos-catalina public-key


    【解决方案1】:

    GitHub 的官方说明使用的是 rsa 密钥,而不是 ed25519。

    尝试创建一个,无需密码。
    或者至少,check in the Keychain Access.app 为该密钥记录的密码是正确的。

    话虽如此,这是真的there was a but with SSH recently

    问题在于,在 Apple 的 macOS 10.15.4 更新中,released on March 24 尝试使用服务器名称而不是 IP 地址打开到大于 8192 的端口的 SSH 连接不再有效 - 对于某些用户来说最少。

    但这不应该是你的情况(并且是reported fixed with 10.15.5)。

    【讨论】:

      猜你喜欢
      • 1970-01-01
      • 1970-01-01
      • 1970-01-01
      • 1970-01-01
      • 1970-01-01
      • 2014-04-16
      • 2018-09-22
      • 2013-07-08
      • 2014-05-20
      相关资源
      最近更新 更多
      热门标签
      Java Python linux javascript Mysql C# Docker 算法 前端 SpringBoot Redis Vue spring 设计模式 .net core .net kubernetes c++ 数据库 数据结构 大数据 js 机器学习 微服务 Android Go 程序员 面试 JVM ASP.net core 云原生 人工智能 后端 PHP git CSS golang k8s Nginx Django mybatis 深度学习 多线程 React 架构 devops 爬虫 云计算 Spring Boot LeetCode