SSH key login: not in PubkeyAcceptedKeyTypes

Typing a password every time I log in to the server is tedious, so today I casually set up key login:

fanshengshuai >>> ssh-keygen -t dsa                               18-11-20 9:48
Generating public/private dsa key pair.
Enter file in which to save the key (/home/fanshengshuai/.ssh/id_dsa): 
Enter passphrase (empty for no passphrase): 
Enter same passphrase again: 
Your identification has been saved in /home/fanshengshuai/.ssh/id_dsa.
Your public key has been saved in /home/fanshengshuai/.ssh/id_dsa.pub.
The key fingerprint is:
SHA256:Drq2qj+9VYIQBvXj9j2BGfHCUNAjcNe70eVTGh48C8c fanshengshuai@archlinux
The key's randomart image is:
+---[DSA 1024]----+
|.o=.+++.   o     |
| . +.+oo. . E .  |
|  . o.+..o * B   |
|   o o =o . *    |
|    + = So   .   |
|   . o *..       |
|   .. o +        |
|  . oo   .       |
|.oo++o           |
+----[SHA256]-----+

After I saved the contents of ~/.ssh/id_dsa.pub on the server, I still could not log in. Running ssh -v showed this message:

debug1: Skipping ssh-dss key /home/fanshengshuai/.ssh/id_dsa - not in PubkeyAcceptedKeyTypes

A web search showed that OpenSSH 7.0 and later disable ssh-dss by default. Let's check our ssh version:

fanshengshuai >>> ssh -V                                         18-11-20 10:07
OpenSSH_7.9p1, OpenSSL 1.1.1  11 Sep 2018

It is already 7.9, so we enable ssh-dss as follows:

fanshengshuai >>> sudo vim /etc/ssh/ssh_config

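Note that this is ssh_config, the local client configuration file, not sshd_config on the server.
Find # Host *, uncomment it, and add the line PubkeyAcceptedKeyTypes=+ssh-dss below it. The result looks like this: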

Host *
    PubkeyAcceptedKeyTypes=+ssh-dss

After saving, you can log in to the server with the DSA key.

But think about it: why did OpenSSH abandon DSA? It must have its problems. Here is the quoted explanation:

Starting with the 7.0 release of OpenSSH, support for ssh-dss keys has
been disabled by default at runtime due to their inherit weakness. If
you rely on these key types, you will have to take corrective action or
risk being locked out.

Your best option is to generate new keys using strong algos such as rsa
or ecdsa or ed25519. RSA keys will give you the greatest portability
with other clients/servers while ed25519 will get you the best security
with OpenSSH (but requires recent versions of client & server).

If you are stuck with DSA keys, you can re-enable support locally by
updating your sshd_config and ~/.ssh/config files with lines like so:
PubkeyAcceptedKeyTypes=+ssh-dss

Be aware though that eventually OpenSSH will drop support for DSA keys
entirely, so this is only a stop gap solution.

More details can be found on OpenSSH’s website:
http://www.openssh.com/legacy.html

So it is better to choose a supported key algorithm whenever possible.
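
An added example, not part of the original post: a POSIX shell function that scans authorized_keys or .pub files for remaining ssh-dss entries, so they can be replaced rather than re-enabling DSA. The names find_dss_keys and write_sample and the sample entries (placeholder blobs) are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit authorized_keys / *.pub files for ssh-dss keys.

# find_dss_keys FILE...
# Prints "file:line: comment" per DSA key; returns 1 if any was found.
find_dss_keys() {
    awk '
        /^[ \t]*(#|$)/ { next }               # skip comments and blank lines
        {
            line = $0
            # Remove quoted option values (command="...", from="...") so
            # text inside them is never read as a key type.
            gsub(/"([^"\\]|\\.)*"/, "", line)
            n = split(line, f, /[ \t]+/)
            for (i = 1; i <= n; i++) {
                # The first token that looks like a key type ends the options.
                if (f[i] !~ /^(ssh-|ecdsa-|sk-)/) continue
                if (f[i] ~ /^ssh-dss/) {
                    # Layout: type, base64 blob, optional comment (first word).
                    printf "%s:%d: %s\n", FILENAME, FNR, (i + 2 <= n ? f[i + 2] : "-")
                    found = 1
                }
                break
            }
        }
        END { exit found ? 1 : 0 }
    ' "$@"
}

# write_sample PATH: constructed authorized_keys content; blobs are placeholders.
write_sample() {
    cat > "$1" <<'EOF'
# constructed sample, not real keys
ssh-ed25519 AAAAplaceholder alice@laptop
ssh-dss AAAAplaceholder fanshengshuai@archlinux
command="echo ssh-dss AAAA x",no-pty ssh-rsa AAAAplaceholder backup@host
from="10.0.0.*",no-agent-forwarding ssh-dss AAAAplaceholder legacy@router
ssh-rsa AAAAplaceholder note about ssh-dss migration
EOF
}

sample=$(mktemp)
write_sample "$sample"
find_dss_keys "$sample" || echo "DSA keys found: replace them, e.g. with ssh-keygen -t ed25519"
rm -f "$sample"
```

On a real system, run it as find_dss_keys ~/.ssh/authorized_keys ~/.ssh/*.pub; only lines 3 and 5 of the sample are reported, because the ssh-dss text inside a quoted option or a comment is ignored.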
