DSS no longer works!

ssh-dss key not in PubkeyAcceptedKeyTypes

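While stealing some spare time to tinker with a self-hosted, Jekyll-based blog, I found that no matter what I tried, I could not clone the newly created git repository over ssh from my beloved Linux.

The message was: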

Permission denied (publickey).
fatal: Could not read from remote repository.

Please make sure you have the correct access rights
and the repository exists.

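So I sank into an endless round of ssh checks and could not pull myself out:

  1. ssh-add -l showed nothing wrong with the contents of the ssh key agent
  2. ssh-keygen -l -f showed the fingerprint of each key, and no error was visible
  3. Went into Windows, where the clone through git bash failed, and found that plink on Windows had gone rusty from long disuse: it did not recognize GitHub's host key. Running putty github.com popped up the new host key dialog, and confirming it settled the matter.
  4. The clone finally succeeded under Windows.
  5. Tried once more to export the ppk on Windows to OpenSSH format, and found that a key exported a few years ago was already lying there...
  6. After all kinds of fiddling, the copied key was moved over to Linux and I thought all was well, but, but, but although diff -u showed that the newly arrived key was a new one, ssh-keygen -l -f said the two were the same...
  7. Out of options, I resorted to the worst of plans, ssh -vvvv git@github.com, and after a burst of garbage scrolling past finally found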
debug1: Skipping ssh-dss key /home/fktpp/.ssh/fktpp.openssh - not in PubkeyAcceptedKeyTypes

Google says (keyword: Skipping ssh-dss key not in PubkeyAcceptedKeyTypes)

stackexchange: ssh keeps skipping my pubkey and asking for a password

The new openssh version (7.0+) deprecated DSA keys and is not using DSA keys by default (not on server or client). The keys are not preferred to be used anymore, so if you can, I would recommend to use RSA keys where possible.

If you really need to use DSA keys, you need to explicitly allow them in your client config using

PubkeyAcceptedKeyTypes +ssh-dss

Should be enough to put that line in ~/.ssh/config, as the verbose message is trying to tell you.

perezdecastro.org: Locked out of SSH? Renew all the keys!

Looking at OpenSSH 7.0 release notes, there is the culprit:

  • Support for ssh-dss, ssh-dss-cert-* host and user keys is disabled by default at run-time. These may be re-enabled using the instructions at http://www.openssh.com/legacy.html

So it turns out that support for ssh-dss keys like the one I was trying to use is still available, but disabled by default.

Wrapping Up

This is the way things are going, so time to replace the key~~
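An added example, not part of the original post: a shell check that finds the DSA keys that OpenSSH 7.0+ skips, either by scanning a key directory or by filtering ssh -v output for the debug line shown above. The function names find_dsa_keys and skipped_keys and the sample key files are constructed for illustration.

```shell
#!/bin/sh
# Added example: locate DSA keys, which OpenSSH 7.0+ skips by default.

# Print each file in directory $1 that holds a DSA key: a public-key or
# authorized_keys line whose type field is ssh-dss, or a PEM private key
# with a DSA header. A file that only mentions "ssh-dss" does not match.
find_dsa_keys() {
    dir=$1
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        if grep -q -e '^-----BEGIN DSA PRIVATE KEY-----' "$f" ||
           grep -Eq '^([^#]*[[:space:]])?ssh-dss[[:space:]]+AAAA' "$f"; then
            printf '%s\n' "$f"
        fi
    done
}

# Read `ssh -v` output on stdin; print "TYPE PATH" for every key the client
# skipped because its type is not in PubkeyAcceptedKeyTypes.
skipped_keys() {
    sed -n 's/^debug1: Skipping \([^ ]*\) key \(.*\) - not in PubkeyAcceptedKeyTypes$/\1 \2/p'
}

# Demo on constructed input: fake key files in a throwaway directory.
demo=$(mktemp -d)
printf '%s\n' '-----BEGIN DSA PRIVATE KEY-----' 'CONSTRUCTED' \
    '-----END DSA PRIVATE KEY-----' > "$demo/old.openssh"
printf 'ssh-dss AAAAB3NzaC1kc3MCONSTRUCTED user@example\n' > "$demo/old.openssh.pub"
printf 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5CONSTRUCTED user@example\n' > "$demo/new.pub"
find_dsa_keys "$demo"
printf '%s\n' \
    'debug1: Skipping ssh-dss key /home/user/.ssh/old.openssh - not in PubkeyAcceptedKeyTypes' |
    skipped_keys
rm -rf "$demo"
```

Private keys stored in the newer "BEGIN OPENSSH PRIVATE KEY" container do not expose their type in the header, so for those the matching .pub file is what the scan catches.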

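New problem: agent refused operation

An ill-fated kid always runs into all kinds of setbacks!!

I went all out to replace the key: under Gnome I ran ssh-add -D, and was then shut out by one vicious message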

[fktpp@fedora workspace]$ git clone git@github.com:fktpp/fktpp.github.io.git
正克隆到 'fktpp.github.io'...
sign_and_send_pubkey: signing failed: agent refused operation
sign_and_send_pubkey: signing failed: agent refused operation
Permission denied (publickey).
fatal: Could not read from remote repository.

Please make sure you have the correct access rights
and the repository exists.

Google says (keyword: sign_and_send_pubkey: signing failed: agent refused operation)

I can see that nothing Google says here is reliable!!

Tried restarting Gnome by logging out and back in... no luck

Google goes on (keyword)

Chris Jean: Ubuntu ssh fix for agent admitted fail to sign using the key

After some digging, I found out that issues with the gnome-keyring were at fault. gnome-keyring doesn’t always handle specific formats of SSH keys correctly. Unfortunately, gnome-keyring was trying to handle all SSH key usage, preventing the keys from working.

Wrapping Up

To add a comment to the private key, I followed ssh-keygen's suggestion and used the -o option

What tenacious vitality a Linux user needs
