Client
[root@VM_99_101_centos ~]# ssh -i "aws-v2ray.pem" ubuntu@ec2-18-136-213-37.ap-southeast-1.compute.amazonaws.com
Permission denied (publickey).
Server-side log /var/log/auth.log
May 15 09:29:59 ip-172-31-17-152 sshd[2468]: userauth_pubkey: key type ssh-rsa not in PubkeyAcceptedAlgorithms [preauth]
May 15 09:29:59 ip-172-31-17-152 sshd[2468]: Connection closed by authenticating user ubuntu 118.89.182.50 port 34870 [preauth]
Cause
There are several types of keys and signature algorithms in the SSH protocol. RSA keys, which have the key type ssh-rsa, can be used to sign with SHA-1 (in which case, the signature type is ssh-rsa), SHA-256 (which has signature type rsa-sha2-256), or SHA-512 (which has signature type rsa-sha2-512).
What you're seeing here is that you're connecting with an RSA key and using the ssh-rsa signature type with SHA-1. Unfortunately, SHA-1 is no longer secure, and the server is telling you that it won't accept that signature type. This is the right thing to do, because it avoids any security problems.
You can solve this in a couple different ways. First, you can simply upgrade PuTTY. The latest version supports the SHA-2 signature algorithms (SHA-256 and SHA-512), and so things should just work. You can also generate a different SSH key, say, an Ed25519 key, which is considered the most recommended option by Mozilla, GitHub, and other reputable parties. Note that PuTTY classes these as EdDSA keys, which is the more generic term; you want the 255 or 256 bit option.
You could also adjust PubkeyAcceptedKeyTypes in /etc/ssh/sshd_config on the server side to include ssh-rsa (you should also include all of the other options in ssh -Q sig as well if you do this). However, this means you're using insecure SHA-1 signatures and thus you probably want to choose one of the other options instead.
Solution 1
On the server, add the following configuration, then restart the sshd service.
# /etc/ssh/sshd_config
PubkeyAcceptedAlgorithms +ssh-rsa
# sudo systemctl restart sshd
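Before leaving ssh-rsa enabled server-wide, it helps to know which users and source addresses are actually being refused for this reason, so those clients can be upgraded or moved to a new key instead. The following is an added example, not part of the original post: it pairs each userauth_pubkey rejection in auth.log with the "Connection closed" line from the same sshd PID. The function name and every sample line after the first two are constructed for illustration.

```python
import re
from collections import defaultdict

# Sample in the auth.log format shown above. The first two lines are the
# page's own; the remaining lines are constructed for this example.
SAMPLE_LOG = """\
May 15 09:29:59 ip-172-31-17-152 sshd[2468]: userauth_pubkey: key type ssh-rsa not in PubkeyAcceptedAlgorithms [preauth]
May 15 09:29:59 ip-172-31-17-152 sshd[2468]: Connection closed by authenticating user ubuntu 118.89.182.50 port 34870 [preauth]
May 15 09:31:02 ip-172-31-17-152 sshd[2501]: Accepted publickey for ubuntu from 203.0.113.7 port 50122 ssh2: ED25519 SHA256:constructed
May 15 09:40:11 ip-172-31-17-152 sshd[2533]: userauth_pubkey: key type ssh-rsa not in PubkeyAcceptedAlgorithms [preauth]
May 15 09:40:11 ip-172-31-17-152 sshd[2533]: Connection closed by authenticating user deploy 198.51.100.23 port 41000 [preauth]
May 15 09:41:00 ip-172-31-17-152 sshd[2540]: Connection closed by authenticating user root 192.0.2.9 port 2222 [preauth]
"""

# The rejection line names the key type but not the user or address;
# the close line from the same sshd PID carries those.
REJECT = re.compile(
    r"sshd\[(\d+)\]: userauth_pubkey: key type (\S+) not in PubkeyAcceptedAlgorithms")
CLOSED = re.compile(
    r"sshd\[(\d+)\]: Connection closed by authenticating user (\S+) (\S+) port \d+")

def rejected_clients(log_text):
    """Return {(user, source_ip, key_type): count} for refused key types."""
    pending = {}              # sshd PID -> key type that was refused
    hits = defaultdict(int)
    for line in log_text.splitlines():
        m = REJECT.search(line)
        if m:
            pending[m.group(1)] = m.group(2)
            continue
        m = CLOSED.search(line)
        # Count a close only if this PID logged a key-type rejection first;
        # closes for other reasons (PID 2540 above) are ignored.
        if m and m.group(1) in pending:
            key_type = pending.pop(m.group(1))
            hits[(m.group(2), m.group(3), key_type)] += 1
    return dict(hits)

if __name__ == "__main__":
    for (user, ip, key_type), n in sorted(rejected_clients(SAMPLE_LOG).items()):
        print(f"{user}@{ip}: {key_type} refused {n} time(s)")
```

To run it against a real server, pass the contents of /var/log/auth.log to rejected_clients() in place of SAMPLE_LOG.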