[SSH] ssh connection error: sign_and_send_pubkey: no mutual signature supported
Today, after updating macOS, I tried to ssh into an EC2 server (using -i to specify the identity_file)
Command: ssh -i "test.pem" ubuntu@ec2-xx-xx-xx-x.ap-northeast-1.compute.amazonaws.com
Instead of logging in, it showed a password prompt
sign_and_send_pubkey: no mutual signature supported
ubuntu@ec2-xx-xx-xx-x.ap-northeast-1.compute.amazonaws.com's password:
Use ssh -vvv to see a more detailed log
Command: ssh -vvv -i "test.pem" ubuntu@ec2-xx-xx-xx-x.ap-northeast-1.compute.amazonaws.com
Log:
...
debug1: Will attempt key: /Users/stan/.ssh/test.pem RSA SHA256:aaabbbcccxxxyyyzzz agent
debug1: Will attempt key: stan@MacBook-Pro.local RSA SHA256:111222333777888999/oMw agent
debug1: Will attempt key: test.pem explicit
debug2: pubkey_prepare: done
debug1: Offering public key: /Users/stan/.ssh/test.pem RSA SHA256:aaabbbcccxxxyyyzzz agent
debug1: send_pubkey_test: no mutual signature algorithm
debug1: Offering public key: stan@MacBook-Pro.local RSA SHA256:111222333777888999/oMw agent
debug1: send_pubkey_test: no mutual signature algorithm
debug1: Trying private key: test.pem
debug3: sign_and_send_pubkey: using publickey with RSA SHA256aaabbbcccxxxyyyzzz:
sign_and_send_pubkey: no mutual signature supported
debug2: we did not send a packet, disable method
debug3: authmethod_lookup password
debug3: remaining preferred: ,password
debug3: authmethod_is_enabled password
debug1: Next authentication method: password
It looks like the problem is with the signature
Use ssh -V to check the OpenSSH versions of the client and the server
- AWS EC2 ssh version:
OpenSSH_6.6.1p1 Ubuntu-2ubuntu2.4, OpenSSL 1.0.1f 6 Jan 2014
- M1 Mac ssh version:
OpenSSH_9.7p1, LibreSSL 3.3.6
After searching around, I found a temporary workaround: specify the ssh-rsa signature when running ssh
- If you use the full ssh command, you can add this option
-o PubkeyAcceptedKeyTypes=ssh-rsa
Command: ssh -o PubkeyAcceptedKeyTypes=ssh-rsa -i "test.pem" ubuntu@ec2-xx-xx-xx-x.ap-northeast-1.compute.amazonaws.com
- If you use an ssh config, you can add this to the config
# vim ~/.ssh/config
Host *
PubkeyAcceptedKeyTypes=+ssh-rsa
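The cause of this problem is that, after the OpenSSH update, the older ssh-rsa algorithm is no longer accepted by default for security reasons (see release 8.7)
In the long term, for more secure use, it is recommended to switch to a newer algorithm such as Ed25519
For AWS EC2, see this tutorial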
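An added example, not from the original post: the `Host *` form of the workaround allows ssh-rsa for every server, so this Python sketch audits ssh_config text and reports each block that allows it, marking the ones whose scope is broader than a single host. The sample config, the `legacy-ec2` and `modern` aliases and the function name `find_ssh_rsa_overrides` are constructed for illustration.

```python
import re

# Options that can re-enable the SHA-1 based ssh-rsa signature algorithm.
# PubkeyAcceptedAlgorithms is the newer name for PubkeyAcceptedKeyTypes.
WATCHED = {"pubkeyacceptedkeytypes", "pubkeyacceptedalgorithms", "hostkeyalgorithms"}

# Constructed sample: the post's Host * workaround next to a host-scoped one.
SAMPLE_CONFIG = """\
Host *
    PubkeyAcceptedKeyTypes=+ssh-rsa

Host legacy-ec2
    HostName ec2-xx-xx-xx-x.ap-northeast-1.compute.amazonaws.com
    IdentityFile ~/.ssh/test.pem
    PubkeyAcceptedAlgorithms +ssh-rsa

Host modern
    PubkeyAcceptedAlgorithms ssh-ed25519
"""


def find_ssh_rsa_overrides(config_text):
    """Return (scope, option, value, broad) for each block that allows ssh-rsa."""
    findings = []
    scope, broad = "(global)", True  # options before any Host/Match hit every host
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        # ssh_config accepts both "Keyword value" and "Keyword=value"
        parts = re.split(r"\s*=\s*|\s+", line, maxsplit=1)
        if len(parts) != 2:
            continue
        keyword, value = parts[0], parts[1].strip().strip('"')
        if keyword.lower() in ("host", "match"):
            scope = f"{keyword} {value}"
            # Wildcards and "Match all" reach hosts beyond the one legacy server
            broad = bool(re.search(r"[*?]", value)) or value.lower() == "all"
        elif keyword.lower() in WATCHED and not value.startswith("-"):
            # "+" appends and "^" prepends to the defaults; "-" removes (skipped)
            algorithms = [a.strip() for a in value.lstrip("+^").split(",")]
            if "ssh-rsa" in algorithms:
                findings.append((scope, keyword, value, broad))
    return findings


if __name__ == "__main__":
    for scope, option, value, broad in find_ssh_rsa_overrides(SAMPLE_CONFIG):
        note = "BROAD: applies beyond one host" if broad else "scoped"
        print(f"{scope}: {option} {value} [{note}]")
```

Findings marked BROAD are the ones to move into a `Host` block for the single legacy server until its key is replaced with Ed25519.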