Connections with SSH servers and clients that do not support the 'server-sig-algs' extension fail

Solution In Progress - Updated -

Issue

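  • Red Hat Enterprise Linux 9 clients cannot connect to SSH servers that do not support the server-sig-algs extension or ECDSA host keys (a, b)
  • Older SSH clients that do not support the server-sig-algs extension cannot connect to Red Hat Enterprise Linux 9 servers using RSA authentication keys (c, d)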

a) A Red Hat Enterprise Linux 9 client connecting to an older server that supports only the SHA1-based ssh-rsa signature algorithm and offers only an RSA host key:

$ ssh user@example.com
The authenticity of host 'example.com (1.2.3.4)' can't be established.
RSA key fingerprint is SHA256:ycznxddL1KwSN1Wbih1 UDfPntj5pM1a/kpPKLGgPzEI.
This key is not known by any other names
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added 'example.com' (RSA) to the list of known hosts.
ssh_dispatch_run_fatal: Connection to 5.6.7.8 port 22: error in libcrypto

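b) A Red Hat Enterprise Linux 9 client connecting to an older server that supports only the ssh-rsa signature algorithm but offers different host keys. The client attempts to authenticate with an RSA key: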

$ ssh -vvv user@example.com
[...]
debug1: Next authentication method: publickey
debug1: Offering public key: /root/.ssh/id_rsa RSA SHA256:+z5NN8Z6RfNykL5l6Ht2Cbjj16xGp76TjILrQ4Cftqk
debug1: send_pubkey_test: no mutual signature algorithm
[...]
debug1: No more authentication methods to try.
user@example.com: Permission denied (publickey).

c) A Red Hat Enterprise Linux 9 server cannot provide SHA1 signatures to older clients (such as RHEL6) that verify using an RSA host key:

$ ssh -vvv example.com
[...]
debug2: kex_parse_kexinit: ssh-rsa-cert-v01@openssh.com,ssh-dss-cert-v01@openssh.com,ssh-rsa-cert-v00@openssh.com,ssh-dss-cert-v00@openssh.com,ssh-rsa,ssh-dss
[...]
debug2: kex_parse_kexinit: rsa-sha2-512,rsa-sha2-256,ecdsa-sha2-nistp256,ssh-ed25519
[...]
debug1: kex: server->client aes128-ctr hmac-sha1 none
debug2: mac_setup: found hmac-sha1
debug1: kex: client->server aes128-ctr hmac-sha1 none
no hostkey alg

d) An older client authenticating to Red Hat Enterprise Linux 9 with an RSA authentication key:

$ ssh -vvv example.com
[...]
debug2: kex_parse_kexinit: hmac-sha1,umac-64@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96
[...]
debug2: kex_parse_kexinit: hmac-sha2-256-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha2-256,hmac-sha1,umac-128@openssh.com,hmac-sha2-512
[...]
debug2: mac_setup: found hmac-sha1
debug1: kex: server->client aes128-ctr hmac-sha1 none
debug2: mac_setup: found hmac-sha1
debug1: kex: client->server aes128-ctr hmac-sha1 none
no hostkey alg
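
A triage helper for the four transcripts above, added here as an example and not part of the Red Hat article: it maps the final error string to scenario a, b or c/d and, for `no hostkey alg`, computes the intersection of the two host key algorithm proposals. The function names are the example's own, and it assumes the client's proposal is logged before the server's, as in transcript c.

```python
import re

# Final error strings from the four transcripts on this page -> scenario label.
SIGNATURES = [
    ("error in libcrypto", "a"),
    ("no mutual signature algorithm", "b"),
    ("no hostkey alg", "c/d"),  # transcripts c and d end with the same message
]
# Name prefixes of SSH host key algorithms; cipher, MAC and KEX lists do not match.
HOSTKEY_ALG = re.compile(r"(ssh-(rsa|dss|ed25519)|rsa-sha2-(256|512)|ecdsa-sha2-)")
KEXINIT = re.compile(r"\s*debug2: kex_parse_kexinit: (\S+)\s*$")

# Excerpt of transcript c from this page.
SAMPLE_C = """\
debug2: kex_parse_kexinit: ssh-rsa-cert-v01@openssh.com,ssh-dss-cert-v01@openssh.com,ssh-rsa-cert-v00@openssh.com,ssh-dss-cert-v00@openssh.com,ssh-rsa,ssh-dss
[...]
debug2: kex_parse_kexinit: rsa-sha2-512,rsa-sha2-256,ecdsa-sha2-nistp256,ssh-ed25519
[...]
debug1: kex: client->server aes128-ctr hmac-sha1 none
no hostkey alg
"""

def classify(log):
    """Return 'a', 'b' or 'c/d' for ssh client output, or None if nothing matches."""
    for needle, scenario in SIGNATURES:
        if needle in log:
            return scenario
    return None

def hostkey_proposals(log):
    """Return, in log order, each kex_parse_kexinit list made up of host key algorithms."""
    found = []
    for line in log.splitlines():
        m = KEXINIT.match(line)
        if m:
            algs = m.group(1).split(",")
            if all(HOSTKEY_ALG.match(a) for a in algs):
                found.append(algs)
    return found

def mutual_hostkey_algs(log):
    """Algorithms present in both proposals (assumed order: client, then server)."""
    props = hostkey_proposals(log)
    if len(props) < 2:
        return None  # the excerpt does not contain both host key lists
    return [a for a in props[0] if a in props[1]]

if __name__ == "__main__":
    print(classify(SAMPLE_C), mutual_hostkey_algs(SAMPLE_C))
```

For transcript c the intersection is empty: the old client proposes only `ssh-rsa` and `ssh-dss` variants, while the server proposes only `rsa-sha2-*`, ECDSA and Ed25519.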

Environment

  • Red Hat Enterprise Linux
