 - lay)
背景
在Raspberry Pi 上通过 git clone ssh://xxx@<host_name>:29418/<REPOSITORY_NAME.git> 克隆 Gerrit 仓库时失败,报错 Permission denied (publickey);
但使用 git@ 格式(如 git clone git@<host_name>:<REPOSITORY_NAME.git>)可成功克隆。
另一台机器使用相同的 ssh:// 格式却能正常连接。
排查步骤
- 验证 URL 格式
确认 ssh:// 格式的用户名(layton.ren)、端口(29418)、仓库路径正确,与 git@ 格式一致。
- 测试 SSH 连接
通过 ssh -p 29418 xxx@<host_name> -v 查看调试日志,发现关键错误:send_pubkey_test: no mutual signature algorithm(客户端与服务器无共同支持的签名算法)。
pi@raspberrypi:~ $ ssh -p 29418 xxx@<host_name> -v
OpenSSH_9.2p1 Debian-2+deb12u5, OpenSSL 3.0.17 1 Jul 2025
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 19: include /etc/ssh/ssh_config.d/*.conf matched no files
debug1: /etc/ssh/ssh_config line 21: Applying options for *
debug1: Connecting to <host_name> [<host_name>] port 29418.
debug1: Connection established.
debug1: identity file /home/pi/.ssh/id_rsa type 0
debug1: identity file /home/pi/.ssh/id_rsa-cert type -1
debug1: identity file /home/pi/.ssh/id_ecdsa type -1
debug1: identity file /home/pi/.ssh/id_ecdsa-cert type -1
debug1: identity file /home/pi/.ssh/id_ecdsa_sk type -1
debug1: identity file /home/pi/.ssh/id_ecdsa_sk-cert type -1
debug1: identity file /home/pi/.ssh/id_ed25519 type -1
debug1: identity file /home/pi/.ssh/id_ed25519-cert type -1
debug1: identity file /home/pi/.ssh/id_ed25519_sk type -1
debug1: identity file /home/pi/.ssh/id_ed25519_sk-cert type -1
debug1: identity file /home/pi/.ssh/id_xmss type -1
debug1: identity file /home/pi/.ssh/id_xmss-cert type -1
debug1: identity file /home/pi/.ssh/id_dsa type -1
debug1: identity file /home/pi/.ssh/id_dsa-cert type -1
debug1: Local version string SSH-2.0-OpenSSH_9.2p1 Debian-2+deb12u5
debug1: Remote protocol version 2.0, remote software version GerritCodeReview_3.2.2 (APACHE-SSHD-2.4.0)
debug1: compat_banner: no match: GerritCodeReview_3.2.2 (APACHE-SSHD-2.4.0)
debug1: Authenticating to <host_name>:29418 as 'xxx'
debug1: load_hostkeys: fopen /home/pi/.ssh/known_hosts2: No such file or directory
debug1: load_hostkeys: fopen /etc/ssh/ssh_known_hosts: No such file or directory
debug1: load_hostkeys: fopen /etc/ssh/ssh_known_hosts2: No such file or directory
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: algorithm: ecdh-sha2-nistp256
debug1: kex: host key algorithm: ssh-ed25519
debug1: kex: server->client cipher: aes128-ctr MAC: hmac-sha2-256-etm@openssh.com compression: none
debug1: kex: client->server cipher: aes128-ctr MAC: hmac-sha2-256-etm@openssh.com compression: none
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug1: SSH2_MSG_KEX_ECDH_REPLY received
debug1: Server host key: ssh-ed25519 SHA256:wLrwyxq0wXunwomNExZCRLqJHt7HMCjIQKawgMTQUU0
debug1: load_hostkeys: fopen /home/pi/.ssh/known_hosts2: No such file or directory
debug1: load_hostkeys: fopen /etc/ssh/ssh_known_hosts: No such file or directory
debug1: load_hostkeys: fopen /etc/ssh/ssh_known_hosts2: No such file or directory
debug1: Host '[<host_name>]:29418' is known and matches the ED25519 host key.
debug1: Found key in /home/pi/.ssh/known_hosts:1
debug1: rekey out after 4294967296 blocks
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: rekey in after 4294967296 blocks
debug1: Will attempt key: /home/pi/.ssh/id_rsa RSA SHA256:p5FNVbVuIBEww6El0FBZXhSuJe4ku2oRqR1Wgl1duMg
debug1: Will attempt key: /home/pi/.ssh/id_ecdsa
debug1: Will attempt key: /home/pi/.ssh/id_ecdsa_sk
debug1: Will attempt key: /home/pi/.ssh/id_ed25519
debug1: Will attempt key: /home/pi/.ssh/id_ed25519_sk
debug1: Will attempt key: /home/pi/.ssh/id_xmss
debug1: Will attempt key: /home/pi/.ssh/id_dsa
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey
debug1: Next authentication method: publickey
debug1: Offering public key: /home/pi/.ssh/id_rsa RSA SHA256:p5FNVbVuIBEww6El0FBZXhSuJe4ku2oRqR1Wgl1duMg
debug1: send_pubkey_test: no mutual signature algorithm
debug1: Trying private key: /home/pi/.ssh/id_ecdsa
debug1: Trying private key: /home/pi/.ssh/id_ecdsa_sk
debug1: Trying private key: /home/pi/.ssh/id_ed25519
debug1: Trying private key: /home/pi/.ssh/id_ed25519_sk
debug1: Trying private key: /home/pi/.ssh/id_xmss
debug1: Trying private key: /home/pi/.ssh/id_dsa
debug1: No more authentication methods to try.
xxx@<host_name>: Permission denied (publickey).
pi@raspberrypi:~ $- 对比成功机器的日志
另一台机器(OpenSSH_7.6p1)使用 RSA 密钥时,服务器接受 ssh-rsa 算法(Server accepts key: pkalg ssh-rsa),而 Raspberry Pi 的新版 OpenSSH 默认禁用了 ssh-rsa,导致不兼容。
思路验证
验证强制使用 rsa 算法,测试 SSH 连接
ssh -o HostKeyAlgorithms=+ssh-rsa -o PubkeyAcceptedKeyTypes=+ssh-rsa -p 29418 xxx@<host_name>
如果可以连接,则证明,新版 OpenSSH 默认禁用了 ssh-rsa,导致不兼容。
解决办法
- 方法一: 生成并使用其他密钥算法
例如,debug log中所提示的ecdsa、ecdsa_sk、ed25519、ed25519_sk、xmss。以ed25519为例
- 生成 ED25519 密钥:
ssh-keygen -t ed25519 -C "your_email@example.com"
- 将公钥(~/.ssh/id_ed25519.pub)添加到 Gerrit 账户的 SSH Public Keys 配置中。
- 重新克隆仓库。
- 方法二:配置新版 OpenSSH 兼容 RSA 算法
若需保留 RSA 密钥,可在 ~/.ssh/config 中将配置 host 强制启用 ssh-rsa 算法:
Host <host_name>Port 29418PubkeyAcceptedAlgorithms +ssh-rsaHostKeyAlgorithms +ssh-rsa
或者可配置所有 host 均强制启用 ssh-rsa 算法:
Host *Port 29418PubkeyAcceptedAlgorithms +ssh-rsaHostKeyAlgorithms +ssh-rsa