macOS 升级到 10.12 后 ssh 私钥出问题了

公钥权限改成 500

dsa 还是 rsa 的？ sierra 好像去掉了前者的支持。

ssh -vvv 看详情。

我也是这样

@shimanooo 这个怎么看

@anguslg

test:~ test$ ssh -i /Users/test/key [email protected]
Enter passphrase for key '/Users/test/key':
Permission denied (publickey).
test:~ test$

依然如此。

打开公钥文件，看开头 ssh-dss 还是 ssh-rsa

@fx

@shimanooo
加密是：
RSA PRIVATE KEY
AES-128-CBC

还有 ssh -vvv 是啥？没这个参数，有 -V
ssh -V
OpenSSH_7.2p2, LibreSSL 2.4.1

先 ssh -v 看看是什么问题。

@loser
-v Verbose mode. Causes ssh to print debugging messages about its
progress. This is helpful in debugging connection, authentica-
tion, and configuration problems. Multiple -v options increase
the verbosity. The maximum is 3.

test:~ test$ ssh -i /Users/test/test -p 2222 -v [email protected]
OpenSSH_7.2p2, LibreSSL 2.4.1
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 20: Applying options for *
debug1: Connecting to 10.0.0.1 [10.0.0.1] port 2222.
debug1: Connection established.
debug1: identity file /Users/test/test type 1
debug1: key_load_public: No such file or directory
debug1: identity file /Users/test/test-cert type -1
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_7.2
debug1: Remote protocol version 2.0, remote software version OpenSSH_5.3
debug1: match: OpenSSH_5.3 pat OpenSSH_5* compat 0x0c000000
debug1: Authenticating to 10.0.0.1:2222 as 'root'
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: algorithm: diffie-hellman-group-exchange-sha256
debug1: kex: host key algorithm: ssh-rsa
debug1: kex: server->client cipher: aes128-ctr MAC: [email protected] compression: none
debug1: kex: client->server cipher: aes128-ctr MAC: [email protected] compression: none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(2048<3072<8192) sent
debug1: got SSH2_MSG_KEX_DH_GEX_GROUP
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: got SSH2_MSG_KEX_DH_GEX_REPLY
debug1: Server host key: ssh-rsa SHA256:bNuPwQRTJ6nM7QqHiU9DqrdaduA/MmgULzkjjW4UVeo
debug1: checking without port identifier
debug1: Host '10.0.0.1' is known and matches the RSA host key.
debug1: Found key in /Users/test/.ssh/known_hosts:47
debug1: found matching key w/out port
debug1: rekey after 4294967296 blocks
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: rekey after 4294967296 blocks
debug1: SSH2_MSG_NEWKEYS received
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic
debug1: Next authentication method: publickey
debug1: Offering RSA public key: /Users/test/test
debug1: Server accepts key: pkalg ssh-rsa blen 279
Enter passphrase for key '/Users/test/test':
debug1: No more authentication methods to try.
Permission denied (publickey,gssapi-keyex,gssapi-with-mic).

来了，各位大神

如果真是 sierra 的问题，明天去公司用 windows 电脑拿这个 key 试试，不然就真的哭死了，一对服务器都是这个 key

@loser 试试先把 test 这个 key 加入到 keychain 在使用。
ssh-add -K /Users/test/test
然后再用这个 private key 去 ssh

@noli 谢谢
按您提示我 ssh-add 时需要这个 key 的密码，试过所有都不对，郁闷；可能太久远忘记了，明天换个 windows 机器拿这个 key 试试。

再次感谢。🙏

我也出问题了，最后手动修改了 /etc/ssh/ssh_config 解决

顺便问问我如果要降级的话是不是把 ssh 文件夹拷贝出来，清盘降级后靠背回去就行呢？

看上去并不是这个 key 本身出问题，而是你原先保存在 keychain 中的这个 key 的 passphrase 无法获取了，提示你输入 passphrase 时你又不记得，往这个方向搜索一下答案

忘记 passphrase 没关系，你可以到 keychain.app 中手动查出来，至于为何 10.12 有这样的问题，搜索一下发现类似问题很多： https://www.google.com/search?newwindow=1&c2coff=1&biw=1600&bih=694&q=macos+sierra+keychain+key+passphrase&oq=macos+sierra+keychain+key+passphr&gs_l=serp.1.0.30i10k1.45129093.45162196.0.45167642.39.38.0.0.0.0.739.6703.2-7j3j3j3j1.17.0....0...1c.1j4.64.serp..23.10.3902.0..0j0i12k1j0i10k1j0i10i19k1.jtJ22lHafMA

"That ’ s expected. We re-aligned our behavior with the mainstream OpenSSH in this area.

You can fix this pretty easily by running ssh-add -A in your rc script if you want your keys to always be loaded."

Source: https://openradar.appspot.com/27348363

谢谢 @laoyur @shutongxinq
我换 windows 后 ok 了， NND 还好把私钥的密码想起来了，真的吓哭。

@BXIA 请教一下，修改哪些参数可以解决呢。

我的情况是
修改 /etc/ssh/ssh_config 和 /etc/ssh/sshd_config 的配置 ，支持 dss 格式的秘钥，
PubkeyAcceptedKeyTypes=+ssh-dss
ForwardAgent yes