The git system I use at work refused my login on Monday morning when I tried to sync my files; it was completely unusable, which left me baffled!

After asking around, every colleague could still check files in and out of the git system normally; only I was blocked. There had to be a reason, so I thought back over what had happened in the past few days.

On Saturday at home, sitting in the living room watching TV, Apple prompted me about a minor system update, so I casually updated the Mac to macOS 13.0.1. Two days later, on Monday at work, git no longer worked. Could that be the cause?

On the Mac I habitually use Sourcetree to handle git, so I checked its log hoping to find the cause.


Error log shown by Sourcetree

--
git -c color.branch=false -c color.diff=false -c color.status=false -c diff.mnemonicprefix=false -c core.quotepath=false -c credential.helper=sourcetree fetch origin 
xxx@xxx.xxx.xxx.tw: Permission denied (publickey,gssapi-keyex,gssapi-with-mic).
fatal: Could not read from remote repository.

Please make sure you have the correct access rights
and the repository exists.
xxx@xxx.xxx.xxx.tw: Permission denied (publickey,gssapi-keyex,gssapi-with-mic).
fatal: Could not read from remote repository.

Please make sure you have the correct access rights
and the repository exists.
Completed with errors, see above

---

It looked like the git server was rejecting me the moment I connected, so I suspected that this OS update had introduced a conflict.
My instinct was to use brew to update the system's SSH to the latest version, and to ask a colleague to confirm whether the public key on the server matched my key; once all of that was verified, I would try again and see whether the same error occurred.

After updating the SSH package, the git server still refused the connection, so I had to follow the clues at a lower level and analyse where the problem actually was.

I opened a terminal, ran the SSH connection to the git server directly, and traced the connection log, as follows:


------
OpenSSH_9.1p1, OpenSSL 1.1.1s  1 Nov 2022
debug1: Reading configuration data /usr/local/etc/ssh/ssh_config
debug1: Connecting to xxx.xxx.xxx.tw  port 22.
debug1: Connection established.
debug1: identity file /Users/martin/.ssh/id_rsa type 0
debug1: identity file /Users/martin/.ssh/id_rsa-cert type -1
debug1: identity file /Users/martin/.ssh/id_ecdsa type -1
debug1: identity file /Users/martin/.ssh/id_ecdsa-cert type -1
debug1: identity file /Users/martin/.ssh/id_ecdsa_sk type -1
debug1: identity file /Users/martin/.ssh/id_ecdsa_sk-cert type -1
debug1: identity file /Users/martin/.ssh/id_ed25519 type -1
debug1: identity file /Users/martin/.ssh/id_ed25519-cert type -1
debug1: identity file /Users/martin/.ssh/id_ed25519_sk type -1
debug1: identity file /Users/martin/.ssh/id_ed25519_sk-cert type -1
debug1: identity file /Users/martin/.ssh/id_xmss type -1
debug1: identity file /Users/martin/.ssh/id_xmss-cert type -1
debug1: identity file /Users/martin/.ssh/id_dsa type -1
debug1: identity file /Users/martin/.ssh/id_dsa-cert type -1
debug1: Local version string SSH-2.0-OpenSSH_9.1
debug1: Remote protocol version 2.0, remote software version OpenSSH_6.6.1
debug1: compat_banner: match: OpenSSH_6.6.1 pat OpenSSH_6.6.1* compat 0x04000002
debug1: Authenticating to xxx.xxx.xxx.tw:22 as 'git'
debug1: load_hostkeys: fopen /Users/martin/.ssh/known_hosts2: No such file or directory
debug1: load_hostkeys: fopen /usr/local/etc/ssh/ssh_known_hosts: No such file or directory
debug1: load_hostkeys: fopen /usr/local/etc/ssh/ssh_known_hosts2: No such file or directory
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: algorithm: curve25519-sha256@libssh.org
debug1: kex: host key algorithm: ecdsa-sha2-nistp256
debug1: kex: server->client cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none
debug1: kex: client->server cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug1: SSH2_MSG_KEX_ECDH_REPLY received
debug1: Server host key: ecdsa-sha2-nistp256 SHA256:34j5nihdsgj4u543h4n34j35ns88fc
debug1: load_hostkeys: fopen /Users/martin/.ssh/known_hosts2: No such file or directory
debug1: load_hostkeys: fopen /usr/local/etc/ssh/ssh_known_hosts: No such file or directory
debug1: load_hostkeys: fopen /usr/local/etc/ssh/ssh_known_hosts2: No such file or directory
debug1: Host 'xxx.xxx.xxx.tw' is known and matches the ECDSA host key.
debug1: Found key in /Users/martin/.ssh/known_hosts:10
debug1: rekey out after 134217728 blocks
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: rekey in after 134217728 blocks
debug1: get_agent_identities: bound agent to hostkey
debug1: get_agent_identities: ssh_fetch_identitylist: agent contains no identities
debug1: Will attempt key: /Users/martin/.ssh/id_rsa RSA SHA256:TGIh4h35knklsidf34UhiJHihy
debug1: Will attempt key: /Users/martin/.ssh/id_ecdsa
debug1: Will attempt key: /Users/martin/.ssh/id_ecdsa_sk
debug1: Will attempt key: /Users/martin/.ssh/id_ed25519
debug1: Will attempt key: /Users/martin/.ssh/id_ed25519_sk
debug1: Will attempt key: /Users/martin/.ssh/id_xmss
debug1: Will attempt key: /Users/martin/.ssh/id_dsa
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic
debug1: Next authentication method: publickey
debug1: Offering public key: /Users/martin/.ssh/id_rsa RSA SHA256:TGIh4h35knklsidf34UhiJHihy
debug1: send_pubkey_test: no mutual signature algorithm
debug1: Trying private key: /Users/martin/.ssh/id_ecdsa
debug1: Trying private key: /Users/martin/.ssh/id_ecdsa_sk
debug1: Trying private key: /Users/martin/.ssh/id_ed25519
debug1: Trying private key: /Users/martin/.ssh/id_ed25519_sk
debug1: Trying private key: /Users/martin/.ssh/id_xmss
debug1: Trying private key: /Users/martin/.ssh/id_dsa
debug1: No more authentication methods to try.
xxx@xxx.xxx.xxxx.tw: Permission denied (publickey,gssapi-keyex,gssapi-with-mic).

----

For privacy and security reasons, I replaced the hostname in the logs with xxx.xxx.xxx and altered the key values in the logs, to avoid leaking any information.

The SSH trace shows the interaction between client and server clearly, and confirms that the server rejected the connection because of the key.
So I began searching online for technical articles that might solve it, reading dozens of them. Most tell you to generate a new key and start over, but that was not the route I wanted to take, because that could not possibly be the only cause.

I also tried the methods some articles described, but they did not work; they were not treating the actual cause.

Then I came across this report and learned that the OpenSSH team had disabled the ssh-rsa mode, while our git server still used an RSA key.
I had spent ages checking the key's correctness with my colleague; could the macOS update have switched this mode off?

https://www.zdnet.com/article/openssh-to-deprecate-sha-1-logins-due-to-security-risk/


With this lead, it was straightforward: the RSA method can be re-enabled through configuration.

First edit the file /etc/ssh/sshd_config; because of file permissions, remember to use sudo.
Add this setting to the file:   PubkeyAcceptedKeyTypes +ssh-rsa

Then go to the .ssh folder in your home directory and look for this file, creating it yourself if it does not exist:   ~/.ssh/config
Add the same setting to this file as well:   PubkeyAcceptedKeyTypes +ssh-rsa

This setting tells SSH to re-enable the RSA key authentication it had turned off. Then we ssh to the git server once more and trace the log to see whether it succeeds:


-----

OpenSSH_9.1p1, OpenSSL 1.1.1s  1 Nov 2022
debug1: Reading configuration data /Users/martin/.ssh/config
debug1: Reading configuration data /usr/local/etc/ssh/ssh_config
debug1: Connecting to xxx.xxx.xxx.tw  port 22.
debug1: Connection established.
debug1: identity file /Users/martin/.ssh/id_rsa type 0
debug1: identity file /Users/martin/.ssh/id_rsa-cert type -1
debug1: identity file /Users/martin/.ssh/id_ecdsa type -1
debug1: identity file /Users/martin/.ssh/id_ecdsa-cert type -1
debug1: identity file /Users/martin/.ssh/id_ecdsa_sk type -1
debug1: identity file /Users/martin/.ssh/id_ecdsa_sk-cert type -1
debug1: identity file /Users/martin/.ssh/id_ed25519 type -1
debug1: identity file /Users/martin/.ssh/id_ed25519-cert type -1
debug1: identity file /Users/martin/.ssh/id_ed25519_sk type -1
debug1: identity file /Users/martin/.ssh/id_ed25519_sk-cert type -1
debug1: identity file /Users/martin/.ssh/id_xmss type -1
debug1: identity file /Users/martin/.ssh/id_xmss-cert type -1
debug1: identity file /Users/martin/.ssh/id_dsa type -1
debug1: identity file /Users/martin/.ssh/id_dsa-cert type -1
debug1: Local version string SSH-2.0-OpenSSH_9.1
debug1: Remote protocol version 2.0, remote software version OpenSSH_6.6.1
debug1: compat_banner: match: OpenSSH_6.6.1 pat OpenSSH_6.6.1* compat 0x04000002
debug1: Authenticating to xxx.xxx.xxx.xxx.tw:22 as 'git'
debug1: load_hostkeys: fopen /Users/martin/.ssh/known_hosts2: No such file or directory
debug1: load_hostkeys: fopen /usr/local/etc/ssh/ssh_known_hosts: No such file or directory
debug1: load_hostkeys: fopen /usr/local/etc/ssh/ssh_known_hosts2: No such file or directory
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: algorithm: curve25519-sha256@libssh.org
debug1: kex: host key algorithm: ecdsa-sha2-nistp256
debug1: kex: server->client cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none
debug1: kex: client->server cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug1: SSH2_MSG_KEX_ECDH_REPLY received
debug1: Server host key: ecdsa-sha2-nistp256 SHA256:uhiuhUH&%JKjn23490u823HIUauhoiuhoiy
debug1: load_hostkeys: fopen /Users/martin/.ssh/known_hosts2: No such file or directory
debug1: load_hostkeys: fopen /usr/local/etc/ssh/ssh_known_hosts: No such file or directory
debug1: load_hostkeys: fopen /usr/local/etc/ssh/ssh_known_hosts2: No such file or directory
debug1: Host 'xxx.xxx.xxx.tw' is known and matches the ECDSA host key.
debug1: Found key in /Users/martin/.ssh/known_hosts:10
debug1: rekey out after 134217728 blocks
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: rekey in after 134217728 blocks
debug1: get_agent_identities: bound agent to hostkey
debug1: get_agent_identities: ssh_fetch_identitylist: agent contains no identities
debug1: Will attempt key: /Users/martin/.ssh/id_rsa RSA SHA256:TGIh4h35knklsidf34UhiJHihy
debug1: Will attempt key: /Users/martin/.ssh/id_ecdsa
debug1: Will attempt key: /Users/martin/.ssh/id_ecdsa_sk
debug1: Will attempt key: /Users/martin/.ssh/id_ed25519
debug1: Will attempt key: /Users/martin/.ssh/id_ed25519_sk
debug1: Will attempt key: /Users/martin/.ssh/id_xmss
debug1: Will attempt key: /Users/martin/.ssh/id_dsa
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic
debug1: Next authentication method: publickey
debug1: Offering public key: /Users/martin/.ssh/id_rsa RSA SHA256:TGIh4h35knklsidf34UhiJHihy
debug1: Server accepts key: /Users/martin/.ssh/id_rsa RSA SHA256:TGIh4h35knklsidf34UhiJHihy
Authenticated to xxx.xxx.xxx.tw  using "publickey".
debug1: channel 0: new [client-session]
debug1: Requesting no-more-sessions@openssh.com
debug1: Entering interactive session.
debug1: pledge: filesystem
debug1: Remote: Forced command.
debug1: Remote: Port forwarding disabled.
debug1: Remote: X11 forwarding disabled.
debug1: Remote: Agent forwarding disabled.
debug1: Remote: Pty allocation disabled.
debug1: Remote: Forced command.
debug1: Remote: Port forwarding disabled.
debug1: Remote: X11 forwarding disabled.
debug1: Remote: Agent forwarding disabled.
debug1: Remote: Pty allocation disabled.
hello martin, this is xxx@xxx running gitolite3 v3.6.6-13-g8bde76d on git 1.8.3.1

----

Excellent, the connection succeeded with no problem. macOS had helpfully turned off an insecure connection setting, and that was what caused my trouble; it made me hunt through and read piles of material to sift the genuinely helpful method out of the sea of information. Forcing me to read this way is not a fair trick!

Although RSA is re-enabled, this is still not secure. I should discuss with my colleagues whether to find time to switch everything over to Ed25519 keys, so that this backdoor-like problem is settled once and for all.
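Added example, not from the original post: a POSIX shell snippet that reads a verbose ssh transcript like the one above, tells the `no mutual signature algorithm` case (OpenSSH 8.8 and later refusing the RSA/SHA-1 `ssh-rsa` signature scheme against an OpenSSH 6.6.1 server that cannot offer `rsa-sha2-256`/`rsa-sha2-512`) apart from a genuinely rejected key, and emits a `~/.ssh/config` stanza that re-enables `ssh-rsa` for one host only instead of globally. The log excerpt is constructed from the post's altered log, and the hostname and user are placeholders.

```shell
#!/bin/sh
# Added example, not from the original post. Runs offline on a constructed
# log excerpt; replace SAMPLE_LOG with the real output of `ssh -v user@host`.

# Constructed excerpt modelled on the failing transcript above
# (fingerprint copied from the post's already-altered log).
SAMPLE_LOG='debug1: Remote protocol version 2.0, remote software version OpenSSH_6.6.1
debug1: Offering public key: /Users/martin/.ssh/id_rsa RSA SHA256:TGIh4h35knklsidf34UhiJHihy
debug1: send_pubkey_test: no mutual signature algorithm
debug1: No more authentication methods to try.
git@xxx.xxx.xxx.tw: Permission denied (publickey,gssapi-keyex,gssapi-with-mic).'

# diagnose_ssh_log LOGTEXT -> prints ok | legacy-rsa-sha1 | key-rejected | unknown
diagnose_ssh_log() {
    if printf '%s\n' "$1" | grep -q 'Server accepts key'; then
        echo ok
    elif printf '%s\n' "$1" | grep -q 'no mutual signature algorithm'; then
        # The client (OpenSSH >= 8.8) will not sign with RSA/SHA-1 (ssh-rsa) and
        # the server offers no rsa-sha2-256/512 alternative. The key pair is
        # intact; the two sides simply share no signature algorithm.
        echo legacy-rsa-sha1
    elif printf '%s\n' "$1" | grep -q 'Permission denied (publickey'; then
        # The key was offered with a usable algorithm but the server did not
        # accept it: check the key installed on the server side instead.
        echo key-rejected
    else
        echo unknown
    fi
}

# host_config_stanza HOST USER -> a ~/.ssh/config stanza scoped to HOST.
# Scoping the exception keeps SHA-1 signatures disabled for every other server.
# PubkeyAcceptedKeyTypes is the older spelling of PubkeyAcceptedAlgorithms and
# is still accepted; it is used here to match the post.
host_config_stanza() {
    printf 'Host %s\n    User %s\n    PubkeyAcceptedKeyTypes +ssh-rsa\n' "$1" "$2"
}

# Stand-alone run: diagnose the sample, and print the stanza only when the
# diagnosis is the algorithm mismatch the post describes.
if [ "$(diagnose_ssh_log "$SAMPLE_LOG")" = legacy-rsa-sha1 ]; then
    host_config_stanza xxx.xxx.xxx.tw git
fi
```

Append the printed stanza to `~/.ssh/config` (with `Host` set to the real git server) so the weakened setting applies to that server alone.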

Blog: Martin的世界 (Martin's World)

Posted by wjhwang on Pixnet (痞客邦)