Problem
When logging in to my home router, I was suddenly greeted with: Unable to negotiate with x.x.x.x port 22: no matching host key type found. Their offer: ssh-rsa
I assumed something was wrong with the router, but connecting over the home VPN and trying again did not work either.
A web search showed that the cause is a change in a newer OpenSSH version.
❯ ssh -V
OpenSSH_9.0p1, LibreSSL 3.3.6
I no longer remember when I ran the update that caused this.
Cause
From the OpenSSH Release Notes:
Future deprecation notice
It is now possible[1] to perform chosen-prefix attacks against the SHA-1 algorithm for less than USD$50K.
In the SSH protocol, the “ssh-rsa” signature scheme uses the SHA-1 hash algorithm in conjunction with the RSA public key algorithm. OpenSSH will disable this signature scheme by default in the near future.
Note that the deactivation of “ssh-rsa” signatures does not necessarily require cessation of use for RSA keys. In the SSH protocol, keys may be capable of signing using multiple algorithms. In particular, “ssh-rsa” keys are capable of signing using “rsa-sha2-256” (RSA/SHA256), “rsa-sha2-512” (RSA/SHA512) and “ssh-rsa” (RSA/SHA1). Only the last of these is being turned off by default.
Newer ssh clients disable the ssh-rsa signature algorithm by default; if the server on the other side supports only that one algorithm, the login fails.
PS: Lately I kept finding that servers I used to log in to without a password were asking for one, even though the keys were all still in place; that was caused by the same thing.
Solution
Specify the algorithms when logging in:
ssh -o HostKeyAlgorithms=+ssh-rsa -o PubkeyAcceptedKeyTypes=+ssh-rsa user@host
This can also be put into ~/.ssh/config to save typing it every time:
Host *
User root
HostKeyAlgorithms +ssh-rsa
PubkeyAcceptedKeyTypes +ssh-rsa
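The stanza above re-enables SHA-1 RSA signatures for every host. As an added example (not from the original post), the script below scopes the workaround to a single legacy device instead, and parses `ssh -V` output to decide whether the client is 8.8 or later, the release that turned ssh-rsa off by default. The host alias, address and user are constructed placeholders; PubkeyAcceptedAlgorithms is the current name of the option, and the older PubkeyAcceptedKeyTypes is still accepted as an alias. The durable fix remains a firmware or sshd update on the device so it can sign with rsa-sha2-256/512.

```shell
#!/bin/sh
# Added example: per-host re-enabling of ssh-rsa for one legacy device,
# plus a version check on `ssh -V` output. Not part of the original post.

# Print "major minor" parsed from an `ssh -V` line such as
# "OpenSSH_9.0p1, LibreSSL 3.3.6"; prints nothing if the line does not match.
ssh_version_of() {
    printf '%s\n' "$1" | sed -n 's/^OpenSSH_\([0-9][0-9]*\)\.\([0-9][0-9]*\).*/\1 \2/p'
}

# Return 0 when the client described by the `ssh -V` line is OpenSSH 8.8 or
# later (ssh-rsa disabled by default), 1 for older or unrecognised versions.
needs_legacy_rsa() {
    set -- $(ssh_version_of "$1")
    if [ -z "$1" ]; then return 1; fi
    if [ "$1" -gt 8 ]; then return 0; fi
    if [ "$1" -eq 8 ] && [ "$2" -ge 8 ]; then return 0; fi
    return 1
}

# Emit a config stanza scoped to one alias only: $1 = alias, $2 = host/IP,
# $3 = login user. Defaults for every other host stay untouched.
legacy_rsa_stanza() {
    printf 'Host %s\n' "$1"
    printf '    HostName %s\n' "$2"
    printf '    User %s\n' "$3"
    printf '    HostKeyAlgorithms +ssh-rsa\n'
    printf '    PubkeyAcceptedAlgorithms +ssh-rsa\n'
}

# Usage (constructed placeholder values): only append the stanza when the
# local client is new enough for the problem to exist at all.
# needs_legacy_rsa "$(ssh -V 2>&1)" && legacy_rsa_stanza router 192.0.2.1 admin >> ~/.ssh/config
```

`ssh -Q HostKeyAlgorithms` lists the host key algorithms the local client can still negotiate, which is a quick way to confirm that `+ssh-rsa` is a valid addition on your version.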