PuTTY 致命錯誤:無法就主機金鑰演算法達成一致

tag-icon tag-icon linux putty
PuTTY 致命錯誤:無法就主機金鑰演算法達成一致

我正在嘗試使用 PuTTY 連接到新系統,並看到以下內容:

致命錯誤:無法就主機金鑰演算法達成協議(可用:rsa-sha2-512、rsa-sha2-256、ecdsa-sha2-nistp256)

膩子致命錯誤

檢查伺服器上可用的演算法:

acoder@client ~ $ nmap --script ssh2-enum-algos -sV -p 22 server.name.here

Starting Nmap 7.01 ( https://nmap.org ) at 2021-04-16 10:33 EDT
Nmap scan report for server.name.here (1.1.1.1)
Host is up (0.018s latency).
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.0 (protocol 2.0)
| ssh2-enum-algos: 
|   kex_algorithms: (7)
|       ecdh-sha2-nistp256
|       ecdh-sha2-nistp384
|       ecdh-sha2-nistp521
|       diffie-hellman-group-exchange-sha256
|       diffie-hellman-group14-sha256
|       diffie-hellman-group16-sha512
|       diffie-hellman-group18-sha512
|   server_host_key_algorithms: (3)
|       rsa-sha2-512
|       rsa-sha2-256
|       ecdsa-sha2-nistp256
|   encryption_algorithms: (6)
|       [email protected]
|       aes256-ctr
|       aes256-cbc
|       [email protected]
|       aes128-ctr
|       aes128-cbc
|   mac_algorithms: (6)
|       [email protected]
|       [email protected]
|       [email protected]
|       hmac-sha2-256
|       hmac-sha1
|       hmac-sha2-512
|   compression_algorithms: (2)
|       none
|_      [email protected]

以下是我的客戶端電腦上可用的內容:

公鑰接受的密鑰類型

acoder@client ~ $ ssh -Q key
ssh-ed25519
[email protected]
ssh-rsa
ssh-dss
ecdsa-sha2-nistp256
ecdsa-sha2-nistp384
ecdsa-sha2-nistp521
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]

密碼

acoder@client ~ $ ssh -Q cipher
3des-cbc
blowfish-cbc
cast128-cbc
arcfour
arcfour128
arcfour256
aes128-cbc
aes192-cbc
aes256-cbc
[email protected]
aes128-ctr
aes192-ctr
aes256-ctr
[email protected]
[email protected]
[email protected]

MAC

acoder@client ~ $ ssh -Q mac
hmac-sha1
hmac-sha1-96
hmac-sha2-256
hmac-sha2-512
hmac-md5
hmac-md5-96
hmac-ripemd160
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]

Kex演算法

acoder@client ~ $ ssh -Q kex
diffie-hellman-group1-sha1
diffie-hellman-group14-sha1
diffie-hellman-group-exchange-sha1
diffie-hellman-group-exchange-sha256
ecdh-sha2-nistp256
ecdh-sha2-nistp384
ecdh-sha2-nistp521
[email protected]

我在這裡忽略了什麼?

答案1

您忽略了 PuTTY 和 ssh (OpenSSH) 是兩個完全獨立的程式。他們不共享任何代碼;他們不使用任何常見的加密庫。這些ssh -Q清單不會告訴您有關 PuTTY 可以支持的內容的任何資訊。

我認為問題是你的 PuTTY 版本太舊了。在伺服器提供的簽章方法中,ECDSA簽章(ecdsa-sha2-nistp256)至少需要PuTTY版本0.68,而 RSA-SHA2 方法 ( rsa-sha2-*) 僅在下一個 PuTTY 版本 (0.75) 中可用。

原因是 OpenSSH 伺服器ssh-rsa最近停用了對舊的基於 SHA1 的簽章演算法的支援(它們仍然使用相同的 RSA 金鑰,但只能透過基於 SHA2 的簽章),而對 DSA 金鑰的支援幾年前已被刪除。

相關內容