用SSH密钥配置一个新的数字海洋液滴。当我运行ssh-copy-id时,这是我得到的:

ssh-copy-id user@012.345.67.89
/usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
sign_and_send_pubkey: signing failed: agent refused operation
user@012.345.67.89's password: 

Number of key(s) added: 1

Now try logging into the machine, with:   "ssh 'user@012.345.67.89'"
and check to make sure that only the key(s) you wanted were added.

然而,当我尝试ssh时,会发生这种情况:

ssh user@012.345.67.89
sign_and_send_pubkey: signing failed: agent refused operation
user@012.345.67.89's password: 

输入密码后,我可以正常登录,但这当然违背了创建SSH密钥的初衷。我决定看看ssh-agent服务器端,下面是我得到的:

user@012.345.67.89:~# eval `ssh-agent -s`
Agent pid 5715
user@012.345.67.89:~# ssh-add -l
The agent has no identities.

用户/。Ssh /authorized_keys也包含Ssh -rsa密钥条目,但是find name "keynamehere"没有返回任何内容。


当前回答

导致SSH错误的原因有很多:

Sign_and_send_pubkey:签名失败:代理拒绝操作

其中一些问题可能与其他答案所强调的问题有关(请参阅此线程的答案),其中一些问题可能被隐藏,因此需要更仔细的调查。

在我的情况下,我得到了以下错误消息:

Sign_and_send_pubkey:签名失败:代理拒绝操作 user@website.domain.com:权限被拒绝(publickey, gsapi -keyex, gsapi -with-mic)

找到真正问题的唯一方法是调用-v verbose选项,这将导致打印大量调试信息:

debug1: Connecting to website.domain.com [xxx.xxx.xxx.xxx] port 22.
debug1: Connection established.
debug1: identity file /home/user/.ssh/id_rsa.website.domain.com type 0
debug1: key_load_public: No such file or directory
debug1: identity file /home/user/.ssh/id_rsa.website.domain.com-cert type -1

请注意,key_load_public: No such file或directory指的是下一行,而不是上一行。

因此,SSH真正说的是,它无法找到名为id_rsa.website.domain.com-cert的公钥文件,这似乎是我的情况下的问题,因为我的公钥文件不包含-cert后缀。

长话短说:在我的案例中,修复只是确保公钥文件按预期命名。如果不调试连接,我绝不会怀疑这一点。

底线是使用SSH VERBOSE模式(-v选项)来找出哪里出了问题,可能有各种原因,在这个/另一个线程上找不到任何原因。

其他回答

我需要分享,因为我花了太多时间寻找解决方案

这就是解决方案:https://unix.stackexchange.com/a/351742/215375

我正在使用这个命令:

ssh-keygen -o -t rsa -b 4096 -C "email@example.com"

Gnome-keyring不支持生成的密钥。

删除-o参数解决了这个问题。

在客户端机器上运行SSH -add,将SSH密钥添加到代理。

使用ssh-add -l(同样在客户端上)确认确实添加了它。

In my case the problem was that GNOME keyring was holding an invalid passphrase for the ssh key to be used. After spending indecent amount of time troubleshooting this issue I ran seahorse and found the entry to hold empty string. I can only guess that it was caused by mistyping the passphrase at first use some time earlier, and then probably cancelling the requester or so in order to fall back to command line. Updating the entry with correct passphrase immediately solved the problem. Deleting that entry (from "login" keyring) and reentering passphrase at that first prompt (and checking the appropriate checkbox) solves this too. Now agent gets the correct passphrase from the unlocked at login keyring named "login" and neither asks for passphrase nor "refuses operation" anymore. Of course YMMV.

这应该是一个超级用户的问题。

对的,我在MacOSX SourceTree中有完全相同的错误,然而,在iTerm2终端中,事情工作得很好。

然而,问题似乎是我有两个ssh代理运行;(

第一个是/usr/bin/ssh-agent(也就是MacOSX的),然后是HomeBrew安装的/usr/local/bin/ssh-agent。

从SourceTree启动一个终端,允许我看到SSH_AUTH_SOCK的差异,使用lsof我找到了两个不同的ssh-代理,然后我能够将密钥(使用ssh-add)加载到系统的默认ssh-代理(即。/usr/bin/ssh-agent), SourceTree恢复正常。

另一个原因是OpenSSH v9.0新默认的NTRU primes + x25519密钥交换,结合gpg-agent(至少在v2.2.32)。

为了解决问题,禁用新的密钥交换算法(因此它的安全效益),如下:

ssh -o 'KexAlgorithm -sntrup761x25519-sha512@openssh.com' [...]

(SSH配置也一样)

参见https://unix.stackexchange.com/questions/701131/use-ntrux25519-key-exchange-with-gpg-agent