用SSH密钥配置一个新的数字海洋液滴。当我运行ssh-copy-id时,这是我得到的:

ssh-copy-id user@012.345.67.89
/usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
sign_and_send_pubkey: signing failed: agent refused operation
user@012.345.67.89's password: 

Number of key(s) added: 1

Now try logging into the machine, with:   "ssh 'user@012.345.67.89'"
and check to make sure that only the key(s) you wanted were added.

然而,当我尝试ssh时,会发生这种情况:

ssh user@012.345.67.89
sign_and_send_pubkey: signing failed: agent refused operation
user@012.345.67.89's password: 

输入密码后,我可以正常登录,但这当然违背了创建SSH密钥的初衷。我决定看看ssh-agent服务器端,下面是我得到的:

user@012.345.67.89:~# eval `ssh-agent -s`
Agent pid 5715
user@012.345.67.89:~# ssh-add -l
The agent has no identities.

用户/。Ssh /authorized_keys也包含Ssh -rsa密钥条目,但是find name "keynamehere"没有返回任何内容。


当前回答

我需要分享,因为我花了太多时间寻找解决方案

这就是解决方案:https://unix.stackexchange.com/a/351742/215375

我正在使用这个命令:

ssh-keygen -o -t rsa -b 4096 -C "email@example.com"

Gnome-keyring不支持生成的密钥。

删除-o参数解决了这个问题。

其他回答

只是为了把另一个原因扔进擂台……

我的env被配置为使用金雅拓卡…但是我的~/中有一个名为id_rsa_gemalto_old(.pub)的旧对。Ssh /——名字中有gemalto——足以让git获取导致sign_and_send_pubkey: signing failed: agent refused操作。

(Ubuntu 18.04.6)

In my case the problem was that GNOME keyring was holding an invalid passphrase for the ssh key to be used. After spending indecent amount of time troubleshooting this issue I ran seahorse and found the entry to hold empty string. I can only guess that it was caused by mistyping the passphrase at first use some time earlier, and then probably cancelling the requester or so in order to fall back to command line. Updating the entry with correct passphrase immediately solved the problem. Deleting that entry (from "login" keyring) and reentering passphrase at that first prompt (and checking the appropriate checkbox) solves this too. Now agent gets the correct passphrase from the unlocked at login keyring named "login" and neither asks for passphrase nor "refuses operation" anymore. Of course YMMV.

当使用gpg-agent作为我的ssh-agent并使用gpg子密钥作为我的ssh密钥https://wiki.archlinux.org/index.php/GnuPG#gpg-agent时,我出现了错误。

我怀疑这个问题是由我在摇摆配置中使用的sleep+lock命令导致的gpg的无效pin输入tty引起的

bindsym $mod+Shift+l exec "sh -c 'gpg-connect-agent reloadagent /bye>/dev/null;systemctl暂停;swaylock’”

或者只是睡眠/暂停

重置引脚输入tty以解决问题

全球连线代理updatestarptty /dev/null

和修复我的摇摆睡眠+锁定命令:

bindsym $mod+Shift+l exec "sh -c 'gpg-connect-agent reloadagent /bye>/dev/null;systemctl暂停;swaylock;Gpg-connect-agent updatestartuptty /bye > /dev/null'"

根据Github安全博客,SHA-1的RSA密钥不再被接受。

使用以下命令创建新的带有ECDSAencryption的SSH密钥,并将其添加到Github。

ssh-keygen -t ecdsa -b 521 -C "your_email@example.com"

原始答案和细节可以在这里找到

另一个原因是OpenSSH v9.0新默认的NTRU primes + x25519密钥交换,结合gpg-agent(至少在v2.2.32)。

为了解决问题,禁用新的密钥交换算法(因此它的安全效益),如下:

ssh -o 'KexAlgorithm -sntrup761x25519-sha512@openssh.com' [...]

(SSH配置也一样)

参见https://unix.stackexchange.com/questions/701131/use-ntrux25519-key-exchange-with-gpg-agent