
Why can't I connect to github with my ssh key on yubikey

I have an SSH key generated on my desktop as well as one generated on my YubiKey. Both are ED25519 keys, with the one on the YubiKey being an ED25519-sk for the security key. When I run "ssh -t git@github.com" to attempt to connect to GitHub to test the SSH key with the desktop key, it works just fine and connects successfully. However, when I load in the SK from the YubiKey and attempt to connect, I get permission denied. I have properly added both keys to my GitHub account as well as to the ssh-agent. I've run out of ideas of what could be wrong.

Here are my debug logs:

$ ssh -tv git@github.com
OpenSSH_9.0p1, OpenSSL 1.1.1q  5 Jul 2022
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Connecting to github.com [140.82.113.3] port 22.
debug1: Connection established.
debug1: identity file /c/Users/USER/.ssh/id_rsa type -1
debug1: identity file /c/Users/USER/.ssh/id_rsa-cert type -1
debug1: identity file /c/Users/USER/.ssh/id_ecdsa type -1
debug1: identity file /c/Users/USER/.ssh/id_ecdsa-cert type -1
debug1: identity file /c/Users/USER/.ssh/id_ecdsa_sk type -1
debug1: identity file /c/Users/USER/.ssh/id_ecdsa_sk-cert type -1
debug1: identity file /c/Users/USER/.ssh/id_ed25519 type -1
debug1: identity file /c/Users/USER/.ssh/id_ed25519-cert type -1
debug1: identity file /c/Users/USER/.ssh/id_ed25519_sk type -1
debug1: identity file /c/Users/USER/.ssh/id_ed25519_sk-cert type -1
debug1: identity file /c/Users/USER/.ssh/id_xmss type -1
debug1: identity file /c/Users/USER/.ssh/id_xmss-cert type -1
debug1: identity file /c/Users/USER/.ssh/id_dsa type -1
debug1: identity file /c/Users/USER/.ssh/id_dsa-cert type -1
debug1: Local version string SSH-2.0-OpenSSH_9.0
debug1: Remote protocol version 2.0, remote software version babeld-adca5b9e
debug1: compat_banner: no match: babeld-adca5b9e
debug1: Authenticating to github.com:22 as 'git'
debug1: load_hostkeys: fopen /c/Users/USER/.ssh/known_hosts2: No such file or directory
debug1: load_hostkeys: fopen /etc/ssh/ssh_known_hosts: No such file or directory
debug1: load_hostkeys: fopen /etc/ssh/ssh_known_hosts2: No such file or directory
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: algorithm: curve25519-sha256
debug1: kex: host key algorithm: ssh-ed25519
debug1: kex: server->client cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none
debug1: kex: client->server cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug1: SSH2_MSG_KEX_ECDH_REPLY received
debug1: Server host key: ssh-ed25519 SHA256:+DiY3wvvV6TuJJhbpZisF/zLDA0zPMSvHdkr4UvCOqU
debug1: load_hostkeys: fopen /c/Users/USER/.ssh/known_hosts2: No such file or directory
debug1: load_hostkeys: fopen /etc/ssh/ssh_known_hosts: No such file or directory
debug1: load_hostkeys: fopen /etc/ssh/ssh_known_hosts2: No such file or directory
debug1: Host 'github.com' is known and matches the ED25519 host key.
debug1: Found key in /c/Users/USER/.ssh/known_hosts:1
debug1: rekey out after 134217728 blocks
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: rekey in after 134217728 blocks
debug1: get_agent_identities: bound agent to hostkey
debug1: get_agent_identities: agent returned 1 keys
debug1: Will attempt key:  ED25519-SK ********************************** authenticator agent
debug1: Will attempt key: /c/Users/USER/.ssh/id_rsa
debug1: Will attempt key: /c/Users/USER/.ssh/id_ecdsa
debug1: Will attempt key: /c/Users/USER/.ssh/id_ecdsa_sk
debug1: Will attempt key: /c/Users/USER/.ssh/id_ed25519
debug1: Will attempt key: /c/Users/USER/.ssh/id_ed25519_sk
debug1: Will attempt key: /c/Users/USER/.ssh/id_xmss
debug1: Will attempt key: /c/Users/USER/.ssh/id_dsa
debug1: SSH2_MSG_EXT_INFO received
debug1: kex_input_ext_info: server-sig-algs=<ssh-ed25519-cert-v01@openssh.com,ecdsa-sha2-nistp521-cert-v01@openssh.com,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp256-cert-v01@openssh.com,sk-ssh-ed25519-cert-v01@openssh.com,sk-ecdsa-sha2-nistp256-cert-v01@openssh.com,rsa-sha2-512-cert-v01@openssh.com,rsa-sha2-256-cert-v01@openssh.com,ssh-rsa-cert-v01@openssh.com,sk-ssh-ed25519@openssh.com,sk-ecdsa-sha2-nistp256@openssh.com,ssh-ed25519,ecdsa-sha2-nistp521,ecdsa-sha2-nistp384,ecdsa-sha2-nistp256,rsa-sha2-512,rsa-sha2-256,ssh-rsa>
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey
debug1: Next authentication method: publickey
debug1: Offering public key:  ED25519-SK ********************************** authenticator agent
debug1: Server accepts key:  ED25519-SK ********************************** authenticator agent
sign_and_send_pubkey: signing failed for ED25519-SK "" from agent: agent refused operation
debug1: Trying private key: /c/Users/USER/.ssh/id_rsa
debug1: Trying private key: /c/Users/USER/.ssh/id_ecdsa
debug1: Trying private key: /c/Users/USER/.ssh/id_ecdsa_sk
debug1: Trying private key: /c/Users/USER/.ssh/id_ed25519
debug1: Trying private key: /c/Users/USER/.ssh/id_ed25519_sk
debug1: Trying private key: /c/Users/USER/.ssh/id_xmss
debug1: Trying private key: /c/Users/USER/.ssh/id_dsa
debug1: No more authentication methods to try.
git@github.com: Permission denied (publickey).

"ssh -t git@github.com" to attempt to connect to GitHub to test the SSH key with the desktop key, it works just fine and connects successfully.

From your log, the test is not successful, since you should see a Welcome message:

Hi USERNAME! 
You've successfully authenticated, but GitHub does not provide shell access.    

Double-check "Security keys are now supported for SSH Git operations", and if your security key supports FIDO2 resident keys, consider using a resident key.

For your test to use your ED25519-sk, try and force it with:

ssh -i ~/.ssh/id_ecdsa_sk git@github.com

Note that you might need Git for Windows 2.39-rc1, which states:

It is now possible to generate and use SSH keys protected by security keys (AKA FIDO devices) via Windows Hello, e.g. via ssh-keygen.exe -t ecdsa-sk.

(Just in case "libfido2 upgraded to v0.12.0" could bring any benefit to your current command)
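
The log in the question can be triaged mechanically: "Server accepts key" followed by "signing failed ... agent refused operation" means GitHub recognised the public key and the failure happened locally, when the agent was asked to produce the signature. The sketch below is an added example, not part of the original post; the function name `triage` and the verdict labels are made up for illustration, and the sample lines are copied from the question's log.

```python
import re

# Excerpt copied from the question's `ssh -tv` output (key fingerprint masked there).
SAMPLE_LOG = """\
debug1: identity file /c/Users/USER/.ssh/id_ecdsa_sk type -1
debug1: identity file /c/Users/USER/.ssh/id_ed25519_sk type -1
debug1: Offering public key:  ED25519-SK ********************************** authenticator agent
debug1: Server accepts key:  ED25519-SK ********************************** authenticator agent
sign_and_send_pubkey: signing failed for ED25519-SK "" from agent: agent refused operation
debug1: Trying private key: /c/Users/USER/.ssh/id_ed25519_sk
git@github.com: Permission denied (publickey).
"""

UNLOADED = re.compile(r"^debug1: identity file (\S+) type -1$")
OFFER = re.compile(r"^debug1: Offering public key:\s+(.*)$")
ACCEPT = re.compile(r"^debug1: Server accepts key:")
SIGN_FAIL = re.compile(r"^sign_and_send_pubkey: signing failed for \S+ .*?: (.+)$")


def triage(log_text):
    """Return (outcome per offered key, identity paths ssh could not load).

    Verdict labels (names are illustrative, not OpenSSH terms):
      server_rejected       offered, server never answered "accepts key"
      server_accepted       server accepts the key, no signing error logged
      local_signing_failed  server accepts the key, local signing failed
    """
    outcomes, unloaded, current = [], [], None
    for line in log_text.splitlines():
        line = line.strip()
        if m := UNLOADED.match(line):
            # "type -1": no public key could be loaded from this path.
            unloaded.append(m.group(1))
        elif m := OFFER.match(line):
            current = {"key": m.group(1), "verdict": "server_rejected"}
            outcomes.append(current)
        elif current and ACCEPT.match(line):
            current["verdict"] = "server_accepted"
        elif current and (m := SIGN_FAIL.match(line)):
            current["verdict"] = "local_signing_failed"
            current["reason"] = m.group(1)
    return outcomes, unloaded


if __name__ == "__main__":
    results, not_loaded = triage(SAMPLE_LOG)
    for r in results:
        print(r["verdict"], "-", r.get("reason", ""), "-", r["key"])
    print("identity files not loaded:", ", ".join(not_loaded))
```

A `local_signing_failed` verdict points the investigation at the client side (the agent, the FIDO middleware, the authenticator itself) rather than at the key registered on the GitHub account.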
