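Background
On a Raspberry Pi, cloning a Gerrit repository with git clone ssh://xxx@<host_name>:29418/<REPOSITORY_NAME.git> fails with Permission denied (publickey);
the git@ form (for example git clone git@<host_name>:<REPOSITORY_NAME.git>) clones successfully.
Another machine connects without problems using the same ssh:// form.
Troubleshooting steps
- Verify the URL format
Confirm that the user name (layton.ren), port (29418) and repository path in the ssh:// URL are correct and match the git@ form.
- Test the SSH connection
Run ssh -p 29418 xxx@<host_name> -v and read the debug log. The key error is send_pubkey_test: no mutual signature algorithm (the client and the server have no signature algorithm in common).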
pi@raspberrypi:~ $ ssh -p 29418 xxx@<host_name> -v
OpenSSH_9.2p1 Debian-2+deb12u5, OpenSSL 3.0.17 1 Jul 2025
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 19: include /etc/ssh/ssh_config.d/*.conf matched no files
debug1: /etc/ssh/ssh_config line 21: Applying options for *
debug1: Connecting to <host_name> [<host_name>] port 29418.
debug1: Connection established.
debug1: identity file /home/pi/.ssh/id_rsa type 0
debug1: identity file /home/pi/.ssh/id_rsa-cert type -1
debug1: identity file /home/pi/.ssh/id_ecdsa type -1
debug1: identity file /home/pi/.ssh/id_ecdsa-cert type -1
debug1: identity file /home/pi/.ssh/id_ecdsa_sk type -1
debug1: identity file /home/pi/.ssh/id_ecdsa_sk-cert type -1
debug1: identity file /home/pi/.ssh/id_ed25519 type -1
debug1: identity file /home/pi/.ssh/id_ed25519-cert type -1
debug1: identity file /home/pi/.ssh/id_ed25519_sk type -1
debug1: identity file /home/pi/.ssh/id_ed25519_sk-cert type -1
debug1: identity file /home/pi/.ssh/id_xmss type -1
debug1: identity file /home/pi/.ssh/id_xmss-cert type -1
debug1: identity file /home/pi/.ssh/id_dsa type -1
debug1: identity file /home/pi/.ssh/id_dsa-cert type -1
debug1: Local version string SSH-2.0-OpenSSH_9.2p1 Debian-2+deb12u5
debug1: Remote protocol version 2.0, remote software version GerritCodeReview_3.2.2 (APACHE-SSHD-2.4.0)
debug1: compat_banner: no match: GerritCodeReview_3.2.2 (APACHE-SSHD-2.4.0)
debug1: Authenticating to <host_name>:29418 as 'xxx'
debug1: load_hostkeys: fopen /home/pi/.ssh/known_hosts2: No such file or directory
debug1: load_hostkeys: fopen /etc/ssh/ssh_known_hosts: No such file or directory
debug1: load_hostkeys: fopen /etc/ssh/ssh_known_hosts2: No such file or directory
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: algorithm: ecdh-sha2-nistp256
debug1: kex: host key algorithm: ssh-ed25519
debug1: kex: server->client cipher: aes128-ctr MAC: hmac-sha2-256-etm@openssh.com compression: none
debug1: kex: client->server cipher: aes128-ctr MAC: hmac-sha2-256-etm@openssh.com compression: none
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug1: SSH2_MSG_KEX_ECDH_REPLY received
debug1: Server host key: ssh-ed25519 SHA256:wLrwyxq0wXunwomNExZCRLqJHt7HMCjIQKawgMTQUU0
debug1: load_hostkeys: fopen /home/pi/.ssh/known_hosts2: No such file or directory
debug1: load_hostkeys: fopen /etc/ssh/ssh_known_hosts: No such file or directory
debug1: load_hostkeys: fopen /etc/ssh/ssh_known_hosts2: No such file or directory
debug1: Host '[<host_name>]:29418' is known and matches the ED25519 host key.
debug1: Found key in /home/pi/.ssh/known_hosts:1
debug1: rekey out after 4294967296 blocks
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: rekey in after 4294967296 blocks
debug1: Will attempt key: /home/pi/.ssh/id_rsa RSA SHA256:p5FNVbVuIBEww6El0FBZXhSuJe4ku2oRqR1Wgl1duMg
debug1: Will attempt key: /home/pi/.ssh/id_ecdsa
debug1: Will attempt key: /home/pi/.ssh/id_ecdsa_sk
debug1: Will attempt key: /home/pi/.ssh/id_ed25519
debug1: Will attempt key: /home/pi/.ssh/id_ed25519_sk
debug1: Will attempt key: /home/pi/.ssh/id_xmss
debug1: Will attempt key: /home/pi/.ssh/id_dsa
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey
debug1: Next authentication method: publickey
debug1: Offering public key: /home/pi/.ssh/id_rsa RSA SHA256:p5FNVbVuIBEww6El0FBZXhSuJe4ku2oRqR1Wgl1duMg
debug1: send_pubkey_test: no mutual signature algorithm
debug1: Trying private key: /home/pi/.ssh/id_ecdsa
debug1: Trying private key: /home/pi/.ssh/id_ecdsa_sk
debug1: Trying private key: /home/pi/.ssh/id_ed25519
debug1: Trying private key: /home/pi/.ssh/id_ed25519_sk
debug1: Trying private key: /home/pi/.ssh/id_xmss
debug1: Trying private key: /home/pi/.ssh/id_dsa
debug1: No more authentication methods to try.
xxx@<host_name>: Permission denied (publickey).
pi@raspberrypi:~ $
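- Compare with the log from the working machine
On the other machine (OpenSSH_7.6p1) the server accepts the ssh-rsa algorithm for the RSA key (Server accepts key: pkalg ssh-rsa). The newer OpenSSH on the Raspberry Pi disables ssh-rsa by default, which makes the two incompatible.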
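The check done by eye in the steps above can be scripted. The following is an added example, not part of the original post: the function name diagnose_ssh_log and its result labels are assumptions, and the sample input is a short excerpt of the debug log shown above.

```shell
#!/bin/sh
# Classify the outcome of public-key authentication from `ssh -v` output on stdin.
# Result labels (hypothetical, chosen for this example):
#   accepted                        the server accepted an offered key
#   no-mutual-sigalg <type> <file>  the client skipped the key: no signature
#                                   algorithm allowed by both sides
#   denied-other                    publickey denied for a different reason
#   inconclusive                    no authentication result in the log
diagnose_ssh_log() {
    awk '
        # OpenSSH 9.x format: "debug1: Offering public key: <file> <type> <fp>"
        /Offering public key:/ { key = $5; type = $6 }
        /send_pubkey_test: no mutual signature algorithm/ { skipped = type " " key }
        /Server accepts key:/ { accepted = 1 }
        /Permission denied \(publickey\)/ { denied = 1 }
        END {
            if (accepted)           print "accepted"
            else if (skipped != "") print "no-mutual-sigalg " skipped
            else if (denied)        print "denied-other"
            else                    print "inconclusive"
        }'
}

# Sample input: lines excerpted from the Raspberry Pi log above.
sample_failing_log() {
    cat <<'EOF'
debug1: Remote protocol version 2.0, remote software version GerritCodeReview_3.2.2 (APACHE-SSHD-2.4.0)
debug1: Offering public key: /home/pi/.ssh/id_rsa RSA SHA256:p5FNVbVuIBEww6El0FBZXhSuJe4ku2oRqR1Wgl1duMg
debug1: send_pubkey_test: no mutual signature algorithm
debug1: Trying private key: /home/pi/.ssh/id_ed25519
debug1: No more authentication methods to try.
xxx@<host_name>: Permission denied (publickey).
EOF
}

# Against a live server, ssh writes its debug output to stderr:
#   ssh -p 29418 xxx@<host_name> -v 2>&1 | diagnose_ssh_log
sample_failing_log | diagnose_ssh_log
```
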
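Solutions
- Method 1: generate and use a key of a different algorithm
For example, one of the key types listed in the debug log: ecdsa, ecdsa_sk, ed25519, ed25519_sk, xmss. Using ed25519 as the example:
- Generate an ED25519 key:
ssh-keygen -t ed25519 -C "your_email@example.com"
- Add the public key (~/.ssh/id_ed25519.pub) to SSH Public Keys in the Gerrit account settings.
- Clone the repository again.
- Method 2: configure the newer OpenSSH to accept the RSA algorithm
To keep the RSA key, enable the ssh-rsa algorithm for that host in ~/.ssh/config:
Host <host_name>
    Port 29418
    PubkeyAcceptedAlgorithms +ssh-rsa
    HostKeyAlgorithms +ssh-rsa
Alternatively, enable ssh-rsa for all hosts. This re-enables ssh-rsa for every server the client connects to, so the per-host form above is the narrower change:
Host *
    # Under Host *, this Port value becomes the default for every SSH connection.
    Port 29418
    PubkeyAcceptedAlgorithms +ssh-rsa
    HostKeyAlgorithms +ssh-rsa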