Git permission denied (publickey) with newest git

Published 2019-06-05 20:40

Question:

Created a key for authorization: ssh-keygen -C "your@email.com" -t dsa. Public key sent to the git administrator. Set up passphrase caching by configuring ssh-agent for Windows (the process is described at http://help.github.com/ssh-key-passphrases/). Created .bash_profile. Now if I work in the console with old git 1.9.5 (openSSH 6.6.1) it asks only once for the passphrase and I can clone/pull/fetch/push; authentication is correct:

$ ssh -vT -p 52967 git@some-repo.com
OpenSSH_6.6.1, OpenSSL 1.0.1i 6 Aug 2014
debug1: Connecting to some-repo.com [XX.XX.XX.XX] port 52967.
debug1: Connection established.
debug1: identity file /c/Users/MyName/.ssh/id_rsa type -1
debug1: identity file /c/Users/MyName/.ssh/id_rsa-cert type -1
debug1: identity file /c/Users/MyName/.ssh/id_dsa type 2
debug1: identity file /c/Users/MyName/.ssh/id_dsa-cert type -1
debug1: identity file /c/Users/MyName/.ssh/id_ecdsa type -1
debug1: identity file /c/Users/MyName/.ssh/id_ecdsa-cert type -1
debug1: identity file /c/Users/MyName/.ssh/id_ed25519 type -1
debug1: identity file /c/Users/MyName/.ssh/id_ed25519-cert type -1
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_6.6.1
debug1: Remote protocol version 2.0, remote software version OpenSSH_5.9p1 Debian-5ubuntu1.8
debug1: match: OpenSSH_5.9p1 Debian-5ubuntu1.8 pat OpenSSH_5* compat 0x0c000000
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client aes128-ctr hmac-md5 none
debug1: kex: client->server aes128-ctr hmac-md5 none
debug1: sending SSH2_MSG_KEX_ECDH_INIT
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug1: Server host key: RSA aa:a3:0a:32:c2:88:75:a5:5a:c2:05:e6:4b:b1:a0:76
debug1: Host '[some-repo.com]:52967' is known and matches the RSA host key.
debug1: Found key in /c/Users/MyName/.ssh/known_hosts:1
debug1: ssh_rsa_verify: signature correct
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: Roaming not allowed by server
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey,password
debug1: Next authentication method: publickey
debug1: Offering DSA public key: /c/Users/MyName/.ssh/id_dsa
debug1: Server accepts key: pkalg ssh-dss blen 435
debug1: Authentication succeeded (publickey).
Authenticated to some-repo.com ([XX.XX.XX.XX]:52967).
debug1: channel 0: new [client-session]
debug1: Requesting no-more-sessions@openssh.com
debug1: Entering interactive session.
debug1: Remote: Forced command.
debug1: Remote: Port forwarding disabled.
debug1: Remote: X11 forwarding disabled.
debug1: Remote: Agent forwarding disabled.
debug1: Remote: Pty allocation disabled.
debug1: Remote: Forced command.
debug1: Remote: Port forwarding disabled.
debug1: Remote: X11 forwarding disabled.
debug1: Remote: Agent forwarding disabled.
debug1: Remote: Pty allocation disabled.
hello MyName, this is git@some-repo-svn running gitolite3 v3.2-10-g2741fad on git 1.7.9.5

... Repo list here ...

debug1: client_input_channel_req: channel 0 rtype exit-status reply 0
debug1: client_input_channel_req: channel 0 rtype eow@openssh.com reply 0
debug1: channel 0: free: client-session, nchannels 1
Transferred: sent 3408, received 3792 bytes, in 1.6 seconds
Bytes per second: sent 2108.9, received 2346.5
debug1: Exit status 0

However, if I use the modern Git 2.7.1 (OpenSSH_7.1) I get an error:

$ ssh -vT -p 52967 git@some-repo.com
OpenSSH_7.1p2, OpenSSL 1.0.2d 9 Jul 2015
debug1: Reading configuration data /c/Users/MyName/.ssh/config
debug1: /c/Users/MyName/.ssh/config line 1: Applying options for some-repo.com
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Connecting to some-repo.com [XX.XX.XX.XX] port 52967.
debug1: Connection established.
debug1: key_load_public: No such file or directory
debug1: identity file /c/Users/MyName/.ssh/id_rsa type -1
debug1: key_load_public: No such file or directory
debug1: identity file /c/Users/MyName/.ssh/id_rsa-cert type -1
debug1: identity file /c/Users/MyName/.ssh/id_dsa type 2
debug1: key_load_public: No such file or directory
debug1: identity file /c/Users/MyName/.ssh/id_dsa-cert type -1
debug1: key_load_public: No such file or directory
debug1: identity file /c/Users/MyName/.ssh/id_ecdsa type -1
debug1: key_load_public: No such file or directory
debug1: identity file /c/Users/MyName/.ssh/id_ecdsa-cert type -1
debug1: key_load_public: No such file or directory
debug1: identity file /c/Users/MyName/.ssh/id_ed25519 type -1
debug1: key_load_public: No such file or directory
debug1: identity file /c/Users/MyName/.ssh/id_ed25519-cert type -1
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_7.1
debug1: Remote protocol version 2.0, remote software version OpenSSH_5.9p1 Debian-5ubuntu1.8
debug1: match: OpenSSH_5.9p1 Debian-5ubuntu1.8 pat OpenSSH_5* compat 0x0c000000
debug1: Authenticating to some-repo.com:52967 as 'git'
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client aes128-ctr umac-64@openssh.com none
debug1: kex: client->server aes128-ctr umac-64@openssh.com none
debug1: sending SSH2_MSG_KEX_ECDH_INIT
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug1: Server host key: ssh-rsa SHA256:Zw5XXi0GgafMm6AhcKnNw+GzqkotZwXZYPWrZogG9KQ
debug1: Host '[some-repo.com]:52967' is known and matches the RSA host key.
debug1: Found key in /c/Users/MyName/.ssh/known_hosts:1
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey,password
debug1: Next authentication method: publickey
debug1: Skipping ssh-dss key /c/Users/MyName/.ssh/id_dsa for not in PubkeyAcceptedKeyTypes
debug1: Trying private key: /c/Users/MyName/.ssh/id_rsa
debug1: Trying private key: /c/Users/MyName/.ssh/id_ecdsa
debug1: Trying private key: /c/Users/MyName/.ssh/id_ed25519
debug1: Next authentication method: password
git@some-repo.com's password:
debug1: Authentications that can continue: publickey,password
Permission denied, please try again.
git@some-repo.com's password:
debug1: Authentications that can continue: publickey,password
Permission denied, please try again.
git@some-repo.com's password:
debug1: Authentications that can continue: publickey,password
debug1: No more authentication methods to try.
Permission denied (publickey,password).

The ssh config contains the lines:

Host some-repo.com
    KexAlgorithms +diffie-hellman-group1-sha1

However, it does not help. Is the problem here that the server uses old Git (gitolite3 v3.2-10-g2741fad on git 1.7.9.5) / SSH (OpenSSH_5.9p1), so there is no reason to use the latest Git on the client?

Answer 1:

From https://www.gentoo.org/support/news-items/2015-08-13-openssh-weak-keys.html:

Starting with the 7.0 release of OpenSSH, support for ssh-dss keys has been disabled by default at runtime due to their inherent weakness.
...
If you are stuck with DSA keys, you can re-enable support locally by updating your sshd_config and ~/.ssh/config files with lines like so:

PubkeyAcceptedKeyTypes=+ssh-dss

Be aware though that eventually OpenSSH will drop support for DSA keys entirely, so this is only a stop gap solution.

So the solution for now is to add PubkeyAcceptedKeyTypes=+ssh-dss to your ssh client config.



Answer 2:

(I already left a comment saying it's not the answer...but maybe it is)

The second log says

debug1: Skipping ssh-dss key /c/Users/MyName/.ssh/id_dsa for not in PubkeyAcceptedKeyTypes

So likely the new server has forbidden DSA keys (as it should, since they are too weak and obsolete). Use an RSA key instead. And here I have used 4096 bits... 2048 should probably be ok too, but is not very future proof in my opinion; see https://www.keylength.com/ to see what you think. The ssh server uses an efficient symmetric key for most of the work, so it isn't really a significant performance problem anyway... so don't worry about that. It pretty much just takes longer to generate, which is one time.

ssh-keygen -C "your@email.com" -t rsa -b 4096

Even if this server could be reconfigured, never use DSA keys... they are fixed length 1024 bits, which is weak by today's standards, obsolete for many years. 2048 bits is barely even enough these days (enough for now, but not future proof). See https://security.stackexchange.com/questions/5096/rsa-vs-dsa-for-ssh-authentication-keys
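An added example that is not part of either answer: it reads the `ssh -vT` debug lines quoted in the question, separates the client-side "Skipping ssh-dss key ... for not in PubkeyAcceptedKeyTypes" case (the key was never offered, so the server's authorized_keys is not the problem) from a genuine server rejection, and then emits the stop-gap from answer 1 and the RSA replacement from answer 2. The log excerpts are constructed from the question's own transcripts, and `diagnose` and `recommend` are hypothetical helper names.

```python
import re

# Constructed excerpts of the two `ssh -vT` transcripts quoted in the question
# (host, port and paths are the poster's placeholders, not real values).
OLD_CLIENT_LOG = """\
debug1: Offering DSA public key: /c/Users/MyName/.ssh/id_dsa
debug1: Server accepts key: pkalg ssh-dss blen 435
debug1: Authentication succeeded (publickey).
"""
NEW_CLIENT_LOG = """\
debug1: Skipping ssh-dss key /c/Users/MyName/.ssh/id_dsa for not in PubkeyAcceptedKeyTypes
debug1: Trying private key: /c/Users/MyName/.ssh/id_rsa
debug1: Next authentication method: password
Permission denied (publickey,password).
"""

SKIP_RE = re.compile(r"Skipping (\S+) key (\S+) for not in PubkeyAcceptedKeyTypes")
OFFER_RE = re.compile(r"Offering \S+ public key: (\S+)")
ACCEPT_RE = re.compile(r"Server accepts key: pkalg (\S+)")


def diagnose(log: str) -> dict:
    """Classify a publickey attempt from the client's debug1 lines.

    verdict: "ok" | "key-type-disabled" (client filtered the key and never
    offered it, so the server's authorized_keys is not at fault) | "rejected".
    """
    d = {"verdict": "rejected", "skipped": [], "offered": [], "accepted_alg": None}
    for line in log.splitlines():
        if m := SKIP_RE.search(line):
            d["skipped"].append((m.group(1), m.group(2)))   # (key type, path)
        elif m := OFFER_RE.search(line):
            d["offered"].append(m.group(1))
        elif m := ACCEPT_RE.search(line):
            d["accepted_alg"] = m.group(1)
    if "Authentication succeeded (publickey)" in log:
        d["verdict"] = "ok"
    elif d["skipped"] and not d["offered"]:
        d["verdict"] = "key-type-disabled"
    return d


def recommend(d: dict, host: str) -> list:
    """The two fixes the answers give for a skipped ssh-dss key."""
    out = []
    for ktype, path in d["skipped"]:
        if ktype == "ssh-dss":
            out.append(f"stop-gap, ~/.ssh/config:\n  Host {host}\n    PubkeyAcceptedKeyTypes +ssh-dss")
            out.append(f"preferred: replace {path} with `ssh-keygen -t rsa -b 4096` "
                       "and send the new public key to the git administrator")
    return out
```

Run `diagnose` on the full output of `ssh -vT` for a real host; a "rejected" verdict with keys in `offered` points at the server side (authorized_keys or gitolite config), not at the client's accepted key types.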



Tags: git ssh openssh