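git pull strangely asks for a password

When I ran git pull, it bizarrely asked for a password, even though I clearly authenticate with a key and never set a password! After searching online, I found that the method below solved my problem, so I am noting it here for reference. Source: ssh-rsa authentication failure "no mutual signature algorithm" - Zhihu (zhihu.com)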

 

Suddenly git stopped working properly

git@gitee.com: Permission denied (publickey).
fatal: Could not read from remote repository.

Please make sure you have the correct access rights
and the repository exists.

Locating the SSH error

❯ ssh -vT git@gitee.com
....
debug1: Offering public key: (none) RSA SHA256:...k agent
debug1: send_pubkey_test: no mutual signature algorithm
...

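Simply put, OpenSSH no longer supports the ssh-rsa algorithm by default, because the algorithm is considered a security risk. For details, see this news item: OpenSSH to deprecate SHA-1 logins due to security risk | ZDNet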
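The diagnosis step above can be scripted. The following is an added example, not part of the original post: a POSIX shell filter that reads ssh -v output and reports each offered key that was followed by "no mutual signature algorithm". The log lines in sample_log, including paths and fingerprints, are constructed.

```shell
#!/bin/sh
# Added example, not from the original post.

# Constructed sample of `ssh -vT` output; paths and fingerprints are made up.
sample_log() {
    cat <<'EOF'
debug1: Offering public key: /home/alice/.ssh/id_rsa RSA SHA256:CONSTRUCTED-RSA-FINGERPRINT agent
debug1: send_pubkey_test: no mutual signature algorithm
debug1: Offering public key: /home/alice/.ssh/id_ed25519 ED25519 SHA256:CONSTRUCTED-ED25519-FINGERPRINT
debug1: Server accepts key: /home/alice/.ssh/id_ed25519 ED25519 SHA256:CONSTRUCTED-ED25519-FINGERPRINT
EOF
}

# Read ssh debug output on stdin; print "TYPE FINGERPRINT" for each offered
# key that was followed by "no mutual signature algorithm".
rejected_keys() {
    awk '
        /Offering public key:/ {
            ktype = ""; fp = ""
            # Identity is printed as: <file> <TYPE> <fingerprint> [explicit] [agent]
            for (i = 2; i <= NF; i++)
                if ($i ~ /^(SHA256|MD5):/) { ktype = $(i - 1); fp = $i }
            next
        }
        /send_pubkey_test: no mutual signature algorithm/ {
            if (fp != "") print ktype, fp
            ktype = ""; fp = ""
        }'
}

# Return 0 and name the affected keys if the mismatch is present, else return 1.
diagnose() {
    hits=$(rejected_keys)
    if [ -z "$hits" ]; then
        echo "no signature-algorithm mismatch in this log"
        return 1
    fi
    echo "$hits" | while read -r ktype fp; do
        echo "$ktype key $fp skipped: client and server share no signature algorithm for it"
    done
}

sample_log | diagnose
```

For a real session, pipe ssh -vT git@gitee.com 2>&1 into diagnose, since ssh writes its debug output to stderr.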

Of course, we can re-enable ssh-rsa, but doing so carries a security risk.

PubkeyAcceptedKeyTypes +ssh-rsa

A better approach is to use Ed25519

ssh-keygen

ssh-keygen -t ed25519 -C "your_email@example.com"

GnuPG - ECC (Elliptic Curve Cryptography)

❯ gpg --expert --edit-key xxx
gpg> addkey
Please select what kind of key you want:
   (3) DSA (sign only)
   (4) RSA (sign only)
   (5) Elgamal (encrypt only)
   (6) RSA (encrypt only)
   (7) DSA (set your own capabilities)
   (8) RSA (set your own capabilities)
  (10) ECC (sign only)
  (11) ECC (set your own capabilities)
  (12) ECC (encrypt only)
  (13) Existing key
  (14) Existing key from card
Your selection? 11
Possible actions for a ECDSA/EdDSA key: Sign Authenticate
Current allowed actions: Sign

   (S) Toggle the sign capability
   (A) Toggle the authenticate capability
   (Q) Finished

Your selection? s
Your selection? a
Your selection? q
Please select which elliptic curve you want:
   (1) Curve 25519
   (3) NIST P-256
   (4) NIST P-384
   (5) NIST P-521
   (6) Brainpool P-256
   (7) Brainpool P-384
   (8) Brainpool P-512
   (9) secp256k1
Your selection? 1
Please specify how long the key should be valid.
         0 = key does not expire
      <n>  = key expires in n days
      <n>w = key expires in n weeks
      <n>m = key expires in n months
      <n>y = key expires in n years
Key is valid for? (0)
Key does not expire at all
Is this correct? (y/N) y
Really create? (y/N) y
gpg> save


 

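In addition, when you interact with a git remote repository over https (rather than ssh), you have to enter your username and password every time, which is tedious. Run the following on the server or on your local PC to solve this: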

git config --global credential.helper store 

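You still have to enter them on the first push or pull; git then creates a plain-text file locally (~/.git-credentials by default) that stores the credentials unencrypted.

After configuring git with the command above, run git pull once more. It will prompt for your account and password, and after that you will not need to enter the password again.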

posted @ 2022-04-25 15:11  透明飞起来了