no matching key exchange method found
When cloning a remote repository with git clone, you will sometimes run into an error like the following:
Unable to negotiate with 10.1.30.232 port 29418: no matching key exchange method found. Their offer: diffie-hellman-group1-sha1
fatal: Could not read from remote repository.
What is going on here? Taken literally, the git server supports the diffie-hellman-group1-sha1 key exchange method, while the git client does not.
The OpenSSH Legacy Options page gives the following explanation:
If the client and server are unable to agree on a mutual set of parameters then the connection will fail. OpenSSH (7.0 and greater) will produce an error message like this:
Unable to negotiate with legacyhost: no matching key exchange method found.
Their offer: diffie-hellman-group1-sha1
In this case, the client and server were unable to agree on the key exchange algorithm. The server offered only a single method diffie-hellman-group1-sha1. OpenSSH supports this method, but does not enable it by default because it is weak and within theoretical range of the so-called Logjam attack.
It also provides a solution:
The best resolution for these failures is to upgrade the software at the other end. OpenSSH only disables algorithms that we actively recommend against using because they are known to be weak. In some cases, this might not be immediately possible so you may need to temporarily re-enable the weak algorithms to retain access.
For the case of the above error message, OpenSSH can be configured to enable the diffie-hellman-group1-sha1 key exchange algorithm (or any other that is disabled by default) using the KexAlgorithms option - either on the command-line:
ssh -oKexAlgorithms=+diffie-hellman-group1-sha1 user@legacyhost
or in the ~/.ssh/config file:
Host somehost.example.org
    KexAlgorithms +diffie-hellman-group1-sha1
The '+' before the list instructs ssh to append the algorithm to the client's default set rather than replacing the default. By appending, you will automatically upgrade to the best supported algorithm when the server starts supporting it.
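An added example (not from the original post or from OpenSSH): a small Python audit of an ssh_config file that reports where diffie-hellman-group1-sha1 has been re-enabled, whether the entry is limited to one host, and whether it uses the '+' append form described above. The sample configuration and its host names are constructed, and the '^' and '-' list prefixes are handled in addition to the '+' the page mentions.

```python
import re

# Key exchange methods treated as weak. Only the one named on this page is
# listed; extend the set as needed (assumption of this example).
WEAK_KEX = {"diffie-hellman-group1-sha1"}

# Constructed sample ~/.ssh/config; host names are placeholders.
SAMPLE_CONFIG = """\
Host gerrit.example.org
    Port 29418
    KexAlgorithms +diffie-hellman-group1-sha1

Host old-switch.example.org
    KexAlgorithms=diffie-hellman-group1-sha1

Host *
    kexalgorithms +diffie-hellman-group1-sha1
"""

def audit_kex(config_text):
    """Return one finding per scope whose KexAlgorithms enables a weak method."""
    findings = []
    scope = "(global)"  # options before the first Host/Match apply to all hosts
    for raw in config_text.splitlines():
        # Accept "Keyword value" and "Keyword=value"; keywords are case-insensitive.
        m = re.match(r"(\w+)(?:\s*=\s*|\s+)(.*)$", raw.strip())
        if not m:
            continue  # blank line, comment, or keyword without a value
        keyword, value = m.group(1).lower(), m.group(2).strip().strip('"')
        if keyword in ("host", "match"):
            scope = value if keyword == "host" else "Match " + value
            continue
        if keyword != "kexalgorithms" or not value:
            continue
        prefix = value[0] if value[0] in "+-^" else ""
        weak = sorted(set(value.lstrip("+-^").split(",")) & WEAK_KEX)
        if not weak or prefix == "-":  # '-' removes methods, nothing enabled
            continue
        mode = {"+": "append", "^": "prepend", "": "replace"}[prefix]
        issues = []
        if scope in ("(global)", "Match all") or "*" in scope.split():
            issues.append("applies to every host")
        if mode == "replace":
            issues.append("replaces the defaults, so no automatic upgrade")
        findings.append({"scope": scope, "weak": weak, "mode": mode, "issues": issues})
    return findings

if __name__ == "__main__":
    for f in audit_kex(SAMPLE_CONFIG):
        print(f["scope"], f["mode"], f["weak"], f["issues"] or "ok")
```

An entry with an empty issues list is the shape the quoted guidance recommends: one named host, with the weak method appended rather than substituted for the defaults.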