来自 gitlab-ci docker 的 SSH 在“SSH2_MSG_KEX_ECDH_REPLY”上失败

我正在尝试从 GitLab CI 中运行的 Docker 部署容器通过 SSH 连接到远程网络服务器。我第一次尝试时确实成功连接了一次。现在它不断失败：调试输出的最后两行（完整输出如下）是：

debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
Connection closed by ********** port 22

部署任务首先从 GitLab CI“秘密变量”复制 SSH 私钥（公钥当然位于~/.ssh/authorized_keys在遥控器上）。完整的部署任务定义在gitlab-ci.yml as:

.deploy: &import_deploy
    stage: deploy
    image: **********
    tags: [ek-docker]
    before_script:
        # install openssh & rsync
        - apk update && apk --no-cache add rsync openssh
        # copy private key from GitLab secret variable to container
        - mkdir -p ~/.ssh
        - chmod 700 ~/.ssh
        - eval $(ssh-agent -s)
        - echo -e "Host *\n\tStrictHostKeyChecking no\n\n" > ~/.ssh/config
        - echo "$SSH_PRIVATE_KEY" | tr -d '\r' | ssh-add - > /dev/null
    script:
        - ssh -vvv **********@********** 'bash -s' < ./conf/$MY_ENV_NAME/start.sh

    deploy staging:
    <<: *import_deploy
    variables:
        MY_ENV_NAME: "staging"
    only:
        - staging
    environment:
        name: staging

从 SSH 记录的输出是：

OpenSSH_7.7p1, LibreSSL 2.7.4
debug1: Reading configuration data /root/.ssh/config
debug1: /root/.ssh/config line 1: Applying options for *
debug1: Reading configuration data /etc/ssh/ssh_config
debug2: resolve_canonicalize: hostname ********** is address
debug2: ssh_connect_direct: needpriv 0
debug1: Connecting to ********** [**********] port 22.
debug1: Connection established.
debug1: permanently_set_uid: 0/0
debug1: key_load_public: No such file or directory
debug1: identity file /root/.ssh/id_rsa type -1
debug1: key_load_public: No such file or directory
debug1: identity file /root/.ssh/id_rsa-cert type -1
debug1: key_load_public: No such file or directory
debug1: identity file /root/.ssh/id_dsa type -1
debug1: key_load_public: No such file or directory
debug1: identity file /root/.ssh/id_dsa-cert type -1
debug1: key_load_public: No such file or directory
debug1: identity file /root/.ssh/id_ecdsa type -1
debug1: key_load_public: No such file or directory
debug1: identity file /root/.ssh/id_ecdsa-cert type -1
debug1: key_load_public: No such file or directory
debug1: identity file /root/.ssh/id_ed25519 type -1
debug1: key_load_public: No such file or directory
debug1: identity file /root/.ssh/id_ed25519-cert type -1
debug1: key_load_public: No such file or directory
debug1: identity file /root/.ssh/id_xmss type -1
debug1: key_load_public: No such file or directory
debug1: identity file /root/.ssh/id_xmss-cert type -1
debug1: Local version string SSH-2.0-OpenSSH_7.7
debug1: Remote protocol version 2.0, remote software version OpenSSH_7.2p2 Ubuntu-4ubuntu2.6
debug1: match: OpenSSH_7.2p2 Ubuntu-4ubuntu2.6 pat OpenSSH* compat 0x04000000
debug2: fd 3 setting O_NONBLOCK
debug1: Authenticating to **********:22 as '**********'
debug3: send packet: type 20
debug1: SSH2_MSG_KEXINIT sent
debug3: receive packet: type 20
debug1: SSH2_MSG_KEXINIT received
debug2: local client KEXINIT proposal
debug2: KEX algorithms: curve25519-sha256,[email protected] /cdn-cgi/l/email-protection,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha256,diffie-hellman-group14-sha1,ext-info-c
debug2: host key algorithms: [email protected] /cdn-cgi/l/email-protection,[email protected] /cdn-cgi/l/email-protection,[email protected] /cdn-cgi/l/email-protection,[email protected] /cdn-cgi/l/email-protection,[email protected] /cdn-cgi/l/email-protection,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-ed25519,rsa-sha2-512,rsa-sha2-256,ssh-rsa
debug2: ciphers ctos: [email protected] /cdn-cgi/l/email-protection,aes128-ctr,aes192-ctr,aes256-ctr,[email protected] /cdn-cgi/l/email-protection,[email protected] /cdn-cgi/l/email-protection
debug2: ciphers stoc: [email protected] /cdn-cgi/l/email-protection,aes128-ctr,aes192-ctr,aes256-ctr,[email protected] /cdn-cgi/l/email-protection,[email protected] /cdn-cgi/l/email-protection
debug2: MACs ctos: [email protected] /cdn-cgi/l/email-protection,[email protected] /cdn-cgi/l/email-protection,[email protected] /cdn-cgi/l/email-protection,[email protected] /cdn-cgi/l/email-protection,[email protected] /cdn-cgi/l/email-protection,[email protected] /cdn-cgi/l/email-protection,[email protected] /cdn-cgi/l/email-protection,hmac-sha2-256,hmac-sha2-512,hmac-sha1
debug2: MACs stoc: [email protected] /cdn-cgi/l/email-protection,[email protected] /cdn-cgi/l/email-protection,[email protected] /cdn-cgi/l/email-protection,[email protected] /cdn-cgi/l/email-protection,[email protected] /cdn-cgi/l/email-protection,[email protected] /cdn-cgi/l/email-protection,[email protected] /cdn-cgi/l/email-protection,hmac-sha2-256,hmac-sha2-512,hmac-sha1
debug2: compression ctos: none,[email protected] /cdn-cgi/l/email-protection,zlib
debug2: compression stoc: none,[email protected] /cdn-cgi/l/email-protection,zlib
debug2: languages ctos: 
debug2: languages stoc: 
debug2: first_kex_follows 0 
debug2: reserved 0 
debug2: peer server KEXINIT proposal
debug2: KEX algorithms: [email protected] /cdn-cgi/l/email-protection,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha1
debug2: host key algorithms: ssh-rsa,rsa-sha2-512,rsa-sha2-256,ecdsa-sha2-nistp256,ssh-ed25519
debug2: ciphers ctos: [email protected] /cdn-cgi/l/email-protection,aes128-ctr,aes192-ctr,aes256-ctr,[email protected] /cdn-cgi/l/email-protection,[email protected] /cdn-cgi/l/email-protection
debug2: ciphers stoc: chacha20-poly13[email protected] /cdn-cgi/l/email-protection,aes128-ctr,aes192-ctr,aes256-ctr,[email protected] /cdn-cgi/l/email-protection,[email protected] /cdn-cgi/l/email-protection
debug2: MACs ctos: [email protected] /cdn-cgi/l/email-protection,[email protected] /cdn-cgi/l/email-protection,[email protected] /cdn-cgi/l/email-protection,[email protected] /cdn-cgi/l/email-protection,[email protected] /cdn-cgi/l/email-protection,[email protected] /cdn-cgi/l/email-protection,[email protected] /cdn-cgi/l/email-protection,hmac-sha2-256,hmac-sha2-512,hmac-sha1
debug2: MACs stoc: [email protected] /cdn-cgi/l/email-protection,[email protected] /cdn-cgi/l/email-protection,[email protected] /cdn-cgi/l/email-protection,[email protected] /cdn-cgi/l/email-protection,[email protected] /cdn-cgi/l/email-protection,[email protected] /cdn-cgi/l/email-protection,[email protected] /cdn-cgi/l/email-protection,hmac-sha2-256,hmac-sha2-512,hmac-sha1
debug2: compression ctos: none,[email protected] /cdn-cgi/l/email-protection
debug2: compression stoc: none,[email protected] /cdn-cgi/l/email-protection
debug2: languages ctos: 
debug2: languages stoc: 
debug2: first_kex_follows 0 
debug2: reserved 0 
debug1: kex: algorithm: [email protected] /cdn-cgi/l/email-protection
debug1: kex: host key algorithm: ecdsa-sha2-nistp256
debug1: kex: server->client cipher: [email protected] /cdn-cgi/l/email-protection MAC: <implicit> compression: none
debug1: kex: client->server cipher: chacha20-poly13[email protected] /cdn-cgi/l/email-protection MAC: <implicit> compression: none
debug3: send packet: type 30
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
Connection closed by ********** port 22
ERROR: Job failed: exit code 1

I am way超出了我的深度，谷歌搜索提出了两个可能的原因。第一个是基于网络的东西，改变... MTU？作为潜在的修复。这听起来很可怕，所以我专注于第二个，即密钥交换算法的不匹配。这似乎是有道理的：两者之间似乎没有共同的价值观《KEX算法》 and “主机密钥算法”在上面的输出中。当它第一次连接时，输出是

“警告：将‘*********’ (ECDSA) 永久添加到已知列表中 主人”。

我尝试通过指定算法ssh -o KexAlgorithms=ecdh-sha2-nistp521（以及其他一些看起来可能的候选者）但这只是引发了一个错误，即该算法不受支持。

现在很清楚，我不知道我在做什么。任何人都可以从上面的 SSH 输出中提出问题的原因是什么？

我遇到了同样的问题，我已将此选项添加到 ssh 然后问题解决了：

ssh -o KexAlgorithms=ecdh-sha2-nistp521 192.168.1.100