search

holzschu / a-shell

A terminal for iOS, with multiple windows
BSD 3-Clause "New" or "Revised" License
2.72k stars 117 forks source link

Cloning a GitHub repo via SSH not possible when using RSA keys #696

Open Hullow opened 1 year ago

Hullow commented 1 year ago

Using ssh-keygen -t rsa-sha2-256, I was able to generate a key pair, which I checked was indeed SHA-2 after creation by running ssh-keygen -l -f.

Adding the public key to my Github account lets me SSH into GitHub using ssh -t git@github.com, however cloning a repo via SSH (git clone <SSH-URL> target-repository prompts an error message regarding the key type, and the repo isn’t cloned.

SSH authentication: Using private key: /var/mobile/Containers/Data/Application/<local-folder-number>/Documents/.ssh/id_rsa

ERROR 23: ERROR: You're using an RSA key with SHA-1, which is no longer allowed. Please use a newer client or a different key type.

N.b.: git clone works using ed-25519, however.

Edit: I just noticed that this issue was mentioned in the guide, without a solution however. And in a previous issue. Sorry if this duplicates the issue but at least it’s a summary.

holzschu commented 1 year ago

Thanks for boosting this issue. I'll have a look, but I see that you have a workaround using ed-25519, so that might be the best way forward.

damiencourousse commented 1 year ago

I may have the same issue:

ssh works fine:

[Documents]$ ssh git@<server>
PTY allocation request failed on channel 0
hello <mobile>, this is git@<server> running gitolite3 3.6.12-1 (Debian) on git 2.39.2
 R W    testing
Connection to <server> closed.

But lg2 over SSH fails. 

[Documents]$ lg2 clone ssh://git@<server>/testing 
Cloning into ./testing
ERROR 23: failed to start SSH session: Unable to exchange encryption keys
Bad news:
 failed to start SSH session: Unable to exchange encryption keys

My first key was using RSA. I tried to setup a new key using ed-25519, but I get the same error.

I think that the issue appeared with the upgrade (of sshd?) on .
I am running openssh-server 1:9.2p1-2 on (Debian bookworm). It was upgraded recently from version 1:8.4p1-5+deb11u1 (Debian bullseye) where lg2 was pushing/pulling fine over ssh.

damiencourousse commented 1 year ago

In case it helps:

ssh log on , successful ssh connexion with an RSA-based ssh key (created in a-Shell: ssh-keygen -t rsa -b 2048).

2023-09-29T21:41:38.445775+00:00 <server> sshd[103038]: debug1: Forked child 103408.
2023-09-29T21:41:38.449401+00:00 <server> sshd[103408]: debug1: Set /proc/self/oom_score_adj to 0
2023-09-29T21:41:38.450610+00:00 <server> sshd[103408]: debug1: rexec start in 5 out 5 newsock 5 pipe 7 sock 8
2023-09-29T21:41:38.527502+00:00 <server> sshd[103408]: debug1: inetd sockets after dupping: 4, 4
2023-09-29T21:41:38.528034+00:00 <server> sshd[103408]: Connection from <IP> port 22521 on <IP> port 22 rdomain ""
2023-09-29T21:41:38.528657+00:00 <server> sshd[103408]: debug1: Local version string SSH-2.0-OpenSSH_9.2p1 Debian-2
2023-09-29T21:41:38.529819+00:00 <server> sshd[103408]: debug1: Remote protocol version 2.0, remote software version OpenSSH_8.5
2023-09-29T21:41:38.530392+00:00 <server> sshd[103408]: debug1: compat_banner: match: OpenSSH_8.5 pat OpenSSH* compat 0x04000000
2023-09-29T21:41:38.535699+00:00 <server> sshd[103408]: debug1: permanently_set_uid: 107/65534 [preauth]
2023-09-29T21:41:38.536907+00:00 <server> sshd[103408]: debug1: list_hostkey_types: rsa-sha2-512,rsa-sha2-256 [preauth]
2023-09-29T21:41:38.537685+00:00 <server> sshd[103408]: debug1: SSH2_MSG_KEXINIT sent [preauth]
2023-09-29T21:41:39.238253+00:00 <server> sshd[103408]: debug1: SSH2_MSG_KEXINIT received [preauth]
2023-09-29T21:41:39.239755+00:00 <server> sshd[103408]: debug1: kex: algorithm: curve25519-sha256@libssh.org [preauth]
2023-09-29T21:41:39.240757+00:00 <server> sshd[103408]: debug1: kex: host key algorithm: rsa-sha2-512 [preauth]        <=== ***** =====
2023-09-29T21:41:39.241405+00:00 <server> sshd[103408]: debug1: kex: client->server cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none [preauth]
2023-09-29T21:41:39.242319+00:00 <server> sshd[103408]: debug1: kex: server->client cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none [preauth]

lg2 clone with the same key:

2023-09-29T21:42:00.160115+00:00 <server> sshd[103038]: debug1: Forked child 103427.
2023-09-29T21:42:00.165652+00:00 <server> sshd[103427]: debug1: Set /proc/self/oom_score_adj to 0
2023-09-29T21:42:00.166705+00:00 <server> sshd[103427]: debug1: rexec start in 5 out 5 newsock 5 pipe 7 sock 8
2023-09-29T21:42:00.241022+00:00 <server> sshd[103427]: debug1: inetd sockets after dupping: 4, 4
2023-09-29T21:42:00.241529+00:00 <server> sshd[103427]: Connection from <IP> port 22502 on <IP> port 22 rdomain ""
2023-09-29T21:42:00.242254+00:00 <server> sshd[103427]: debug1: Local version string SSH-2.0-OpenSSH_9.2p1 Debian-2
2023-09-29T21:42:00.242814+00:00 <server> sshd[103427]: debug1: Remote protocol version 2.0, remote software version libssh2_1.9.0_DEV
2023-09-29T21:42:00.243414+00:00 <server> sshd[103427]: debug1: compat_banner: no match: libssh2_1.9.0_DEV
2023-09-29T21:42:00.247947+00:00 <server> sshd[103427]: debug1: permanently_set_uid: 107/65534 [preauth]
2023-09-29T21:42:00.249520+00:00 <server> sshd[103427]: debug1: list_hostkey_types: rsa-sha2-512,rsa-sha2-256 [preauth]
2023-09-29T21:42:00.250432+00:00 <server> sshd[103427]: debug1: SSH2_MSG_KEXINIT sent [preauth]
2023-09-29T21:42:00.445448+00:00 <server> sshd[103427]: debug1: SSH2_MSG_KEXINIT received [preauth]
2023-09-29T21:42:00.446895+00:00 <server> sshd[103427]: debug1: kex: algorithm: curve25519-sha256@libssh.org [preauth]
2023-09-29T21:42:00.447669+00:00 <server> sshd[103427]: debug1: kex: host key algorithm: (no match) [preauth]         <=== ***** =====
2023-09-29T21:42:00.448877+00:00 <server> sshd[103427]: Unable to negotiate with <IP> port 22502: no matching host key type found. Their offer: ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-ed25519,ssh-rsa,ssh-dss [preauth]
damiencourousse commented 1 year ago

I found a workaround, on the server side, by enabling back RSA SHA-1:

# file /etc/ssh/sshd_config
...
HostKeyAlgorithms = +ssh-rsa
PubkeyAcceptedAlgorithms = +ssh-rsa

However, this setting reduces the security of communications over ssh.

I understand that a-shell uses libgit2 for an implementation of git, which relies on libssh2. And libssh2 has a reduced set of supported key formats and exchange protocols wrt. other ssh implementations. What is the version of libssh2 embedded in a-Shell?

holzschu commented 1 year ago

I believe that is libssh2 version 1.9.0, and openSSL version 1.1.1k

damiencourousse commented 1 year ago

Thank you Nicolas.

A suitable solution is:

  1. on the server side, add an ED25519 key, which on Debian is already created in /etc/ssh.

    # File: /etc/ssh/sshd_config
...
HostKey /etc/ssh/ssh_host_ed25519_key

  2. On the client / mobile side, create an ED25519 key (or one of the other key formats supported by libssh2: https://libssh2.org), and declare it in ~/Documents/.ssh/konfig, or ~/Documents/.gitconfig, or ~/.../<repo>/.git/config.

Note that libssh2 supports RSA-SHA2 since version 1.11.0. Upgrading to this version would be neat :).