libgit2 / libgit2sharp

Git + .NET = ❤
http://libgit2.github.com
MIT License

Question: SSH Support #1422

Open motowilliams opened 7 years ago

motowilliams commented 7 years ago

There are some issues and PRs that are closed/merged, but from the docs and SO questions there seems to be some confusion about whether this is actually a supported feature or not. Would it be possible to have the docs updated to indicate as such?

alex-weaver commented 5 years ago

@ethomson Moving this discussion here to avoid polluting the other discussion: https://github.com/libgit2/libgit2sharp.nativebinaries/pull/77

SSH support is really important to my, and a lot of others', use cases, so it would be really good if there was a straightforward way to add SSH support even if it is not directly supported in the core libgit2sharp.

There are really 2 parts to this:

  1. The library needs to be able to use native binaries that are built with ssh support. A possible solution here is dynamic linking so that users can provide their own binaries.
  2. The library needs interfaces for constructing ssh credentials, and support for ssh:// urls. This can either be directly baked into the library, and fail unless the native binaries were built with SSH support, or the library can provide the necessary hooks so that an add-on library can introduce these. For an unmerged PR implementing the former, see https://github.com/libgit2/libgit2sharp/pull/1072

@ethomson You mentioned in the other thread the idea of using a managed SSH library - can you expand on how this might work? I can't see a way of doing this without modifying libgit2 itself but I may be missing something

triynko commented 5 years ago

Why is this happening when trying to connect to BitBucket server with LibGit2Sharp-SSH: "Failed to start SSH session: Unable to exchange encryption keys"? I have the latest version. I even had to hack the NuGet package, because it's locked into version 1.0.15 of the native binaries, even though 1.0.16 exists, which I only did in the off chance that there was something outdated about 1.0.15, but the same error persists even with the newest binaries (1.8.1.0). For some reason 1.0.15 was still using 1.7.0 binaries. Anyway, does anyone know why this error would occur? It's being returned from session.c's call to _libssh2_kex_exchange.

alex-weaver commented 5 years ago

@motowilliams @rotemwolfovich FYI since I needed an up to date build that supported SSH and worked on .NET Core on linux, I've got a build working in a fork here https://github.com/alex-weaver/libgit2sharp That fork is mainly intended to document how to build libgit2sharp with SSH support as much as anything. If you need SSH support, it should give you a good place to start.

@ethomson might a solution to the issue of not wanting to distribute a crypto library be to merge the code/build scripts to support SSH into the main repo, but hide it behind a feature flag in the build? This way the official nuget packages don't get SSH support, but users can easily build a version with SSH if they require one.

ethomson commented 5 years ago

> might a solution to the issue of not wanting to distribute a crypto library be to merge the code/build scripts to support SSH into the main repo, but hide it behind a feature flag in the build? This way the official nuget packages don't get SSH support, but users can easily build a version with SSH if they require one.

Yes, I'm certainly open to this.

smuda commented 5 years ago

@alex-weaver I'm also interested in having SSH at least partially supported by libgit2sharp. Do you need any more hands on deck to get this going?

felixfbecker commented 5 years ago

While some may find it easy to build SSH support in a fork, it is a big hurdle, and not having it is a showstopper for many use cases. It would be great to have something in this repo, even if it's a combination of loose code and docs on how to get it working, or maybe a separate NuGet package, or something that only works on .NET Core or whatever. Just anything approachable.

julesbovet commented 5 years ago

I agree with @felixfbecker, we have to use a custom fork of LibGit2Sharp-SSH in our company and we don't have the time to properly maintain it and merge new features into our fork. It really is a pain for us and we'd find it much easier to have it supported by this project, even if it requires custom building steps. Please think about it :)

SaculRennorb commented 4 years ago

Quick question: did this ever get implemented?

I've been struggling for the past few days with building an ssh-enabled version, but never got it to work on platforms other than Windows. There are loads of different forks which probably worked one day but are wildly out of date. Not a single one currently even compiles without modification.

This would likely also help with #1727 since half of the 3rd parties revolve around the ssh support.

ghost commented 4 years ago

@ethomson Could you please provide an update on SSH implementation status? I see that this topic is largely ignored.

Maybe there is another maintained C# wrapper for libgit2 around that you could recommend instead?

Thanks!

InspiringCode commented 4 years ago

I would also need SSH support very much to be able to connect to AzureDevops, which doesn't support alternate credentials anymore. Is there any alternative lib? Or are there any plans to support this?

Kir-Antipov commented 4 years ago

I can't really get why there's still no SSH support... The whole library is kinda meaningless when we still need horrible constructions like this:

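// Shell out to the installed git client; await the Task so the caller waits for git to exit.
await Process.Start(new ProcessStartInfo
{
    WorkingDirectory = repository.Info.WorkingDirectory,
    FileName = "git",
    Arguments = "pull" // or "push"
}).WaitForExitAsync();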

to invoke push or pull without worrying about HTTP 401...

> we do not want to ship third-party crypto software in our packages

I don't think anyone here gives a single heck about one-two-ten third-party library(-ies) to make this work out-of-box ¯\\\_(ツ)\_/¯
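
The shell-out workaround from the comment above, written defensively, as an added example that is not part of the thread or of LibGit2Sharp. It assumes .NET 5 or later with `git` and OpenSSH on the PATH; `GitCli` and `RunAsync` are hypothetical names.

```csharp
using System;
using System.Diagnostics;
using System.Threading.Tasks;

// Added example: hypothetical helper, not a LibGit2Sharp API.
public static class GitCli
{
    // Runs "git pull" or "git push" with the system git and ssh, non-interactively.
    public static async Task<string> RunAsync(string workingDirectory, string verb, params string[] args)
    {
        // Allowlist the subcommand instead of passing caller text straight to git.
        if (verb != "pull" && verb != "push")
            throw new ArgumentException("only pull and push are allowed", nameof(verb));

        var psi = new ProcessStartInfo
        {
            FileName = "git",
            WorkingDirectory = workingDirectory,
            UseShellExecute = false,        // no shell, so no shell metacharacter expansion
            RedirectStandardOutput = true,
            RedirectStandardError = true,
        };
        psi.ArgumentList.Add(verb);
        foreach (var arg in args)
        {
            // A remote or branch name must never be parsed by git as an option.
            if (arg.StartsWith("-", StringComparison.Ordinal))
                throw new ArgumentException($"option-like argument rejected: {arg}", nameof(args));
            psi.ArgumentList.Add(arg);      // each item is quoted separately
        }

        // Fail instead of hanging on a credential or passphrase prompt.
        psi.Environment["GIT_TERMINAL_PROMPT"] = "0";
        // Refuse unknown or changed host keys; the host must already be in known_hosts.
        psi.Environment["GIT_SSH_COMMAND"] = "ssh -o BatchMode=yes -o StrictHostKeyChecking=yes";

        using var process = Process.Start(psi)
            ?? throw new InvalidOperationException("git could not be started");
        // Start both reads before waiting so a full pipe cannot block git.
        var stdout = process.StandardOutput.ReadToEndAsync();
        var stderr = process.StandardError.ReadToEndAsync();
        await process.WaitForExitAsync();

        if (process.ExitCode != 0)
            throw new InvalidOperationException($"git {verb} failed ({process.ExitCode}): {await stderr}");
        return await stdout;
    }
}
```

With this approach the SSH client and its security updates come from the operating system's packages rather than from a bundled native library.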

ghost commented 4 years ago

> I don't think anyone here gives a single heck about one-two-ten third-party library(-ies) to make this work out-of-box

While I understand your concern (and we're also struggling without SSH support), I think it has to do with the Export Control.

@ethomson Maybe the library authors could still introduce SSH support but disable it by default, letting people who are willing to fork the library to enable it and deal with the Export Control within their organisations?

ethomson commented 4 years ago

It's not related to export control, it's about who deals with the security releases. If there's a major security vulnerability in libssh2, who's doing the work to get a new version of LibGit2Sharp updated with that new libssh2, notifying users, etc?

There's nobody to do that work. In fact, there's already not enough people pushing LibGit2Sharp forward. But without a commitment to security, introducing SSH support means that libssh2's patched CVEs become our unpatched, exploitable CVEs.

ghost commented 4 years ago

Makes sense, especially since there's still no update to libgit2 v1.0 and the project is kinda abandoned in general 😞