martinvonz / jj

A Git-compatible VCS that is both simple and powerful
https://martinvonz.github.io/jj/
Apache License 2.0

Failing authentication while running any `jj git ...` command in an Azure DevOps project #3961

Open daynin opened 5 days ago

daynin commented 5 days ago

Description

Steps to Reproduce the Problem

  1. Create any repo in azure devops
  2. Generate any rsa key (compatible with azure devops)
  3. Clone project using git
  4. Init jj in the project
  5. Try to push any branch or do fetch

Expected Behavior

It works

Actual Behavior

Branch changes to push to origin:
  Add branch fix/35562 to 282e3b463fce
Error: remote: Public key authentication failed.
; class=Ssh (23); code=Eof (-20)
Hint: Jujutsu uses libssh2, which doesn't respect ~/.ssh/config. Does `ssh -F /dev/null` to the host work?

Specifications

martinvonz commented 5 days ago

Is `ssh -F /dev/null` able to connect to the host? Does `jj git push --debug` give any useful hints?

daynin commented 4 days ago

I'm not sure how to test it with `ssh -F /dev/null`, but here's the debug output:

2024-06-26T10:49:49.494984Z  INFO jj_cli::cli_util: debug logging enabled
2024-06-26T10:49:49.545369Z DEBUG run_command:cmd_git_fetch{args=FetchArgs { branch: [Glob(Pattern { original: "*", tokens: [AnySequence], is_recursive: false })], remotes: [], all_remotes: false }}:workspace_helper:maybe_snapshot:import_git_refs:import_head_commits: jj_lib::git_backend: import extra metadata entries heads_count=3
2024-06-26T10:49:49.592288Z DEBUG run_command:cmd_git_fetch{args=FetchArgs { branch: [Glob(Pattern { original: "*", tokens: [AnySequence], is_recursive: false })], remotes: [], all_remotes: false }}:fetch{remote_name="origin" branch_names=[Glob(Pattern { original: "*", tokens: [AnySequence], is_recursive: false })] git_settings=GitSettings { auto_local_branch: false, abandon_unreachable_commits: true }}: jj_lib::git: remote.download
2024-06-26T10:49:50.056636Z  INFO run_command:cmd_git_fetch{args=FetchArgs { branch: [Glob(Pattern { original: "*", tokens: [AnySequence], is_recursive: false })], remotes: [], all_remotes: false }}:fetch{remote_name="origin" branch_names=[Glob(Pattern { original: "*", tokens: [AnySequence], is_recursive: false })] git_settings=GitSettings { auto_local_branch: false, abandon_unreachable_commits: true }}: jj_lib::git: trying ssh_key_from_agent username="git"
Error: remote: Public key authentication failed.
; class=Ssh (23); code=Eof (-20)
Hint: Jujutsu uses libssh2, which doesn't respect ~/.ssh/config. Does `ssh -F /dev/null` to the host work?

I don't have a config file for ssh, so I'm not sure it can affect it somehow. I see that it tries to use a key of "git" user from ssh-agent. Maybe jj doesn't have some rights (I installed it via nix)?

daynin commented 4 days ago

I tried to install it from cargo. Looks like it has the same error so it's not because of nix

martinvonz commented 4 days ago

> I'm not sure how to test it with `ssh -F /dev/null`,

For example, my remote is `git@github.com:martinvonz/jj.git` and I can test it with `ssh -F /dev/null git@github.com`. You can add `-vv` if you want more output.

daynin commented 4 days ago

Got it, thanks!

Here's the output:

OpenSSH_9.6p1, OpenSSL 3.2.1 30 Jan 2024
debug1: Reading configuration data /dev/null
debug2: resolving "ssh.dev.azure.com" port 22
debug1: Connecting to ssh.dev.azure.com [191.235.226.19] port 22.
debug1: Connection established.
debug1: identity file /home/sgolovin/.ssh/id_rsa type 0
debug1: identity file /home/sgolovin/.ssh/id_rsa-cert type -1
debug1: identity file /home/sgolovin/.ssh/id_ecdsa type -1
debug1: identity file /home/sgolovin/.ssh/id_ecdsa-cert type -1
debug1: identity file /home/sgolovin/.ssh/id_ecdsa_sk type -1
debug1: identity file /home/sgolovin/.ssh/id_ecdsa_sk-cert type -1
debug1: identity file /home/sgolovin/.ssh/id_ed25519 type -1
debug1: identity file /home/sgolovin/.ssh/id_ed25519-cert type -1
debug1: identity file /home/sgolovin/.ssh/id_ed25519_sk type -1
debug1: identity file /home/sgolovin/.ssh/id_ed25519_sk-cert type -1
debug1: identity file /home/sgolovin/.ssh/id_xmss type -1
debug1: identity file /home/sgolovin/.ssh/id_xmss-cert type -1
debug1: identity file /home/sgolovin/.ssh/id_dsa type -1
debug1: identity file /home/sgolovin/.ssh/id_dsa-cert type -1
debug1: Local version string SSH-2.0-OpenSSH_9.6
debug1: Remote protocol version 2.0, remote software version SSHBlackbox.10
debug1: compat_banner: no match: SSHBlackbox.10
debug2: fd 3 setting O_NONBLOCK
debug1: Authenticating to ssh.dev.azure.com:22 as 'git'
debug1: load_hostkeys: fopen /home/sgolovin/.ssh/known_hosts2: No such file or directory
debug1: load_hostkeys: fopen /etc/ssh/ssh_known_hosts: No such file or directory
debug1: load_hostkeys: fopen /etc/ssh/ssh_known_hosts2: No such file or directory
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug2: local client KEXINIT proposal
debug2: KEX algorithms: sntrup761x25519-sha512@openssh.com,curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256,ext-info-c,kex-strict-c-v00@openssh.com
debug2: host key algorithms: rsa-sha2-512-cert-v01@openssh.com,rsa-sha2-256-cert-v01@openssh.com,rsa-sha2-512,rsa-sha2-256,ssh-ed25519-cert-v01@openssh.com,ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521-cert-v01@openssh.com,sk-ssh-ed25519-cert-v01@openssh.com,sk-ecdsa-sha2-nistp256-cert-v01@openssh.com,ssh-ed25519,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,sk-ssh-ed25519@openssh.com,sk-ecdsa-sha2-nistp256@openssh.com
debug2: ciphers ctos: chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com
debug2: ciphers stoc: chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com
debug2: MACs ctos: umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1
debug2: MACs stoc: umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1
debug2: compression ctos: none,zlib@openssh.com,zlib
debug2: compression stoc: none,zlib@openssh.com,zlib
debug2: languages ctos:
debug2: languages stoc:
debug2: first_kex_follows 0
debug2: reserved 0
debug2: peer server KEXINIT proposal
debug2: KEX algorithms: diffie-hellman-group1-sha1,diffie-hellman-group14-sha1,diffie-hellman-group-exchange-sha256
debug2: host key algorithms: ssh-rsa,rsa-sha2-256,rsa-sha2-512
debug2: ciphers ctos: aes256-cbc,aes192-cbc,aes128-cbc,aes128-ctr,aes256-ctr
debug2: ciphers stoc: aes256-cbc,aes192-cbc,aes128-cbc,aes128-ctr,aes256-ctr
debug2: MACs ctos: hmac-sha2-256,hmac-sha2-512
debug2: MACs stoc: hmac-sha2-256,hmac-sha2-512
debug2: compression ctos: none
debug2: compression stoc: none
debug2: languages ctos:
debug2: languages stoc:
debug2: first_kex_follows 0
debug2: reserved 0
debug1: kex: algorithm: diffie-hellman-group-exchange-sha256
debug1: kex: host key algorithm: rsa-sha2-512
debug1: kex: server->client cipher: aes128-ctr MAC: hmac-sha2-256 compression: none
debug1: kex: client->server cipher: aes128-ctr MAC: hmac-sha2-256 compression: none
debug1: kex: diffie-hellman-group-exchange-sha256 need=32 dh_need=32
debug1: kex: diffie-hellman-group-exchange-sha256 need=32 dh_need=32
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(2048<8192<8192) sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug1: SSH2_MSG_KEX_DH_GEX_GROUP received
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
debug1: SSH2_MSG_KEX_DH_GEX_REPLY received
debug1: Server host key: ssh-rsa SHA256:ohD8VZEXGWo6Ez8GSEJQ9WpafgLFsOfLOtGGQCQo6Og
debug1: load_hostkeys: fopen /home/sgolovin/.ssh/known_hosts2: No such file or directory
debug1: load_hostkeys: fopen /etc/ssh/ssh_known_hosts: No such file or directory
debug1: load_hostkeys: fopen /etc/ssh/ssh_known_hosts2: No such file or directory
debug1: Host 'ssh.dev.azure.com' is known and matches the RSA host key.
debug1: Found key in /home/sgolovin/.ssh/known_hosts:1
debug2: bits set: 977/2048
debug2: ssh_set_newkeys: mode 1
debug1: rekey out after 4294967296 blocks
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug2: ssh_set_newkeys: mode 0
debug1: rekey in after 4294967296 blocks
debug1: SSH2_MSG_EXT_INFO received
debug1: kex_ext_info_client_parse: server-sig-algs=<ssh-rsa,rsa-sha2-256,rsa-sha2-512>
debug2: service_accept: ssh-userauth
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: password,publickey
debug1: Next authentication method: publickey
debug1: get_agent_identities: bound agent to hostkey
debug1: get_agent_identities: agent returned 2 keys
debug1: Will attempt key: /home/sgolovin/.ssh/id_rsa RSA SHA256:yc5MSq/mFEs8buzHYrxDi0vJICE1NwiBVfzULD4lYa4 agent
debug1: Will attempt key: sergey.golovin@protonmail.com RSA SHA256:N6LsE8gUySGTdAc66upNn8SKD3yvZlvQDztikD34Jqw agent
debug1: Will attempt key: /home/sgolovin/.ssh/id_ecdsa
debug1: Will attempt key: /home/sgolovin/.ssh/id_ecdsa_sk
debug1: Will attempt key: /home/sgolovin/.ssh/id_ed25519
debug1: Will attempt key: /home/sgolovin/.ssh/id_ed25519_sk
debug1: Will attempt key: /home/sgolovin/.ssh/id_xmss
debug1: Will attempt key: /home/sgolovin/.ssh/id_dsa
debug2: pubkey_prepare: done
debug1: Offering public key: /home/sgolovin/.ssh/id_rsa RSA SHA256:yc5MSq/mFEs8buzHYrxDi0vJICE1NwiBVfzULD4lYa4 agent
debug2: we sent a publickey packet, wait for reply
debug1: Server accepts key: /home/sgolovin/.ssh/id_rsa RSA SHA256:yc5MSq/mFEs8buzHYrxDi0vJICE1NwiBVfzULD4lYa4 agent
Authenticated to ssh.dev.azure.com ([191.235.226.19]:22) using "publickey".
debug1: pkcs11_del_provider: called, provider_id = (null)
debug1: channel 0: new session [client-session] (inactive timeout: 0)
debug2: channel 0: send open
debug1: Entering interactive session.
debug1: pledge: filesystem
debug2: channel_input_open_confirmation: channel 0: callback start
debug2: fd 3 setting TCP_NODELAY
debug2: client_session2_setup: id 0
debug2: channel 0: request pty-req confirm 1
debug2: channel 0: request shell confirm 1
debug2: channel_input_open_confirmation: channel 0: callback done
debug2: channel 0: open confirm rwindow 65536 rmax 16384
debug2: channel_input_status_confirm: type 99 id 0
debug2: PTY allocation request accepted on channel 0
debug2: channel 0: rcvd ext data 39
debug2: channel_input_status_confirm: type 100 id 0
shell request failed on channel 0

daynin commented 4 days ago

And jj works perfectly with GitHub using the same keys

martinvonz commented 4 days ago

IIUC, this is resolved now (somehow), but feel free to reopen otherwise.

daynin commented 4 days ago

Sorry, but it didn't. It works for github, but doesn't work for azure

(looks like I can't reopen the issue)

martinvonz commented 3 days ago

Just to make sure, does `git clone <URL>` work where `jj git clone <URL>` does not work?

daynin commented 3 days ago

Yes, that's correct. But it's true only for azure repos, not for github ones

daynin commented 3 days ago

And one more thing. When I tried to clone a repo I got another error:

2024-06-27T13:52:22.063433Z  INFO jj_cli::cli_util: debug logging enabled
2024-06-27T13:52:22.064569Z  INFO run_command:build_index_segments_at_operation{operation=Operation { id: OperationId("00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000") }}: jj_lib::default_index::store: indexing commits reachable from historical heads maybe_parent_file=None heads_count=0
2024-06-27T13:52:22.064629Z  INFO run_command:build_index_segments_at_operation{operation=Operation { id: OperationId("00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000") }}: jj_lib::default_index::store: saved new index file index_file=ReadonlyIndexSegment { name: "945dbeaeaa7445dbea7fe55bb62f1530cba6528bb0a68ff2e0acdf3469081e97ec5b4da1e48fe43fa5f4df5eb2444b9dcdcc26d871364f708a08698da842edca", parent_file: None } commits_count=0
Fetching into new repo in "/home/sgolovin/Documents/projects/dbmAdmin"
2024-06-27T13:52:22.071722Z DEBUG run_command:fetch{remote_name="origin" branch_names=[Substring("")] git_settings=GitSettings { auto_local_branch: false, abandon_unreachable_commits: true }}: jj_lib::git: remote.download
2024-06-27T13:52:22.572859Z  INFO run_command:fetch{remote_name="origin" branch_names=[Substring("")] git_settings=GitSettings { auto_local_branch: false, abandon_unreachable_commits: true }}: jj_lib::git: trying ssh_key_from_agent username="git"
2024-06-27T13:52:22.609808Z  INFO run_command:fetch{remote_name="origin" branch_names=[Substring("")] git_settings=GitSettings { auto_local_branch: false, abandon_unreachable_commits: true }}:get_ssh_keys{_username="git"}: jj_cli::git_util: found ssh key path="/home/sgolovin/.ssh/id_rsa"
2024-06-27T13:52:22.609875Z  INFO run_command:fetch{remote_name="origin" branch_names=[Substring("")] git_settings=GitSettings { auto_local_branch: false, abandon_unreachable_commits: true }}: jj_lib::git: trying ssh_key username="git" path="/home/sgolovin/.ssh/id_rsa"
Error: remote: Command git-upload-pack: You’re using ssh-rsa that is about to be deprecated and your request has been blocked intentionally. Any SSH session using SSH-RSA is subject to brown out (failure during random time periods). Please use rsa-sha2-256 or rsa-sha2-512 instead. For more details see https://aka.ms/ado-ssh-rsa-deprecation.
remote: ERROR_SSH_UNSUPPORTED_CIPHER (7)
; class=Ssh (23); code=Eof (-20)
Hint: Jujutsu uses libssh2, which doesn't respect ~/.ssh/config. Does `ssh -F /dev/null` to the host work?

It says that I use ssh-rsa, but I'm sure I use rsa-sha2-512 because I generated it just for test cloning. I used the `ssh-keygen -t rsa-sha2-512` command to generate the key
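
An added example, not part of the thread and not jj or libssh2 code: the `ssh -vv` output and the server's error above both concern the RSA signature algorithm chosen at authentication time, which RFC 8332 names separately from the RSA key that is offered. The sketch below parses such output and models that choice against the server's `server-sig-algs` list; the sample log is constructed (placeholder path and fingerprint), and `parse_ssh_debug`, `pick_rsa_sig_alg` and `diagnose` are hypothetical helpers with a simplified fallback rule.

```python
import re

# Constructed sample modelled on the `ssh -vv` output in this thread
# (path and fingerprint are placeholders).
SAMPLE_LOG = """\
debug1: kex: host key algorithm: rsa-sha2-512
debug1: kex_ext_info_client_parse: server-sig-algs=<ssh-rsa,rsa-sha2-256,rsa-sha2-512>
debug1: Offering public key: /home/user/.ssh/id_rsa RSA SHA256:PLACEHOLDER agent
debug1: Server accepts key: /home/user/.ssh/id_rsa RSA SHA256:PLACEHOLDER agent
"""

# RSA signature algorithms, strongest first (RFC 8332 adds the two SHA-2 names).
RSA_SIG_PREFERENCE = ("rsa-sha2-512", "rsa-sha2-256", "ssh-rsa")


def parse_ssh_debug(log):
    """Pull the authentication-relevant facts out of `ssh -vv` output."""
    facts = {"hostkey_alg": None, "server_sig_algs": None, "offered": [], "accepted": []}
    for line in log.splitlines():
        if m := re.search(r"kex: host key algorithm: (\S+)", line):
            facts["hostkey_alg"] = m.group(1)
        elif m := re.search(r"server-sig-algs=<([^>]*)>", line):
            facts["server_sig_algs"] = m.group(1).split(",")
        elif m := re.search(r"Offering public key: (\S+) (\S+) ", line):
            facts["offered"].append((m.group(1), m.group(2)))
        elif m := re.search(r"Server accepts key: (\S+) (\S+) ", line):
            facts["accepted"].append((m.group(1), m.group(2)))
    return facts


def pick_rsa_sig_alg(server_sig_algs, client_supported):
    """Signature algorithm a client would use with an RSA key.

    The key file is the same in every case; only the hash used when
    signing the authentication request differs.
    """
    if server_sig_algs is None:
        # No server-sig-algs seen: this simplified model uses the legacy name.
        return "ssh-rsa"
    for alg in RSA_SIG_PREFERENCE:
        if alg in server_sig_algs and alg in client_supported:
            return alg
    return None


def diagnose(log, client_supported):
    """Summarise which RSA signature algorithm the given client would end up using."""
    facts = parse_ssh_debug(log)
    alg = pick_rsa_sig_alg(facts["server_sig_algs"], client_supported)
    rsa_offered = any(kind == "RSA" for _, kind in facts["offered"])
    return {"rsa_key_offered": rsa_offered, "signature_alg": alg,
            "sha1_signature": alg == "ssh-rsa"}
```

Calling `diagnose(SAMPLE_LOG, {"ssh-rsa"})` models a client that only implements the legacy algorithm: the same RSA key is offered, but the signature is `ssh-rsa`, which is the case the server's error message describes.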