ssh authentication errors


Paul Mena

May 10, 2022, 1:23:12 PM
to Repo and Gerrit Discussion

A new user is attempting to do a “git clone” of a remote repository but can only do so from a Debian session. Ubuntu sessions throw a login error, and these messages appear in the log:

 

[2022-05-10 12:47:59,377] WARN  com.google.gerrit.sshd.GerritServerSession : Exception caught

java.lang.IllegalStateException: Unable to negociate key exchange for kex algorithms (client: curve25519-sha256,curve255...@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256,ext-info-c / server: diffie-hellman-group14-sha1,diffie-hellman-group1-sha1)

 

Is there an appropriate git syntax to get past this ssh roadblock?

 

Thanks again!

 

Paul

 

Paul Mena

Senior Application Administrator

Woods Hole Oceanographic Institution

Matthias Sohn

May 10, 2022, 6:03:42 PM
to Paul Mena, Repo and Gerrit Discussion
On Tue, May 10, 2022 at 7:23 PM Paul Mena <pm...@whoi.edu> wrote:

A new user is attempting to do a “git clone” of a remote repository but can only do so from a Debian session. Ubuntu sessions throw a login error, and these messages appear in the log:

 

[2022-05-10 12:47:59,377] WARN  com.google.gerrit.sshd.GerritServerSession : Exception caught

java.lang.IllegalStateException: Unable to negociate key exchange for kex algorithms (client: curve25519-sha256,curve255...@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256,ext-info-c / server: diffie-hellman-group14-sha1,diffie-hellman-group1-sha1)

 

Is there an appropriate git syntax to get past this ssh roadblock?


use

$ ssh -p 29418 use...@gerrit.host -Q kex

to find out which kex algorithms your gerrit server version supports
 

Thanks again!

 

Paul

 

Paul Mena

Senior Application Administrator

Woods Hole Oceanographic Institution


Han-Wen Nienhuys

May 11, 2022, 4:27:10 AM
to Matthias Sohn, Paul Mena, Repo and Gerrit Discussion
On Wed, May 11, 2022 at 12:03 AM Matthias Sohn <matthi...@gmail.com> wrote:
On Tue, May 10, 2022 at 7:23 PM Paul Mena <pm...@whoi.edu> wrote:

A new user is attempting to do a “git clone” of a remote repository but can only do so from a Debian session. Ubuntu sessions throw a login error, and these messages appear in the log:

 

[2022-05-10 12:47:59,377] WARN  com.google.gerrit.sshd.GerritServerSession : Exception caught

java.lang.IllegalStateException: Unable to negociate key exchange for kex algorithms (client: curve25519-sha256,curve255...@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256,ext-info-c / server: diffie-hellman-group14-sha1,diffie-hellman-group1-sha1)

 

Is there an appropriate git syntax to get past this ssh roadblock?


use

$ ssh -p 29418 use...@gerrit.host -Q kex

to find out which kex algorithms your gerrit server version supports

it's right there in the debug output: 
 server: diffie-hellman-group14-sha1,diffie-hellman-group1-sha1)

 

OpenSSH has been fairly aggressive in deprecating algorithms. Two options: configure/recompile OpenSSH client to support the older kex, or upgrade Gerrit. I am not sure which version has the SSH upgrade that brings in newer algos though. Tweaking the client is probably less work, and if you're not on an NSA/CIA-level wanted list, the security should be fine.

--
Han-Wen Nienhuys - Google Munich
I work 80%. Don't expect answers from me on Fridays.
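
Added example, not part of the original posts: a small Python parser for the Gerrit log line quoted in this thread that applies the SSH key-exchange selection rule (first algorithm on the client's list that the server also lists) to show why negotiation fails and what changes if the client also offers an older kex. The function names are hypothetical; the log line is copied from the thread, truncation included.

```python
import re

# Log line as posted in the thread (the truncated "curve255...@libssh.org" is kept as-is).
LOG_LINE = (
    "java.lang.IllegalStateException: Unable to negociate key exchange for kex "
    "algorithms (client: curve25519-sha256,curve255...@libssh.org,"
    "ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,"
    "diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,"
    "diffie-hellman-group18-sha512,diffie-hellman-group14-sha256,ext-info-c"
    " / server: diffie-hellman-group14-sha1,diffie-hellman-group1-sha1)"
)

KEX_RE = re.compile(r"\(client: (?P<client>[^ ]+) / server: (?P<server>[^ )]+)\)")

# RFC 8308 extension-negotiation markers; they ride in the kex list but are not kex methods.
PSEUDO = {"ext-info-c", "ext-info-s"}


def parse_kex_failure(line):
    """Return (client_algs, server_algs) from a Gerrit kex negotiation failure line."""
    m = KEX_RE.search(line)
    if m is None:
        raise ValueError("not a kex negotiation failure line")

    def split(names):
        return [a for a in names.split(",") if a and a not in PSEUDO]

    return split(m["client"]), split(m["server"])


def negotiate(client, server):
    """First algorithm in the client's preference order that the server also lists."""
    offered = set(server)
    return next((a for a in client if a in offered), None)


def diagnose(line, client_extra=()):
    """Summarise the mismatch; client_extra simulates kex names added on the client."""
    client, server = parse_kex_failure(line)
    client = client + list(client_extra)
    return {
        "chosen": negotiate(client, server),
        "server_only": [a for a in server if a not in client],
        "server_sha1_only": all(a.endswith("-sha1") for a in server),
    }


if __name__ == "__main__":
    print(diagnose(LOG_LINE))
    print(diagnose(LOG_LINE, client_extra=["diffie-hellman-group14-sha1"]))
```
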

Antoine Musso

May 11, 2022, 5:54:40 AM
to Paul Mena, Repo and Gerrit Discussion
On 10/05/2022 at 19:22, Paul Mena wrote:

A new user is attempting to do a “git clone” of a remote repository but can only do so from a Debian session. Ubuntu sessions throw a login error, and these messages appear in the log:

 

[2022-05-10 12:47:59,377] WARN  com.google.gerrit.sshd.GerritServerSession : Exception caught

java.lang.IllegalStateException: Unable to negociate key exchange for kex algorithms (client: curve25519-sha256,curve255...@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256,ext-info-c / server: diffie-hellman-group14-sha1,diffie-hellman-group1-sha1)

Is there an appropriate git syntax to get past this ssh roadblock?

Hello,

OpenDev mentioned that with the OpenSSH that comes from Fedora and we have https://phabricator.wikimedia.org/T276486 . The workaround we have is to have the client use in their ~/.ssh/config:

Host gerrit.example.org
    PubkeyAcceptedKeyTypes +ssh-rsa


The issue for Gerrit is https://bugs.chromium.org/p/gerrit/issues/detail?id=13930 which has a fix named "Support ssh kex server-sig-algs for modern RSA clients" and an update of the SSH daemon.  Looks like the fixes will be released with Gerrit 3.6.


-- 
Antoine "hashar" Musso
Release Engineering