SSH connection to Gerrit version 3.4.1


Guy Levkowitz

Nov 24, 2021, 6:42:35 AM
to Repo and Gerrit Discussion
Hi,

We have upgraded our test server from Gerrit 3.3.3 to 3.4.1 and we have an issue with the SSH version when working with an old OpenSSH version. As I checked, when I try to SSH via OpenSSH_4.X.X and older I get the error "no kex alg" below:

Lnx50UsrCmp5 020% ssh -v -p 29418 gerrit-gpfs gerrit ls-projects
OpenSSH_4.3p2, OpenSSL 0.9.8b 04 May 2006
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Applying options for *
debug1: Connecting to gerrit-gpfs [192.168.121.82] port 29418.
debug1: Connection established.
debug1: identity file /u/guylevk/.ssh/identity type -1
debug1: identity file /u/guylevk/.ssh/id_rsa type 1
debug1: identity file /u/guylevk/.ssh/id_dsa type -1
debug1: loaded 3 keys
debug1: Remote protocol version 2.0, remote software version GerritCodeReview_3.4.1 (APACHE-SSHD-2.6.0)
debug1: no match: GerritCodeReview_3.4.1 (APACHE-SSHD-2.6.0)
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_4.3
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client aes128-cbc hmac-sha1 none
debug1: kex: client->server aes128-cbc hmac-sha1 none
no kex alg  


Unlike newer versions of OpenSSH, for example:
lnx70usrcmp 1001% ssh -v -p 29418 gerrit-gpfs gerrit ls-projects  | grep fw1
OpenSSH_6.6.1, OpenSSL 1.0.1e-fips 11 Feb 2013
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 56: Applying options for *
debug1: Connecting to gerrit-gpfs [192.168.121.82] port 29418.
debug1: Connection established.
debug1: identity file /u/guylevk/.ssh/id_rsa type 1
debug1: identity file /u/guylevk/.ssh/id_rsa-cert type -1
debug1: identity file /u/guylevk/.ssh/id_dsa type -1
debug1: identity file /u/guylevk/.ssh/id_dsa-cert type -1
debug1: identity file /u/guylevk/.ssh/id_ecdsa type -1
debug1: identity file /u/guylevk/.ssh/id_ecdsa-cert type -1
debug1: identity file /u/guylevk/.ssh/id_ed25519 type -1
debug1: identity file /u/guylevk/.ssh/id_ed25519-cert type -1
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_6.6.1
debug1: Remote protocol version 2.0, remote software version GerritCodeReview_3.4.1 (APACHE-SSHD-2.6.0)
debug1: no match: GerritCodeReview_3.4.1 (APACHE-SSHD-2.6.0)
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client aes128-ctr hmac-s...@openssh.com none
debug1: kex: client->server aes128-ctr hmac-s...@openssh.com none
debug1: kex: ecdh-sha2-nistp256 need=20 dh_need=20
debug1: kex: ecdh-sha2-nistp256 need=20 dh_need=20
debug1: sending SSH2_MSG_KEX_ECDH_INIT
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug1: Server host key: ECDSA dd:20:94:ac:c7:56:d3:24:a9:2e:0e:c9:c4:ef:e4:eb
debug1: Host '[gerrit-gpfs]:29418' is known and matches the ECDSA host key.
debug1: Found key in /u/guylevk/.ssh/known_hosts:29
debug1: ssh_ecdsa_verify: signature correct
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey
debug1: Next authentication method: publickey
debug1: Offering RSA public key: /u/guylevk/.ssh/id_rsa
debug1: Server accepts key: pkalg ssh-rsa blen 279
debug1: key_parse_private2: missing begin marker
debug1: read PEM private key done: type RSA
debug1: Authentication succeeded (publickey).
Authenticated to gerrit-gpfs ([192.168.121.82]:29418).
debug1: channel 0: new [client-session]
debug1: Entering interactive session.
debug1: Sending environment.
debug1: Sending env LANG = C
debug1: Sending command: gerrit ls-projects
fw_lx
fw_lww
debug1: client_input_channel_req: channel 0 rtype exit-status reply 0
debug1: channel 0: free: client-session, nchannels 1
debug1: fd 1 clearing O_NONBLOCK
Transferred: sent 3332, received 3064 bytes, in 1.6 seconds
Bytes per second: sent 2118.5, received 1948.1
debug1: Exit status 0


Is there any option that we can define in Gerrit to have backward compatibility?

I need your help with this one.

Thanks,

Guy

Luca Milanesio

Nov 24, 2021, 3:09:48 PM
to Repo and Gerrit Discussion, Luca Milanesio, Guy Levkowitz

On 24 Nov 2021, at 11:42, Guy Levkowitz <sil...@gmail.com> wrote:

Hi,

We have upgraded our test server from Gerrit 3.3.3 to 3.4.1 and we have an issue with the SSH version when working with an old OpenSSH version. As I checked, when I try to SSH via OpenSSH_4.X.X and older I get the error "no kex alg" below:

I believe that could be caused by an SSHD upgrade (see [1]).
Have you checked the Apache Mina SSHD release notes? (See [2]).

HTH

Luca.



Guy Levkowitz

Nov 25, 2021, 7:19:04 AM
to Repo and Gerrit Discussion
Is there any option for backward compatibility? I have tried:

sshd.backend

backend = MINA

but I still get the same error.
Is there any other option, rather than upgrading the OpenSSH version on our server?



On Wednesday, 24 November 2021 at 22:09:48 UTC+2, lucamilanesio wrote:

Thomas Wolf

Nov 26, 2021, 2:25:33 AM
to Repo and Gerrit Discussion
Try sshd.enableDeprecatedKexAlgorithms.[1] You don't see that on the Eclipse Gerrit because that runs 3.2.7, but 3.4.1 should have it.

Guy Levkowitz

Nov 30, 2021, 8:59:32 AM
to Repo and Gerrit Discussion

Hi,

I have added this line under the sshd section of gerrit.config:
enableDeprecatedKexAlgorithms = true

Now everything works fine.

It is strongly recommended to disable at least diffie-hellman-group1-sha1 as it's known to be vulnerable (logjam attack). Additionally, if your setup allows for it, it is recommended to disable the remaining two sha1 key exchange algorithms.

How can I disable specific deprecated kex algorithms in the gerrit.config file?

On Friday, 26 November 2021 at 09:25:33 UTC+2, Thomas Wolf wrote:

Thomas Wolf

Dec 1, 2021, 2:52:35 PM
to Repo and Gerrit Discussion
On Tuesday, November 30, 2021 at 2:59:32 PM UTC+1 sil...@gmail.com wrote:


It is strongly recommended to disable at least diffie-hellman-group1-sha1 as it's known to be vulnerable (logjam attack). Additionally, if your setup allows for it, it is recommended to disable the remaining two sha1 key exchange algorithms.

How can I disable specific deprecated kex algorithms in the gerrit.config file?

Presumably with the sshd.kex setting, where that sentence comes from? Does kex = -diffie-hellman-group1-sha1 not work?

I suppose that section could be phrased better. The SHA-1 algorithms _are_ supported, but they are disabled by default. Once they're enabled, I would expect that you can use sshd.kex to disable more selectively.

Cheers,

  Thomas
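Whichever combination of sshd.enableDeprecatedKexAlgorithms and sshd.kex you settle on, the thing worth checking afterwards is what the server actually puts in its KEXINIT, because that offer list is the only input an old client has. The script below is an added example (my own, not code from the Gerrit project, Apache MINA SSHD or anyone in this thread): it speaks just the unencrypted start of the SSH transport from RFC 4253, reads the server's KEXINIT the way the OpenSSH client does, lists the key-exchange methods on offer, flags the three SHA-1 ones, and reports what an OpenSSH 4.3-era client would negotiate. That client's offer list (SHA-1 methods only) is an assumption reconstructed from memory rather than captured; the host name gerrit-gpfs and port 29418 are taken from the thread; the server offer used in the offline branch and the test is constructed, not a real capture.

```python
# Added example: enumerate an SSH server's offered KEX methods and flag the SHA-1 ones.
# Speaks only the unencrypted start of the SSH transport (RFC 4253 version exchange
# and SSH_MSG_KEXINIT), so it needs no credentials and never completes a key exchange.
import socket
import struct
import sys

SSH_MSG_KEXINIT = 20
# The SHA-1 methods that Gerrit's sshd.enableDeprecatedKexAlgorithms re-enables;
# diffie-hellman-group1-sha1 is the one the docs single out (Logjam).
SHA1_KEX = {"diffie-hellman-group1-sha1", "diffie-hellman-group14-sha1",
            "diffie-hellman-group-exchange-sha1"}
# Assumed offer of an OpenSSH 4.3-era client: SHA-1 methods only (reconstructed, not captured).
OPENSSH43_KEX = ["diffie-hellman-group-exchange-sha1", "diffie-hellman-group14-sha1",
                 "diffie-hellman-group1-sha1"]
KEXINIT_FIELDS = ["kex_algorithms", "server_host_key_algorithms", "encryption_c2s",
                  "encryption_s2c", "mac_c2s", "mac_s2c", "compression_c2s",
                  "compression_s2c", "languages_c2s", "languages_s2c"]


def _name_list(names):
    data = ",".join(names).encode("ascii")
    return struct.pack("!I", len(data)) + data


def build_kexinit(kex, hostkey, enc, mac, comp=("none",), lang=()):
    """Build a binary packet carrying SSH_MSG_KEXINIT (RFC 4253 s.6, s.7.1).
    Used here to construct offline samples of what a server might send."""
    payload = bytes([SSH_MSG_KEXINIT]) + b"\x00" * 16  # message id + 16-byte cookie
    for names in (kex, hostkey, enc, enc, mac, mac, comp, comp, lang, lang):
        payload += _name_list(names)
    payload += b"\x00" + b"\x00\x00\x00\x00"  # first_kex_packet_follows, reserved
    padding_length = 8 - ((len(payload) + 5) % 8)  # whole packet a multiple of 8,
    if padding_length < 4:                          # and at least 4 bytes of padding
        padding_length += 8
    body = bytes([padding_length]) + payload + b"\x00" * padding_length
    return struct.pack("!I", len(body)) + body


def parse_kexinit(packet):
    """Parse a KEXINIT packet into its name-lists, keyed by RFC 4253 field name."""
    packet_length, padding_length = struct.unpack("!IB", packet[:5])
    payload = packet[5:5 + packet_length - padding_length - 1]
    if not payload or payload[0] != SSH_MSG_KEXINIT:
        raise ValueError("not an SSH_MSG_KEXINIT packet")
    pos, out = 17, {}  # skip message id and cookie
    for field in KEXINIT_FIELDS:
        (length,) = struct.unpack("!I", payload[pos:pos + 4])
        raw = payload[pos + 4:pos + 4 + length].decode("ascii")
        out[field] = raw.split(",") if raw else []
        pos += 4 + length
    out["first_kex_packet_follows"] = bool(payload[pos])
    return out


def negotiated_kex(client_kex, server_kex):
    """RFC 4253 s.7.1: first client-preferred method the server also lists, else None.
    None is exactly the "no kex alg" failure the OpenSSH 4.3 client printed."""
    return next((a for a in client_kex if a in server_kex), None)


def weak_kex(kexinit):
    """Server-offered KEX methods that depend on SHA-1, in the server's order."""
    return [a for a in kexinit["kex_algorithms"] if a in SHA1_KEX]


def probe(host, port=29418, timeout=5.0):
    """Live check: exchange version strings, read the server's KEXINIT, hang up."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(b"SSH-2.0-kexprobe\r\n")
        stream = sock.makefile("rb")
        line = stream.readline()
        while line and not line.startswith(b"SSH-"):  # skip pre-version banner lines
            line = stream.readline()
        header = stream.read(5)
        (packet_length,) = struct.unpack("!I", header[:4])
        packet = header + stream.read(packet_length - 1)
    return line.strip().decode("ascii", "replace"), parse_kexinit(packet)


if __name__ == "__main__":
    if len(sys.argv) > 1:  # e.g.: python kexprobe.py gerrit-gpfs 29418
        port = int(sys.argv[2]) if len(sys.argv) > 2 else 29418
        version, kexinit = probe(sys.argv[1], port)
    else:  # offline: constructed server offer with deprecated KEX on but group1 removed
        version, kexinit = "SSH-2.0-sample", parse_kexinit(build_kexinit(
            ["ecdh-sha2-nistp256", "diffie-hellman-group14-sha1",
             "diffie-hellman-group-exchange-sha1"],
            ["ecdsa-sha2-nistp256"], ["aes128-ctr"], ["hmac-sha2-256"]))
    print(version)
    print("offered kex:      ", ", ".join(kexinit["kex_algorithms"]))
    print("SHA-1 kex offered:", ", ".join(weak_kex(kexinit)) or "none")
    print("OpenSSH 4.3 would get:", negotiated_kex(OPENSSH43_KEX, kexinit["kex_algorithms"]))
```

Run it with no arguments to exercise the constructed sample, or as python kexprobe.py gerrit-gpfs 29418 against the live server. With enableDeprecatedKexAlgorithms = true and kex = -diffie-hellman-group1-sha1 in the [sshd] section you would expect the "SHA-1 kex offered" line to name the two remaining SHA-1 methods and omit group1; with the default configuration you would expect it to read "none" and the last line "None", which is the negotiation failure behind the "no kex alg" in the OpenSSH 4.3 log above. Because the probe stops before any key exchange, it is safe to run against production and shows up server-side only as a dropped connection.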