Move to Mina SSHD backend prevents JSch clients from connecting

87 views
Skip to first unread message

George Joseph

unread,
Jun 7, 2021, 1:59:38 PM6/7/21
to Repo and Gerrit Discussion

I can't seem to create a new issue at https://bugs.chromium.org/p/gerrit/issues/list but here's the deal...

*************************************************************************
***       !!!! THIS BUG TRACKER IS FOR GERRIT CODE REVIEW !!!!
*** Do not submit bugs for chrome/android and issues with your company's
*** Gerrit setup here. Those issues belong in different issue trackers.
*************************************************************************

Affected Version: 3.4.0

What steps will reproduce the problem?
1. Attempt to access gerrit sshd using a JSch client.
2.
3.

What is the expected output?

[sshd-SshDaemon[61186191](port=22)-nio2-thread-4] jira a/1000185 LOGIN FROM x.x.x.x

What do you see instead?
From Wireshark..
Key Exchange Init from Gerrit with ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,diffie-hellman-group-exchange-sha256,diffie-hellman-group18-sha512,diffie-hellman-group17-sha512,diffie-hellman-group16-sha512,diffie-hellman-group15-sha512,diffie-hellman-group14-sha256

Key Exchange Init from JSCH with diffie-hellman-group1-sha1,diffie-hellman-group-exchange-sha1

Disconnect from Gerrit
Disconnect from JSch

Please provide any additional information below.

We discovered this issue when, after upgrading to 3.4.0, our integration from Jira to Gerrit no longer retrieved any reviews.  The plugin we use is at https://github.com/MeetMe/jira-gerrit-plugin

Basically JSch clients are no longer supported.  This would have been fine with a little notice but the release notes for 3.4.0 just said...

"Deprecated JCraft JSch client library is replaced with MINA SSHD client library per default. There is still option to switch to using JCraft JSch client library. Support for JCraft JSch will be removed in the next gerrit release."

...without any mention of the implications.  Also, the option to switch back to JSch seems to be non-functional.  Setting ssh.clientImplementation to JSCH seems to do nothing and there's doesn't seem to be a similar option for sshd.

The documentation at https://gerrit-review.googlesource.com/Documentation/config-gerrit.html#sshd also seems to be incorrect in that it lists both diffie-hellman-group1-sha1 and diffie-hellman-group-exchange-sha1 as supported but attempting to use them results in...

 ERROR com.google.gerrit.sshd.SshDaemon : sshd.kex = diffie-hellman-group1-sha1 unsupported; only ecdh-sha2-nistp521, ecdh-sha2-nistp384, ecdh-sha2-nistp256, diffie-hellman-group-exchange-sha256, diffie-hellman-group18-sha512, diffie-hellman-group17-sha512, diffie-hellman-group16-sha512, diffie-hellman-group15-sha512, diffie-hellman-group14-sha256 is supported

David Ostrovsky

unread,
Jun 8, 2021, 12:45:31 AM6/8/21
to Repo and Gerrit Discussion
gjo...@sangoma.com schrieb am Montag, 7. Juni 2021 um 19:59:38 UTC+2:

I can't seem to create a new issue at https://bugs.chromium.org/p/gerrit/issues/list but here's the deal...


I've noticed your comment on this issue: [1] and wrote another issue: [2].
This CL should fix it: [3]. I added new configuration option to re-enabled
deprecated kex algorithms: sshd.enableDeprecatedKexAlgorithms = true

David Ostrovsky

unread,
Jun 8, 2021, 2:05:46 AM6/8/21
to Repo and Gerrit Discussion
David Ostrovsky schrieb am Dienstag, 8. Juni 2021 um 06:45:31 UTC+2:
gjo...@sangoma.com schrieb am Montag, 7. Juni 2021 um 19:59:38 UTC+2:

I can't seem to create a new issue at https://bugs.chromium.org/p/gerrit/issues/list but here's the deal...


I've noticed your comment on this issue: [1] and wrote another issue: [2].
This CL should fix it: [3]. I added new configuration option to re-enabled
deprecated kex algorithms: sshd.enableDeprecatedKexAlgorithms = true


I also mentioned this regression in 3.4 release notes: [4].

George Joseph

unread,
Jun 8, 2021, 4:11:22 PM6/8/21
to Repo and Gerrit Discussion
Thanks David!    I'll apply the patch and give a try in the next day or so.
Reply all
Reply to author
Forward
0 new messages