Ah, I found the place where the signatures are set in the config. It’s at the top in JSch.java – nobody sets up ‘ssh-rsa’ and ‘ssh-dsa’ – instead it’s called ‘signature.rsa’ (…) – I don’t think it is valid to just copy HostKeyAlgorithms to CheckSignatures without any processing…
Ideas?
Cheers,
Markus
From: jgit-dev-bounces@xxxxxxxxxxx [mailto:jgit-dev-bounces@xxxxxxxxxxx] On Behalf Of Duft Markus
Sent: Wednesday, August 8, 2018 9:57 AM
To: JGit Developers list (jgit-dev@xxxxxxxxxxx) <jgit-dev@xxxxxxxxxxx>
Subject: [jgit-dev] SSH RSA/DSA support broken on 5.0
Hey,
Since this change
https://git.eclipse.org/r/#/c/124251/2/org.eclipse.jgit/src/org/eclipse/jgit/transport/JschConfigSessionFactory.java SSH RSA and DSA support seems broken. We have a .ssh/config which looks like this:
Host git.ssi-schaefer.com
Protocol 2
HostKeyAlgorithms ssh-rsa,ssh-dss
Trying to clone with JGit from our Gerrit gives:
[….]
Caused by: org.eclipse.jgit.errors.TransportException: ssh://git.ssi-schaefer.com:2501/products/wamas: There are not any available sig algorithm.
at org.eclipse.jgit.transport.JschConfigSessionFactory.getSession(JschConfigSessionFactory.java:183)
at org.eclipse.jgit.transport.SshTransport.getSession(SshTransport.java:140)
at org.eclipse.jgit.transport.TransportGitSsh$SshFetchConnection.<init>(TransportGitSsh.java:280)
at org.eclipse.jgit.transport.TransportGitSsh.openFetch(TransportGitSsh.java:170)
at org.eclipse.jgit.transport.FetchProcess.executeImp(FetchProcess.java:137)
at org.eclipse.jgit.transport.FetchProcess.execute(FetchProcess.java:123)
at org.eclipse.jgit.transport.Transport.fetch(Transport.java:1271)
at org.eclipse.jgit.api.FetchCommand.call(FetchCommand.java:243)
... 6 more
Caused by: com.jcraft.jsch.JSchException: There are not any available sig algorithm.
at com.jcraft.jsch.Session.send_kexinit(Session.java:648)
at com.jcraft.jsch.Session.connect(Session.java:307)
at org.eclipse.jgit.transport.JschConfigSessionFactory.getSession(JschConfigSessionFactory.java:137)
... 13 more
I debugged this a little. It seems that since the above change, “HostKeyAlgorithm” config is copied to “CheckSignatures” config value in the session. Now Session.class (line 2561) has this code:
    java.util.Vector result=new java.util.Vector();
    String[] _sigs=Util.split(sigs, ",");
    for(int i=0; i<_sigs.length; i++){
      try{
        Class c=Class.forName((String)jsch.getConfig(_sigs[i]));
        final Signature sig=(Signature)(c.newInstance());
        sig.init();
      }
      catch(Exception e){
        result.addElement(_sigs[i]);
      }
    }
As you can see it tries to query a class name for all the given algorithms in CheckSignatures. This works (don’t know why) for instance for “jsch.getConfig("ecdsa-sha2-nistp256")” – which yields com.jcraft.jsch.jce.SignatureECDSA – but not for “ssh-rsa”, “rsa” or anything else I tried… Am I doing something wrong? Is there configuration I’m not aware of?
Cheers,
Markus
--
Mit freundlichen Grüßen / Best regards
Markus Duft | Software Architect
SSI SCHÄFER | SSI Schäfer IT Solutions GmbH | Friesachstraße 15 | 8114 Friesach bei Graz | Austria
Phone +43 3127 200-575 | Fax +43 3127 200-22
markus.duft@xxxxxxxxxxxxxxxx
SSI Schäfer IT Solutions GmbH | Friesachstrasse 15 | 8114 Friesach | Austria
Registered Office: Friesach | Commercial Register: 49324 K | VAT no. ATU28654300
Commercial Court: Landesgericht für Zivilrechtssachen Graz
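
The lookup described in the thread above, as an added example (not code from JSch, JGit or either message): it mirrors the quoted loop against a constructed config table to show why every name from the HostKeyAlgorithms line ends up reported as unavailable. The table contents, the stand-in class name and the checkable() pre-processing step are assumptions for illustration, not the change JGit made.

```java
import java.util.ArrayList;
import java.util.HashMap;
import java.util.List;
import java.util.Map;

public class CheckSignaturesDemo {
    // Constructed stand-in for the JSch config table. Only the two keys named
    // in the thread are modelled; java.lang.Object replaces the JSch class
    // names so the example runs without JSch on the classpath.
    static final Map<String, String> CONFIG = new HashMap<>();
    static {
        CONFIG.put("signature.rsa", "java.lang.Object");
        CONFIG.put("ecdsa-sha2-nistp256", "java.lang.Object");
    }

    // Same shape as the quoted loop: a name whose class lookup throws for any
    // reason is reported as unavailable.
    static List<String> unavailable(String sigs) {
        List<String> result = new ArrayList<>();
        for (String name : sigs.split(",")) {
            if (name.isEmpty()) continue; // nothing to check for an empty list
            try {
                Class.forName(CONFIG.get(name)); // no entry -> null -> exception
            } catch (Exception e) {
                result.add(name);
            }
        }
        return result;
    }

    // Hypothetical pre-processing: pass a host key algorithm on to the check
    // only if its name is itself a config key, so that a missing table entry
    // is not mistaken for a missing algorithm.
    static String checkable(String hostKeyAlgorithms) {
        List<String> keep = new ArrayList<>();
        for (String name : hostKeyAlgorithms.split(",")) {
            String n = name.trim();
            if (CONFIG.containsKey(n)) keep.add(n);
        }
        return String.join(",", keep);
    }

    public static void main(String[] args) {
        String hostKeyAlgorithms = "ssh-rsa,ssh-dss"; // from the .ssh/config in the thread
        System.out.println("copied verbatim, unavailable: " + unavailable(hostKeyAlgorithms));
        System.out.println("after filtering, unavailable: " + unavailable(checkable(hostKeyAlgorithms)));
        System.out.println("mixed list, value to check:   " + checkable("ecdsa-sha2-nistp256,ssh-rsa"));
    }
}
```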