  1. JBoss BRMS Platform
  2. RHBRMS-243

git ssh issues with ssh-dss


Details

    • Bug
    • Resolution: Done
    • Major
    • None
    • 6.2.0
    • Business Central
    • None

    Description

      Description of problem:
      Some systems are no longer using ssh-dss by default, which results in some issues like:

      Client side:
      "[lazarotti@mackoy-note git-test]$ git clone ssh://lazarotti@localhost:8001/gss-repo
      Cloning into 'gss-repo'...
      Unable to negotiate with 127.0.0.1: no matching host key type found. Their offer: ssh-dss
      fatal: Could not read from remote repository."

      Server side:
      14:58:31,856 WARN [org.apache.sshd.server.session.ServerSession] (sshd-SshServer[847507d]-nio2-thread-2) Exception caught: java.lang.IllegalStateException: Unable to negotiate key exchange for server host key algorithms (client: ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521-cert-v01@openssh.com,ssh-ed25519-cert-v01@openssh.com,ssh-rsa-cert-v01@openssh.com,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-ed25519,ssh-rsa / server: ssh-dss)
      at org.apache.sshd.common.session.AbstractSession.negotiate(AbstractSession.java:1109) [sshd-core-0.12.0.jar:0.12.0]
      at org.apache.sshd.common.session.AbstractSession.doHandleMessage(AbstractSession.java:357) [sshd-core-0.12.0.jar:0.12.0]
      at org.apache.sshd.common.session.AbstractSession.handleMessage(AbstractSession.java:295) [sshd-core-0.12.0.jar:0.12.0]

      ... while trying to clone a git repo from Business Central.
      As mentioned in https://issues.jboss.org/browse/ENTESB-4427, as a longer-term solution we should start considering moving away from ssh-dss, since according to http://www.openssh.com/legacy.html it's considered insecure, thus deprecated:

      > OpenSSH 7.0 and greater similarly disables the ssh-dss (DSA) public key algorithm. It too is weak and we recommend against its use.

      Version-Release number of selected component (if applicable):
      BRMS 6.2.0

      How reproducible:
      Always

      Steps to Reproduce:
      1. Try to clone a project repository using standard Fedora 23.
      I know it is not supported for BRMS 6.2.0, but it is how RHEL will work soon.

      Additional info:
      Also from ENTESB-4427:

      An immediate workaround is to alter the configuration of the ssh client to accept that security configuration:
      ssh -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no -o PreferredAuthentications=password -oHostKeyAlgorithms=+ssh-dss -l admin -p 8101 localhost

      or:

      Host localhost
      VerifyHostKeyDNS no
      StrictHostKeyChecking no
      HostKeyAlgorithms +ssh-dss
      UserKnownHostsFile /dev/null
      can be added to ~/.ssh/config for a global configuration.
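
Added example, not part of the original report or of Apache SSHD: a small Python check that parses the server-side negotiation warning shown above and reports when a server offers only deprecated host key types such as ssh-dss. The function names, the `DEPRECATED` set and the shortened sample log lines are assumptions constructed for illustration.

```python
import re

# Host key algorithms that OpenSSH 7.0+ no longer offers by default, per the
# openssh.com/legacy.html note quoted in the report. Extend per local policy.
DEPRECATED = {"ssh-dss"}

# Matches the Apache SSHD warning format shown in the server-side log above.
NEGOTIATION_FAILURE = re.compile(
    r"Unable to negotiate key exchange for server host key algorithms "
    r"\(client: (?P<client>[^/]+?) / server: (?P<server>[^)]+)\)"
)

def negotiate(client, server):
    """Simplified RFC 4253 section 7.1 rule: first algorithm on the client's
    list that the server also supports, else None (kex constraints ignored)."""
    return next((alg for alg in client if alg in server), None)

def analyze(line):
    """Return a finding dict for a negotiation-failure line, else None."""
    m = NEGOTIATION_FAILURE.search(line)
    if m is None:
        return None
    client = [a.strip() for a in m.group("client").split(",")]
    server = [a.strip() for a in m.group("server").split(",")]
    return {
        "negotiated": negotiate(client, server),
        "server_offers": server,
        "deprecated_offered": [a for a in server if a in DEPRECATED],
        "server_only_deprecated": all(a in DEPRECATED for a in server),
        "client_accepts_deprecated": any(a in DEPRECATED for a in client),
    }

# Constructed sample lines: the first is shortened from the log in this
# report, the second is an unrelated line to show that it is ignored.
SAMPLE_LOG = [
    "14:58:31,856 WARN [org.apache.sshd.server.session.ServerSession] "
    "Exception caught: java.lang.IllegalStateException: Unable to negotiate "
    "key exchange for server host key algorithms "
    "(client: ecdsa-sha2-nistp256,ssh-ed25519,ssh-rsa / server: ssh-dss)",
    "14:58:32,001 INFO [org.example.Other] unrelated message",
]

if __name__ == "__main__":
    for line in SAMPLE_LOG:
        finding = analyze(line)
        if finding:
            print(finding)
```

A finding with `server_only_deprecated` set identifies a server whose host key should be regenerated with a supported type, which removes the need for the client-side `HostKeyAlgorithms +ssh-dss` workaround.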

            People

              abakos@redhat.com Alexandre Bakos
              rhn-support-alazarot Alessandro Lazarotti
              Archiver:
              rhn-support-ceverson Clark Everson
              Jiří Locker Jiří Locker
              Jiří Locker Jiří Locker
              Justin Holmes (Inactive)
