19

Environment:

OS: Windows-10
Git Bash Version: 2.33.1
OpenSSH_8.8p1, OpenSSL 1.1.1l  24 Aug 2021
$ which ssh
 /usr/bin/ssh

SSH connection to Gerrit Error:-

$ ssh -p 29418 user@gerrit.example.com

Unable to negotiate with gerrit.example.com port 29418: no matching host key type found. Their offer: ssh-rsa,ssh-dss

In Git-2.32.0 ssh connection to gerrit works. Is there any restriction enabled in latest git version?

user4948798
  • 1,924
  • 4
  • 43
  • 89
  • It looks like the latest version of git is deprecating insecure algorithms and your Gerrit instance is unable to connect with more modern options – jessehouwing Oct 21 '21 at 06:25
  • This is not a problem with git. You have better chances to find a solution when you search for "ssh". – j6t Oct 21 '21 at 07:58

3 Answers3

38

Git For Windows 2.33.1 comes with OpenSSH 8.8 which disables RSA signatures using the SHA-1 hash algorithm by default.

For most users, this change should be invisible and there is no need to replace ssh-rsa keys.
OpenSSH has supported RFC8332 RSA/SHA-256/512 signatures since release 7.2 and existing ssh-rsa keys will automatically use the stronger algorithm where possible.

Incompatibility is more likely when connecting to older SSH implementations that have not been upgraded or have not closely tracked improvements in the SSH protocol.

For these cases, it may be necessary to selectively re-enable RSA/SHA1 to allow connection and/or user authentication via the HostkeyAlgorithms and PubkeyAcceptedAlgorithms options.
For example, the following stanza in ~/.ssh/config will enable RSA/SHA1 for host and user authentication for a single destination host:

Host old-host
   HostkeyAlgorithms +ssh-rsa
   PubkeyAcceptedAlgorithms +ssh-rsa

Note: Git for Windows 2.34.0 does not bring any new element/evolution on the SSH front.

Stefan Prodan (DX @weaveworks, creator of http://flagger.app and maintainer of http://fluxcd.io) mentions in this tweet:

GitHub has changed its host keys

If you're using @fluxcd please see here how to update the known hosts keys on your Kubernetes clusters.

Stefan refers to fluxcd/flux2 discussion 2097:

GitHub has changed its SSH host keys from RSA to ECDSA!

To fix the key mismatch error, you have two options:

  1. Update the known_hosts in the flux-system secret with the ecdsa-sha2-nistp25 value:

github.com ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBEmKSENjQEezOmxkZMy7opKgwFB9nkt5YRrYMjNuG5N87uRgg6CLrbo5wAdT/y6v0mKV0U2w0WZ2YB/++Tpockg=

  1. Or rotate the SSH keys with flux boostrap like so:
  • delete the deploy key secret from your cluster kubectl -n flux-system delete secret flux-system
  • rerun flux bootstrap github with the same arguments as before

Flux will generate the secret with ecdsa-sha2 SSH key and Host key

More details on fluxcd/source-controller#490

Note: since Jan. 2022, the GitHub SSH Host key are available through a metadata endpoint api.github.com/meta.
That includes the github.com ecdsa-sha2-nistp256 value.

VonC
  • 1,262,500
  • 529
  • 4,410
  • 5,250
  • `~/.ssh/config` method also doesn't work. Still same error persisting. Even in `Git Windows - 2.34.0` version also same issue. – user4948798 Nov 16 '21 at 10:33
  • Just for testing, would an older version of Git work better? (2.30 for instance?) – VonC Nov 16 '21 at 10:35
  • Yes until this `Git Client version for Windows -2.32.0` it is working fine. – user4948798 Nov 16 '21 at 10:38
  • @user4948798 Is it possible that it is using the wrong SSH? (Windows instead of Git packaged SSH: https://github.com/git-for-windows/build-extra/pull/367) – VonC Nov 16 '21 at 11:01
  • @user4948798 I believe I have found a possible solution: see my edited answer and update your client `~/.ssh/known_hosts` as detailed in said answer. – VonC Nov 16 '21 at 20:56
  • Additionally added `Port 29418` in the `~/.ssh/config` it is working. Thanks a lot. – user4948798 Nov 17 '21 at 06:12
  • @user4948798 Perfect, well done! – VonC Nov 17 '21 at 06:30
  • @VonC How did you get the value of ecdsa-sha2-nistp256? – Raulp Jan 25 '22 at 04:23
  • @Raulp https://github.blog/changelog/githubs-ssh-host-keys-are-now-published-in-the-api/ and https://api.github.com/meta – VonC Jan 25 '22 at 07:11
10

Facing the same problem. The solution is to add the following to ~/.ssh/config

HostkeyAlgorithms +ssh-rsa    
PubkeyAcceptedAlgorithms +ssh-rsa

Cannot have Host as in the accepted answer. Must be exactly as above. I guess each server may be configured in different ways and individual may have to experiment.

toddwz
  • 521
  • 4
  • 9
  • 1
    For git for Windows this lives in `%USERPROFILE%\.ssh\config` – QuiOui Sep 18 '22 at 22:42
  • I've confirmed this works on Git 2.39.1.windows.1. Both lines must be added to the top of .ssh/config as opposed to a host configuration. – rucamzu Jan 17 '23 at 21:59
  • This is not a good (long-term) solution since it weakens encryption. ["It is now possible to perform chosen-prefix attacks against the SHA-1 hash algorithm for less than USD$50K."](https://www.openssh.com/txt/release-8.2). The correct solution is to switch to a different signature algorithm. – balu Apr 13 '23 at 22:18
  • Works for me in my WSL2. – MadHatter Apr 14 '23 at 06:46
1

This thread was recommended to me as I was facing the same issue but was not using gerrit.

I tried using the answered solution but it didn't work for me.

So for anyone in the same situation, adding just the below line in ~/.ssh/config did resolve the issue for me.

HostkeyAlgorithms +ssh-rsa
Saurabh Misra
  • 491
  • 7
  • 14
  • This is not a good (long-term) solution since it weakens encryption. See my comment on toddwz's answer. – balu Apr 13 '23 at 22:18