Re: [jgit-dev] SSH RSA/DSA support broken on 5.0


On Aug 8, 2018, at 10:02, Duft Markus <Markus.Duft@xxxxxxxxxxxxxxxx> wrote:

Ah, I found the place where the signatures are set in the config. It’s at the top in JSch.java – nobody sets up ‘ssh-rsa’ and ‘ssh-dsa’ – instead it’s called ‘signature.rsa’ (…) – I don’t think it is valid to just copy HostKeyAlgorithms to CheckSignatures without any processing… Ideas?


This is a bug in JSch. ssh-rsa and ssh-dss are not bound to any algorithms. So if you specify HostKeyAlgorithms like that, JSch concludes none of the algorithms you specified to be used were available.

Copying the HostKeyAlgorithms over to CheckSignatures is valid. JGit checks all those from CheckSignatures and returns the ones not available. If those are all that you specified in HostKeyAlgorithms, JGit will conclude that none of the algorithms you specified were available and throw the exception. So even if we merged the HostKeyAlgorithms with the default CheckSignatures, JSch would still conclude that "ssh-rsa,ssh-dss" were unavailable and with HostKeyAlgorithms "ssh-rsa,ssh-dss" would give you the exception.

It worked before the change because we left the CheckSignatures alone. So JSch checked its three built-in algorithms (ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521) and returned an empty set of unavailable algorithms. It then *never checked at all* whether ssh-rsa or ssh-dss were available but happily continued. Later on in KeyExchange.verify() it would then use the algorithm "signature.rsa" for "ssh-rsa" and "signature.dss" for "ssh-dss".

The only fix I see is to define ssh-rsa and ssh-dss for JSch:

  JSch.setConfig("ssh-rsa", JSch.getConfig("signature.rsa"));
  JSch.setConfig("ssh-dss", JSch.getConfig("signature.dss"));

I really wish we used some other ssh library. :-(


Cheers,

  Thomas
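As an added illustration (not code from this thread, JGit or JSch), the snippet below reproduces the CheckSignatures probe loop Markus quoted, runs it over the HostKeyAlgorithms value from his .ssh/config, and then applies the two setConfig lines above to show the names resolving. It assumes the JSch jar on the classpath; the class name HostKeyAlgorithmCheck and the helper unavailable() are my own.

```java
import com.jcraft.jsch.JSch;
import com.jcraft.jsch.Signature;
import java.util.ArrayList;
import java.util.List;

/** Reproduces JSch's CheckSignatures probe and shows the ssh-rsa/ssh-dss binding fix. */
public class HostKeyAlgorithmCheck {

    /**
     * Mirrors the loop in Session.java: a name is "unavailable" when its config
     * entry does not resolve to a loadable, initialisable Signature class.
     * JSch.getConfig returns null for names that were never bound (such as
     * "ssh-rsa" out of the box), so Class.forName throws and the name is collected.
     */
    static List<String> unavailable(String commaSeparatedSigs) {
        List<String> missing = new ArrayList<>();
        for (String name : commaSeparatedSigs.split(",")) {
            try {
                String className = JSch.getConfig(name);
                Class<?> c = Class.forName(className);
                Signature sig = (Signature) c.getDeclaredConstructor().newInstance();
                sig.init();
            } catch (Exception e) {
                missing.add(name);
            }
        }
        return missing;
    }

    public static void main(String[] args) {
        // The HostKeyAlgorithms value from the .ssh/config in the report.
        String hostKeyAlgorithms = "ssh-rsa,ssh-dss";

        // Before the fix both names are unbound, so every configured algorithm is
        // reported unavailable: the condition behind
        // "There are not any available sig algorithm."
        System.out.println("unbound before fix: " + unavailable(hostKeyAlgorithms));

        // The fix proposed in the thread: alias the SSH wire names to the
        // signature implementations JSch already ships under signature.rsa/dss.
        JSch.setConfig("ssh-rsa", JSch.getConfig("signature.rsa"));
        JSch.setConfig("ssh-dss", JSch.getConfig("signature.dss"));

        System.out.println("unbound after fix: " + unavailable(hostKeyAlgorithms));
    }
}
```

Run this once before creating any Session; JSch.setConfig is static, so the aliases apply to every session the JVM opens afterwards.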

Cheers,
Markus
 
From: jgit-dev-bounces@xxxxxxxxxxx [mailto:jgit-dev-bounces@xxxxxxxxxxx] On Behalf Of Duft Markus
Sent: Wednesday, August 8, 2018 9:57 AM
To: JGit Developers list (jgit-dev@xxxxxxxxxxx) <jgit-dev@xxxxxxxxxxx>
Subject: [jgit-dev] SSH RSA/DSA support broken on 5.0
 
Hey,
 
Since this change https://git.eclipse.org/r/#/c/124251/2/org.eclipse.jgit/src/org/eclipse/jgit/transport/JschConfigSessionFactory.java SSH RSA and DSA support seems broken. We have a .ssh/config which looks like this:
 
    Protocol 2
    HostKeyAlgorithms ssh-rsa,ssh-dss
 
Trying to clone with JGit from our Gerrit gives:
 
[….]
Caused by: org.eclipse.jgit.errors.TransportException: ssh://git.ssi-schaefer.com:2501/products/wamas: There are not any available sig algorithm.
    at org.eclipse.jgit.transport.JschConfigSessionFactory.getSession(JschConfigSessionFactory.java:183)
    at org.eclipse.jgit.transport.SshTransport.getSession(SshTransport.java:140)
    at org.eclipse.jgit.transport.TransportGitSsh$SshFetchConnection.<init>(TransportGitSsh.java:280)
    at org.eclipse.jgit.transport.TransportGitSsh.openFetch(TransportGitSsh.java:170)
    at org.eclipse.jgit.transport.FetchProcess.executeImp(FetchProcess.java:137)
    at org.eclipse.jgit.transport.FetchProcess.execute(FetchProcess.java:123)
    at org.eclipse.jgit.transport.Transport.fetch(Transport.java:1271)
    at org.eclipse.jgit.api.FetchCommand.call(FetchCommand.java:243)
    ... 6 more
Caused by: com.jcraft.jsch.JSchException: There are not any available sig algorithm.
    at com.jcraft.jsch.Session.send_kexinit(Session.java:648)
    at com.jcraft.jsch.Session.connect(Session.java:307)
    at org.eclipse.jgit.transport.JschConfigSessionFactory.getSession(JschConfigSessionFactory.java:137)
    ... 13 more
 
I debugged this a little. It seems that since the above change, the “HostKeyAlgorithms” config is copied to the “CheckSignatures” config value in the session. Now Session.class (line 2561) has this code:
 
    java.util.Vector result=new java.util.Vector();
    String[] _sigs=Util.split(sigs, ",");
    for(int i=0; i<_sigs.length; i++){
      try{
        // look up the class name bound to this algorithm name in the JSch config
        Class c=Class.forName((String)jsch.getConfig(_sigs[i]));
        final Signature sig=(Signature)(c.newInstance());
        sig.init();
      }
      catch(Exception e){
        // unbound or unloadable names are collected as "unavailable"
        result.addElement(_sigs[i]);
      }
    }
 
As you can see, it tries to query a class name for all the given algorithms in CheckSignatures. This works (don’t know why) for instance for “jsch.getConfig("ecdsa-sha2-nistp256")” – which yields com.jcraft.jsch.jce.SignatureECDSA – but not for “ssh-rsa”, “rsa” or anything else I tried… Am I doing something wrong? Is there configuration I’m not aware of?
 
Cheers,
Markus
 
 
--
Mit freundlichen Grüßen / Best regards
 
Markus Duft | Software Architect
SSI SCHÄFER | SSI Schäfer IT Solutions GmbH | Friesachstraße 15 | 8114 Friesach bei Graz | Austria 
Phone +43 3127 200-575 | Fax +43 3127 200-22
 

SSI Schäfer IT Solutions GmbH | Friesachstrasse 15 | 8114 Friesach | Austria
Registered Office: Friesach | Commercial Register: 49324 K | VAT no. ATU28654300
Commercial Court: Landesgericht für Zivilrechtssachen Graz
