Re: [jgit-dev] JGit work with ecdsa-sha2-nistp256

On Mon, Aug 8, 2016 at 6:15 AM, Jack Yang <Jack.Yang@xxxxxxxxxxxxxx> wrote:

Hi,

My project depends on spring-cloud-config-server-1.1.2.RELEASE.jar and it is using JGit to load Spring config files from Git.

It works very well when the Git server is using ssh-rsa as cipher, but when the Git ssh cipher is ecdsa-sha2-nistp256, it always reports the error below:

[Request processing failed; nested exception is java.lang.IllegalStateException: Cannot clone or checkout repository] with root cause

com.jcraft.jsch.JSchException: UnknownHostKey: XXX.XXX.com. RSA key fingerprint is XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
         at com.jcraft.jsch.Session.checkHost(Session.java:786) ~[jsch-0.1.50.jar:na]
         at com.jcraft.jsch.Session.connect(Session.java:342) ~[jsch-0.1.50.jar:na]
         at org.eclipse.jgit.transport.JschConfigSessionFactory.getSession(JschConfigSessionFactory.java:116) ~[org.eclipse.jgit-3.5.3.201412180710-r.jar:3.5.3.201412180710-r]
         at org.eclipse.jgit.transport.SshTransport.getSession(SshTransport.java:136) ~[org.eclipse.jgit-3.5.3.201412180710-r.jar:3.5.3.201412180710-r]
         at org.eclipse.jgit.transport.TransportGitSsh$SshFetchConnection.<init>(TransportGitSsh.java:262) ~[org.eclipse.jgit-3.5.3.201412180710-r.jar:3.5.3.201412180710-r]
         at org.eclipse.jgit.transport.TransportGitSsh.openFetch(TransportGitSsh.java:161) ~[org.eclipse.jgit-3.5.3.201412180710-r.jar:3.5.3.201412180710-r]
         at org.eclipse.jgit.transport.FetchProcess.executeImp(FetchProcess.java:136) ~[org.eclipse.jgit-3.5.3.201412180710-r.jar:3.5.3.201412180710-r]
         at org.eclipse.jgit.transport.FetchProcess.execute(FetchProcess.java:122) ~[org.eclipse.jgit-3.5.3.201412180710-r.jar:3.5.3.201412180710-r]
         at org.eclipse.jgit.transport.Transport.fetch(Transport.java:1115) ~[org.eclipse.jgit-3.5.3.201412180710-r.jar:3.5.3.201412180710-r]
         at org.eclipse.jgit.api.FetchCommand.call(FetchCommand.java:130) ~[org.eclipse.jgit-3.5.3.201412180710-r.jar:3.5.3.201412180710-r]
         at org.eclipse.jgit.api.CloneCommand.fetch(CloneCommand.java:178) ~[org.eclipse.jgit-3.5.3.201412180710-r.jar:3.5.3.201412180710-r]
         at org.eclipse.jgit.api.CloneCommand.call(CloneCommand.java:125) ~[org.eclipse.jgit-3.5.3.201412180710-r.jar:3.5.3.201412180710-r]
         at org.springframework.cloud.config.server.environment.JGitEnvironmentRepository.cloneToBasedir(JGitEnvironmentRepository.java:282) ~[spring-cloud-config-server-1.1.2.RELEASE.jar:1.1.2.RELEASE]

I truly have the right host config in known_hosts as below and it has been verified by Git client,

XXX.XXX.com ecdsa-sha2-nistp256 XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX

After some research about Jsch, I found that the default cipher for Jsch is ssh-rsa if none is specified. And I am not able to find the right code to load the host cipher in https://github.com/eclipse/jgit/blob/master/org.eclipse.jgit/src/org/eclipse/jgit/transport/OpenSshConfig.java

Would you give me some suggestion on whether I am wrong or JGit needs a patch?


You are using jsch 0.1.50. According to the jsch change log [1], this cipher was implemented in jsch 0.1.52.
So you need to use at least this version; the latest version is 0.1.53.

Regarding ssh configuration we should probably get rid of our own OpenSshConfig class
and instead rely on jsch's OpenSSHConfig which improved a lot since we introduced our
own config class [2].


-Matthias 
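
Added example (not part of the original thread, and not JGit or JSch code): a small known_hosts checker that tells "host not pinned at all" apart from "host pinned only with key types the client cannot negotiate", which is the situation in the trace above (RSA key offered, ECDSA entry pinned). The host names, the placeholder key blobs, the function names and the LEGACY_CLIENT algorithm list are assumptions made for the illustration.

```python
import base64, hashlib, hmac, re

def _covers(field, name):
    """True if a known_hosts host field (hashed or pattern list) covers name."""
    if field.startswith("|1|"):                       # HashKnownHosts entry
        _, _, salt, digest = field.split("|")
        mac = hmac.new(base64.b64decode(salt), name.encode(), hashlib.sha1)
        return hmac.compare_digest(mac.digest(), base64.b64decode(digest))
    def glob(pat):                                    # only * and ? are special
        rx = re.escape(pat).replace(r"\*", ".*").replace(r"\?", ".")
        return re.fullmatch(rx, name) is not None
    pats = field.split(",")
    if any(p.startswith("!") and glob(p[1:]) for p in pats):
        return False                                  # a negated pattern wins
    return any(glob(p) for p in pats if not p.startswith("!"))

def key_types_for(text, host, port=22):
    """Key types of the usable known_hosts entries for host:port."""
    name = host.lower() if port == 22 else "[%s]:%d" % (host.lower(), port)
    types = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[0][0] in "#@":
            continue          # comments, blanks, @revoked / @cert-authority
        if _covers(parts[0], name):
            types.append(parts[1])
    return types

def diagnose(text, host, client_algos, port=22):
    """Return 'no-entry', 'type-mismatch' (pinned, but not for this client) or 'ok'."""
    known = key_types_for(text, host, port)
    if not known:
        return "no-entry"
    return "ok" if set(known) & set(client_algos) else "type-mismatch"

# Constructed sample data: hosts are examples, key blobs are placeholders.
_SALT = b"constructed-salt-20b"
_HASHED = "|1|%s|%s" % (
    base64.b64encode(_SALT).decode(),
    base64.b64encode(hmac.new(_SALT, b"hashed.example.com", hashlib.sha1).digest()).decode())
SAMPLE = "\n".join([
    "# constructed sample",
    "git.example.com ecdsa-sha2-nistp256 AAAA_PLACEHOLDER",
    "[build.example.com]:2222,*.lab.example.com ssh-rsa AAAA_PLACEHOLDER",
    _HASHED + " ssh-ed25519 AAAA_PLACEHOLDER",
    "@revoked git.example.com ssh-rsa AAAA_PLACEHOLDER",
])
LEGACY_CLIENT = ("ssh-rsa", "ssh-dss")  # assumption: a client with no ECDSA support
print(diagnose(SAMPLE, "git.example.com", LEGACY_CLIENT))  # type-mismatch
```

A "type-mismatch" result means the pin is present and the fix belongs on the client side (algorithm support), not in known_hosts; it is not a reason to relax host key checking.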