ssh connection using an ECDSA key fails on second attempt (auth failed) [message #1791164] Mon, 25 June 2018 12:00
Richard Birenheide
Messages: 9
Registered: July 2009
Junior Member
Connecting to github.com with an ECDSA key (256 bit) succeeds for the first attempt after Eclipse start but fails for subsequent attempts (message is "auth failed"). Restarting Eclipse shows consistent behavior.

The same works fine with an RSA key.

I am using Mars and Neon, both show the same behavior. Neon is on Egit 4.6.1.

What baffles me is that it works with ECDSA when connecting the first time but not on subsequent connects. It'd be nice to have support for ECDSA as RSA is on retreat. As well an equivalent to "ssh -v -T <server>" in Eclipse which shows the verbose output would help in such situations.

Cheers
Richard
Re: ssh connection using an ECDSA key fails on second attempt (auth failed) [message #1791200 is a reply to message #1791164] Mon, 25 June 2018 21:49
Thomas Wolf
Messages: 78
Registered: August 2016
Member
I recommend that you install EGit nightly. It works for sure in Neon, and it should work in Mars, too. EGit 4.6.1 is fairly old, and there have been many improvements since then, especially in ssh connection code. Be aware that since EGit 4.9, we do consider your ~/.ssh/config file; earlier versions didn't do so properly.

If the problem then persists:

First: what's in the error log? There should be a log entry with a stack trace there, which might help us figure out what goes on. Use global menu "Windows->Show Views" to open the error log view, then find the log entry, double-click it to get more information, and post the stack trace here.

Second, EGit nightly contains additional debug tracing for the ssh library used; those traces might help us to figure out what went wrong, too. To enable those traces, go to "Preferences->General->Tracing", check the "Enable tracing" checkbox and then under "Git" enable "org.eclipse.egit.core/debug" and "org.eclipse.egit.code/debug/core/jsch". Make sure the trace goes to a file. Then re-try the operation and post the resulting trace here.
Re: ssh connection using an ECDSA key fails on second attempt (auth failed) [message #1791222 is a reply to message #1791164] Tue, 26 June 2018 07:46
Richard Birenheide
Messages: 9
Registered: July 2009
Junior Member
I installed Oxygen for a clean test.

I have an ECDSA file saved as .ssh/id_ecdsa_github. When using the attached .ssh/config file, it works.

If I rename the config file, the problem described above is still there (works first time, fails subsequently) albeit the file name is given in the SSH2 preferences.

I tried to install EGit nightly, but this fails (see attached log). I switched on tracing (see trace) but logger "org.eclipse.egit.code/debug/core/jsch" does not exist for version 4.9x.
  • Attachment: trace.log
    (Size: 16.52KB, Downloaded 16 times)
  • Attachment: .log
    (Size: 4.68KB, Downloaded 19 times)
  • Attachment: config_old
    (Size: 0.09KB, Downloaded 21 times)
Re: ssh connection using an ECDSA key fails on second attempt (auth failed) [message #1791264 is a reply to message #1791164] Wed, 27 June 2018 08:27
Richard Birenheide
Messages: 9
Registered: July 2009
Junior Member
Today I was able to install Git nightly and switch on the trace. Please find the trace attached.

First (successful) connection attempt is logged at 10:21:51, second (failing) attempt at 10:22.35.
  • Attachment: trace.log
    (Size: 60.42KB, Downloaded 21 times)
Re: ssh connection using an ECDSA key fails on second attempt (auth failed) [message #1791289 is a reply to message #1791164] Wed, 27 June 2018 16:18
Thomas Wolf
Messages: 78
Registered: August 2016
Member
Yes, it is baffling that it works the first time but not on subsequent connections.

The "config_old" file you attached above specifies an RSA key (if the file name corresponds to the content...) Does it work with the config file if you specify the ECDSA key in the config file?

What is the value in the SSH2 preferences? Do you have only the ecdsa key there? And the file exists in the directory given by the "SSH2 home"?

Unfortunately the Jsch trace doesn't tell which key it used in the first and second publickey authentication attempt. Do you have the possibility of tracking the network traffic on your computer while the connection attempt is being made? It'll send a request of the form

<0x50>
<4 bytes, MSB first: length of user name>
<user name>
<0x00 0x00 0x00 0x0E>
"ssh-connection"
<0x00 0x00 0x00 0x09>
"publickey"
<0x01>
<4 bytes, MSB first: length of algorithm name>
<algorithm name>
...

That would at least tell which algorithm it used (RSA or ECDSA), so we may have some indication whether it used the right key at all.

Re: ssh connection using an ECDSA key fails on second attempt (auth failed) [message #1791316 is a reply to message #1791164] Thu, 28 June 2018 05:56
Richard Birenheide
Messages: 9
Registered: July 2009
Junior Member
Good catch! I presumably set it back to an RSA key for testing.

Alas, setting the config file to the ECDSA key shows exactly the same behavior as without the config file: success the first time, failing for all subsequent attempts.

Unfortunately network capture is prohibited by my employer.
Re: ssh connection using an ECDSA key fails on second attempt (auth failed) [message #1791405 is a reply to message #1791164] Thu, 28 June 2018 19:05
Thomas Wolf
Messages: 78
Registered: August 2016
Member
It's another bug in Jsch, the Java ssh implementation used by EGit/JGit. It re-uses the keys once read, but it has a bug in com.jcraft.jsch.jce.SignatureECDSA, where it clears the private key part. As a result the key can be used only once. When it later tries to re-use the same key instance again, authentication fails because the private key is all zeroes.

Unfortunately, there is no way we could fix this. :-(

One more reason to move to some other ssh implementation. See bug 520927.

Sorry, for now the upshot is: ECDSA or ed25519 just don't work.

Switching to another ssh implementation is a large effort, so don't hold your breath.

One thing you can try is to set the environment variable GIT_SSH to an external ssh executable. EGit should then use that instead of that broken Java ssh implementation.

[Updated on: Thu, 28 June 2018 19:23]
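Added example, not part of the thread and not JSch's code: a small Java model of the failure mode described in the post above, where a signer wipes the private key array it was handed and a cached identity therefore works exactly once. The class and method names (`KeyReuseDemo`, `sign`, `attempt`) are hypothetical; the only assumption is a JDK with the standard EC provider. The second loop pass shows the defensive form, which wipes its own copy of the key instead of the caller's array.

```java
import java.math.BigInteger;
import java.security.*;
import java.security.interfaces.ECPrivateKey;
import java.security.spec.*;
import java.util.Arrays;

// Hypothetical model of a cached ssh identity; this is not JSch code.
public class KeyReuseDemo {
    static ECParameterSpec params;
    static PublicKey pub;
    // Signs with the raw private scalar, then wipes the array it worked on.
    static byte[] sign(byte[] scalar, byte[] data, boolean wipeCallerArray) throws GeneralSecurityException {
        // Defect when true: d aliases the caller's cached key. Safe form: work on a private copy.
        byte[] d = wipeCallerArray ? scalar : scalar.clone();
        try {
            PrivateKey prv = KeyFactory.getInstance("EC").generatePrivate(
                    new ECPrivateKeySpec(new BigInteger(1, d), params));
            Signature s = Signature.getInstance("SHA256withECDSA");
            s.initSign(prv);
            s.update(data);
            return s.sign();
        } finally {
            Arrays.fill(d, (byte) 0); // zeroize key material after use
        }
    }
    // One "authentication attempt": sign constructed data and verify it as a server would.
    static boolean attempt(byte[] cachedScalar, boolean wipeCallerArray) {
        try {
            byte[] challenge = "constructed session data".getBytes();
            byte[] sig = sign(cachedScalar, challenge, wipeCallerArray);
            Signature v = Signature.getInstance("SHA256withECDSA");
            v.initVerify(pub);
            v.update(challenge);
            return v.verify(sig);
        } catch (Exception e) { // a zeroed scalar may also be rejected outright by the provider
            return false;
        }
    }
    public static void main(String[] args) throws Exception {
        KeyPairGenerator g = KeyPairGenerator.getInstance("EC");
        g.initialize(new ECGenParameterSpec("secp256r1"));
        KeyPair kp = g.generateKeyPair();
        params = ((ECPrivateKey) kp.getPrivate()).getParams();
        pub = kp.getPublic();
        for (boolean defect : new boolean[] {true, false}) {
            // The identity is read once and then reused for both attempts, as a client cache would do.
            byte[] cached = ((ECPrivateKey) kp.getPrivate()).getS().toByteArray();
            System.out.println("wipeCallerArray=" + defect + ": first=" + attempt(cached, defect) + ", second=" + attempt(cached, defect));
        }
    }
}
```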


Re: ssh connection using an ECDSA key fails on second attempt (auth failed) [message #1791416 is a reply to message #1791405] Fri, 29 June 2018 06:29
Richard Birenheide
Messages: 9
Registered: July 2009
Junior Member
Thanks for your effort!

Setting the environment variable did work. One can use the executable which comes with msysgit (Git for Windows): <path to msysgit>/usr/bin/ssh.exe. I assume on Windows most of the users have this installed. On Linux this is not a problem at all ;-).