Github.com RSA key with SHA-1 no longer allowed [message #1850814]
Thu, 17 March 2022 09:22
Eclipse User
Hello,
Since March 15th Github reinforced its ssh security, and since then I can't push into our Github remote repository (I can't link the article because I'm new here).
Now, the key we're using is RSA with SHA-256:
4096 SHA256:b5y-somestuff/blablablaRY mobile@company.com (RSA)
And the error I'm getting when trying to push something with jGit is the following:
> org.eclipse.jgit.api.errors.InvalidRemoteException: Invalid remote: origin
Cause: git@github.com:company/Project.git: ERROR: You're using an RSA key with SHA-1, which is no longer allowed. Please use a newer client or a different key type.
Please see <github-blog>/2021-09-01-improving-git-protocol-security-github/ for more information.
So why is it that jGit tries to use a SHA-1 key (from where, even?) when we supply a valid key?
Here is how we define SshTransportConfigCallback:
    class SshTransportConfigCallback(val project: Project): TransportConfigCallback {
        override fun configure(transport: Transport?) {
            val sshTransport = transport as? SshTransport
            sshTransport?.sshSessionFactory = object: JschConfigSessionFactory() {
                override fun configure(hc: OpenSshConfig.Host?, session: Session?) {
                    session?.setConfig("StrictHostKeyChecking", "no") // doesn't change anything
                    session?.setConfig("server_host_key","ecdsa-sha2-nistp256") // doesn't change anything
                }
                override fun createDefaultJSch(fs: FS?): JSch {
                    val jSch = super.createDefaultJSch(fs)
                    // Private key: use the CI (Bitrise) key if it exists, otherwise the local one
                    val pathBitriseSshKey = "/root/.ssh/bitrise_step_activate_ssh_key"
                    if (File(pathBitriseSshKey).exists()) {
                        jSch.addIdentity(pathBitriseSshKey)
                    } else {
                        val userHome = System.getProperty("user.home", project.gradle.gradleUserHomeDir.parent)
                        val localPrivateKey = "${userHome}/.ssh/our_valid_rsa_sha256_key"
                        jSch.addIdentity(localPrivateKey)
                    }
                    // known_hosts: same selection, CI file first, then the local one
                    val pathBitriseKnownHosts = "/root/.ssh/known_hosts"
                    if (File(pathBitriseKnownHosts).exists()) {
                        jSch.setKnownHosts(pathBitriseKnownHosts)
                    } else {
                        val userHome = System.getProperty("user.home", project.gradle.gradleUserHomeDir.parent)
                        val localKnownHosts = "${userHome}/.ssh/known_hosts"
                        jSch.setKnownHosts(localKnownHosts)
                    }
                    return jSch
                }
            }
        }
    }
If we use git directly from our CI, we can push without any issue from bash, so what am I missing in the configuration of jGit?
Thank you in advance for your help!
Re: Github.com RSA key with SHA-1 no longer allowed [message #1851614 is a reply to message #1851603]
Mon, 11 April 2022 05:29
Eclipse User
Martin Braun wrote on Mon, 11 April 2022 00:54:
> This issue essentially broke private repositories from GitHub when using gitRepository in gradle. I am unable to add my java dependency from a private repository, because gradle uses jGit.
Report a bug against gradle. If gradle still uses JSch with JGit it is using no longer supported JGit code.
Martin Braun wrote on Mon, 11 April 2022 00:54:
> I also tried to bypass this issue by generating a SHA-256 RSA key by running: ssh-keygen -t rsa -b 4096 -E sha256 -m PEM
This just says that ssh-keygen should print a SHA-256 fingerprint of the key. As I wrote before, it doesn't change the key type.
Martin Braun wrote on Mon, 11 April 2022 00:54:
> So essentially, GitHub removed RSA support altogether. The error is really misleading.
No, they didn't. They just disabled SHA-1 signatures. Which, of course, makes Github unusable with RSA keys if you're using an SSH client that knows only this signature algorithm for RSA keys. You have two possibilities:
- Upgrade the SSH client. Which in your case would mean to get gradle to either use JGit with that JSch fork (and support that combination themselves), or get gradle to modernize their JGit integration to use Apache MINA sshd. Or perhaps you can make gradle use that JSch fork by overriding some dependency yourself.
- Don't use an RSA key. Try an ECDSA key instead. (ECDSA 256; IIRC, JSch 0.1.55 has troubles with ECDSA 384 or 521 keys.)
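The distinction drawn in this reply (key format, fingerprint hash chosen with -E, and the signature algorithm the client signs with) as an added Python example; it is not code from the thread, JGit or JSch. The key blobs are constructed placeholders, the two client capability lists are assumptions modelled on the reply's description, and SIG_ALGS follows RFC 4253, RFC 8332 and RFC 5656.

```python
import base64, hashlib, struct

# Signature algorithms that can be used with each public key format.
SIG_ALGS = {
    "ssh-rsa": ["rsa-sha2-512", "rsa-sha2-256", "ssh-rsa"],  # "ssh-rsa" signs with SHA-1
    "ecdsa-sha2-nistp256": ["ecdsa-sha2-nistp256"],
}

def ssh_string(data: bytes) -> bytes:
    return struct.pack(">I", len(data)) + data

def mpint(n: int) -> bytes:
    # Minimal big-endian encoding with a leading zero byte when the top bit is set.
    return ssh_string(n.to_bytes(n.bit_length() // 8 + 1, "big"))

def key_format(blob: bytes) -> str:
    """Key format name: the first length-prefixed string of a public key blob."""
    (length,) = struct.unpack(">I", blob[:4])
    return blob[4:4 + length].decode("ascii")

def fingerprint(blob: bytes, hash_name: str) -> str:
    """What `ssh-keygen -l -E <hash>` displays: a digest of the blob, nothing more."""
    digest = hashlib.new(hash_name, blob).digest()
    if hash_name == "md5":
        return "MD5:" + ":".join(f"{b:02x}" for b in digest)
    return hash_name.upper() + ":" + base64.b64encode(digest).decode().rstrip("=")

def usable_signature_algs(blob, client_algs, server_rejects=("ssh-rsa",)):
    """Algorithms both sides accept for this key; empty means authentication fails."""
    return [a for a in SIG_ALGS[key_format(blob)]
            if a in client_algs and a not in server_rejects]

# Constructed sample blobs (placeholder numbers, not real keys).
RSA_BLOB = ssh_string(b"ssh-rsa") + mpint(65537) + mpint((1 << 2047) | 0x1234567)
ECDSA_BLOB = (ssh_string(b"ecdsa-sha2-nistp256") + ssh_string(b"nistp256")
              + ssh_string(b"\x04" + bytes(64)))

# Assumed capability lists: a client that knows only SHA-1 for RSA, and a current one.
OLD_CLIENT = ["ssh-rsa", "ecdsa-sha2-nistp256"]
NEW_CLIENT = ["rsa-sha2-512", "rsa-sha2-256", "ssh-rsa", "ecdsa-sha2-nistp256"]

if __name__ == "__main__":
    # Same RSA blob, two fingerprint hashes: the key format stays "ssh-rsa".
    print(key_format(RSA_BLOB), fingerprint(RSA_BLOB, "sha256"), fingerprint(RSA_BLOB, "md5"))
    for name, client in (("old client", OLD_CLIENT), ("new client", NEW_CLIENT)):
        print(name, "RSA:", usable_signature_algs(RSA_BLOB, client),
              "ECDSA:", usable_signature_algs(ECDSA_BLOB, client))
```

An empty list for the old client with the RSA key corresponds to the rejection in the first post, while the same key with the newer client, or an ECDSA 256 key with either client, leaves a usable algorithm.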