Github.com RSA key with SHA-1 no longer allowed [message #1850814]
Thu, 17 March 2022 13:22
Alexander Gherschon Messages: 1 Registered: March 2022
Junior Member
Hello,
Since March 15th Github reinforced its ssh security, and since then I can't push into our Github remote repository (I can't link the article because I'm new here).
Now, the key we're using is RSA with SHA-256:
4096 SHA256:b5y-somestuff/blablablaRY mobile@company.com (RSA)
And the error I'm getting when trying to push something with jGit is the following:
> org.eclipse.jgit.api.errors.InvalidRemoteException: Invalid remote: origin
Cause: git@github.com:company/Project.git: ERROR: You're using an RSA key with SHA-1, which is no longer allowed. Please use a newer client or a different key type.
Please see <github-blog>/2021-09-01-improving-git-protocol-security-github/ for more information.
So why is it that jGit tries to use a SHA1 key (from where even) when we supply a valid key?
Here is how we define SshTransportConfigCallback:
import com.jcraft.jsch.JSch
import com.jcraft.jsch.Session
import org.eclipse.jgit.api.TransportConfigCallback
import org.eclipse.jgit.transport.JschConfigSessionFactory
import org.eclipse.jgit.transport.OpenSshConfig
import org.eclipse.jgit.transport.SshTransport
import org.eclipse.jgit.transport.Transport
import org.eclipse.jgit.util.FS
import org.gradle.api.Project
import java.io.File

class SshTransportConfigCallback(val project: Project) : TransportConfigCallback {
    override fun configure(transport: Transport?) {
        val sshTransport = transport as? SshTransport
        sshTransport?.sshSessionFactory = object : JschConfigSessionFactory() {
            override fun configure(hc: OpenSshConfig.Host?, session: Session?) {
                session?.setConfig("StrictHostKeyChecking", "no") // doesn't change anything
                session?.setConfig("server_host_key", "ecdsa-sha2-nistp256") // doesn't change anything
            }

            override fun createDefaultJSch(fs: FS?): JSch {
                val jSch = super.createDefaultJSch(fs)
                // Private key: the CI (Bitrise) key if present, otherwise the local developer key
                val pathBitriseSshKey = "/root/.ssh/bitrise_step_activate_ssh_key"
                if (File(pathBitriseSshKey).exists()) {
                    jSch.addIdentity(pathBitriseSshKey)
                } else {
                    val userHome = System.getProperty("user.home", project.gradle.gradleUserHomeDir.parent)
                    val localPrivateKey = "${userHome}/.ssh/our_valid_rsa_sha256_key"
                    jSch.addIdentity(localPrivateKey)
                }
                // known_hosts: same CI-first lookup
                val pathBitriseKnownHosts = "/root/.ssh/known_hosts"
                if (File(pathBitriseKnownHosts).exists()) {
                    jSch.setKnownHosts(pathBitriseKnownHosts)
                } else {
                    val userHome = System.getProperty("user.home", project.gradle.gradleUserHomeDir.parent)
                    val localKnownHosts = "${userHome}/.ssh/known_hosts"
                    jSch.setKnownHosts(localKnownHosts)
                }
                return jSch
            }
        }
    }
}
If we use git directly from our CI, we can push without any issue from bash, so what am I missing in the configuration of jGit?
Thank you in advance for your help!
Re: Github.com RSA key with SHA-1 no longer allowed [message #1850825 is a reply to message #1850814]
Thu, 17 March 2022 15:59
Thomas Wolf Messages: 521 Registered: August 2016
Senior Member
You're missing that JSch 0.1.55 does not support rsa-sha2-256 or rsa-sha2-512 signatures.
The JSch support in JGit (bundle org.eclipse.jgit.ssh.jsch) is basically end-of-life. It is no longer actively maintained. The JSch 0.1.55 it was originally done for is unmaintained, old, and buggy. You may try to use org.eclipse.jgit.ssh.jsch together with the JSch fork from https://github.com/mwiede/jsch, which should be a drop-in replacement for JSch 0.1.55, but the JGit team is not going to fix any bugs you might encounter.
The supported SSH support in JGit is based on Apache MINA sshd and can be found in bundle org.eclipse.jgit.ssh.apache.
(BTW: RSA keys are still RSA keys. There are no RSA-SHA1 or RSA-SHA256 keys. They're the same. The whole issue is just about a particular weak signature algorithm for RSA keys that was deprecated a while ago and finally disabled by default in OpenSSH. And obviously also on Github.)
[Updated on: Thu, 17 March 2022 16:19]

Re: Github.com RSA key with SHA-1 no longer allowed [message #1851614 is a reply to message #1851603]
Mon, 11 April 2022 09:29
Thomas Wolf Messages: 521 Registered: August 2016
Senior Member
Martin Braun wrote on Mon, 11 April 2022 00:54
> This issue essentially broke private repositories from GitHub when using gitRepository in gradle. I am unable to add my java dependency from a private repository, because gradle uses jGit.
Report a bug against gradle. If gradle still uses JSch with JGit it is using no longer supported JGit code.
Martin Braun wrote on Mon, 11 April 2022 00:54
> I also tried to bypass this issue by generating a SHA-256 RSA key by running: ssh-keygen -t rsa -b 4096 -E sha256 -m PEM
This just says that ssh-keygen should print a SHA-256 fingerprint of the key. As I wrote before, it doesn't change the key type.
Martin Braun wrote on Mon, 11 April 2022 00:54
> So essentially, GitHub removed RSA support altogether. The error is really misleading.
No, they didn't. They just disabled SHA-1 signatures. Which, of course, makes Github unusable with RSA keys if you're using an SSH client that knows only this signature algorithm for RSA keys. You have two possibilities:
- Upgrade the SSH client. Which in your case would mean to get gradle to either use JGit with that JSch fork (and support that combination themselves), or get gradle to modernize their JGit integration to use Apache MINA sshd. Or perhaps you can make gradle use that JSch fork by overriding some dependency yourself.
- Don't use an RSA key. Try an ECDSA key instead. (ECDSA 256; IIRC, JSch 0.1.55 has troubles with ECDSA 384 or 521 keys.)
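The first option, migrated to the Apache MINA sshd backend (bundle org.eclipse.jgit.ssh.apache) that the replies recommend, as an added example that is not code from this thread or from the JGit project. It mirrors the CI-first key lookup of the original callback and assumes JGit 5.8 or later (for SshdSessionFactoryBuilder) is on the build's classpath and that the private key has no passphrase, as in the original; because MINA sshd signs with rsa-sha2-256/rsa-sha2-512, the existing 4096-bit RSA key keeps working and host-key verification stays on.

```kotlin
import org.eclipse.jgit.api.TransportConfigCallback
import org.eclipse.jgit.transport.SshTransport
import org.eclipse.jgit.transport.Transport
import org.eclipse.jgit.transport.sshd.SshdSessionFactoryBuilder
import org.gradle.api.Project
import java.io.File
import java.nio.file.Path

// Replacement for the JSch-based callback in the question (hypothetical class name).
class ApacheSshTransportConfigCallback(private val project: Project) : TransportConfigCallback {

    // Same lookup order as the original: the CI key if it exists, otherwise the local key.
    private val bitriseKey = File("/root/.ssh/bitrise_step_activate_ssh_key")
    private val userHome: String =
        System.getProperty("user.home", project.gradle.gradleUserHomeDir.parent)

    // Directory whose known_hosts (and, if present, config) MINA sshd will read.
    private fun sshDirectory(): File =
        if (bitriseKey.exists()) bitriseKey.parentFile else File(userHome, ".ssh")

    // Offer exactly one identity instead of every id_* file found in the ssh directory.
    private fun identityFiles(sshDir: File): List<Path> =
        listOf(
            if (bitriseKey.exists()) bitriseKey.toPath()
            else sshDir.toPath().resolve("our_valid_rsa_sha256_key")
        )

    override fun configure(transport: Transport?) {
        val sshTransport = transport as? SshTransport ?: return
        val sshDir = sshDirectory()
        val factory = SshdSessionFactoryBuilder()
            .setHomeDirectory(sshDir.parentFile)
            .setSshDirectory(sshDir)
            .setDefaultIdentities { dir -> identityFiles(dir) }
            // Host keys are checked against sshDir/known_hosts by default; unlike the
            // original, StrictHostKeyChecking is not switched off here.
            .build(null) // null: no in-memory key cache
        sshTransport.sshSessionFactory = factory
    }
}
```

The key file itself is unchanged; only the client doing the signing is swapped, which is the whole point of the replies above.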