Eclipse Community Forums: EGit / JGit » ssh connection using an ECDSA key fails on second attempt (auth failed)

Help

Home

Home » Eclipse Projects » EGit / JGit » ssh connection using an ECDSA key fails on second attempt (auth failed)

Show: Today's Messages :: Show Polls :: Message Navigator

ssh connection using an ECDSA key fails on second attempt (auth failed) [message #1791164]

Mon, 25 June 2018 12:00

Richard Birenheide

Messages: 9
Registered: July 2009

Junior Member

Connecting to github.com with an ECDSA key (256 bit) succeeds for the first attempt after Eclipse start but fails for subsequent attempts (message is "auth failed"). Restarting Eclipse shows consistent behavior.

The same works fine with an RSA key.

I am using Mars and Neon, both show the same behavior. Neon is on Egit 4.6.1.

What baffles me is that it works with ECDSA when connecting the first time but not on subsequent connects. It'd be nice to have support for ECDSA as RSA is on retreat. As well an equivalent to "ssh -v -T <server>" in Eclipse which shows the verbose output would help in such situations.

Cheers
Richard

Report message to a moderator

Re: ssh connection using an ECDSA key fails on second attempt (auth failed) [message #1791200 is a reply to message #1791164]

Mon, 25 June 2018 21:49

Thomas Wolf

Messages: 576
Registered: August 2016

Senior Member

I recommend that you install EGit nightly. It works for sure in Neon, and it should work in Mars, too. EGit 4.6.1 is fairly old, and there have been many improvements since then, especially in ssh connection code. Be aware that since EGit4.9, we do consider your ~/.ssh/config file; earlier versions didn't do so properly.

If the problem then persists:

First: what's in the error log? There should be a log entry with a stack trace there, which might help us figure out what goes on. Use global menu "Windows->Show Views" to open the error log view, then find the log entry, double-click it to get more information, and post the stack trace here.

Second, EGit nightly contains additional debug tracing for the ssh library used; those traces might help us to figure out what went wrong, too. To enable those traces, go to "Preferences->General->Tracing", check the "Enable tracing" checkbox and then under "Git" enable "org.eclipse.egit.core/debug" and "org.eclipse.egit.code/debug/core/jsch". Make sure the trace goes to a file. Then re-try the operation and post the resulting trace here.

Report message to a moderator

Re: ssh connection using an ECDSA key fails on second attempt (auth failed) [message #1791222 is a reply to message #1791164]

Tue, 26 June 2018 07:46

Richard Birenheide

Messages: 9
Registered: July 2009

Junior Member

I installed Oxygen for a clean test.

I have an ECDSA file saved as .ssh/id_ecdsa_github. When using the attached .ssh/config file, it works.

If I rename the config file, the problem described above is still there (works first time, fails subsequently) albeit the file name is given in the SSH2 preferences.

I tried to install EGit nightly, but this fails (see attached log). I switched on tracing (see trace) but logger "org.eclipse.egit.code/debug/core/jsch" does not exist for version 4.9x.

Attachment: trace.log
(Size: 16.52KB, Downloaded 180 times)
Attachment: .log
(Size: 4.68KB, Downloaded 204 times)
Attachment: config_old
(Size: 0.09KB, Downloaded 215 times)

Report message to a moderator

Re: ssh connection using an ECDSA key fails on second attempt (auth failed) [message #1791264 is a reply to message #1791164]

Wed, 27 June 2018 08:27

Richard Birenheide

Messages: 9
Registered: July 2009

Junior Member

Today I was able to install Git nightly and switch on the trace. Please find the trace attached.

First (successful) connection attempt is logged at 10:21:51, second (failing) attempt at 10:22.35.

Attachment: trace.log
(Size: 60.42KB, Downloaded 219 times)

Report message to a moderator

Re: ssh connection using an ECDSA key fails on second attempt (auth failed) [message #1791289 is a reply to message #1791164]

Wed, 27 June 2018 16:18

Thomas Wolf

Messages: 576
Registered: August 2016

Senior Member

Yes, it is baffling that it works the first time but not on subsequent connections.

The "config_old" file you attached above specifies an RSA key (if the file name corresponds to the content...) Does it work with the config file if you specify the ECDSA key in the config file?

What is the value in the SSH2 preferences? Do you have only the ecdsa key there? And the file exists in the directory given by the "SSH2 home"?

Unfortunately the Jsch trace doesn't tell which key it used in the first and second publickey authentication attempt. Do you have the possibility of tracking the network traffic on your computer while the connection attempt is being made? It'll send a request of the form

<0x50>
<4 bytes, MSB first: length of user name>
<user name>
<0x00 0x00 0x00 0x0E>
"ssh-connection"
<0x00 0x00 0x00 0x09>
"publickey"
<0x01>
<4 bytes, MSB first: length of algorithm name>
<algorithm name>
...

That would at least tell which algorithm it used (RSA or ECDSA), so we may have some indication whether it used the right key at all.

Report message to a moderator

Re: ssh connection using an ECDSA key fails on second attempt (auth failed) [message #1791316 is a reply to message #1791164]

Thu, 28 June 2018 05:56

Richard Birenheide

Messages: 9
Registered: July 2009

Junior Member

Good catch! I presumably set it back to an RSA key for testing.

Alas, setting the cvonfig file to the ECDSA key shows exactly the same behavior as without the config file: success the first time, failing for all subsequent attempts.

Unfortunately network capture is prohibited by my employer.

Report message to a moderator

Re: ssh connection using an ECDSA key fails on second attempt (auth failed) [message #1791405 is a reply to message #1791164]

Thu, 28 June 2018 19:05

Thomas Wolf

Messages: 576
Registered: August 2016

Senior Member

It's another bug in Jsch, the Java ssh implementation used by EGit/JGit. It re-uses the keys once read, but it has a bug in com.jcraft.jsch.jce.SignatureECDSA, where it clears the private key part. As a result the key can be used only once. When it later tries to re-use the same key instance again, authentication fails because the private key is all zeroes.

Unfortunately, there is no way we could fix this. :-(

One more reason to move to some other ssh implementation. See bug 520927.

Sorry, for now the upshot is: ECDSA or ed25519 just don't work.

Switching to another ssh implementation is a large effort, so don't hold your breath.

One thing you can try is to set the environment variable GIT_SSH to an external ssh executable. EGit should then use that instead of that broken Java ssh implementation.

[Updated on: Thu, 28 June 2018 19:23]

Report message to a moderator

Re: ssh connection using an ECDSA key fails on second attempt (auth failed) [message #1791416 is a reply to message #1791405]

Fri, 29 June 2018 06:29

Richard Birenheide

Messages: 9
Registered: July 2009

Junior Member

Thanks for your effort!

Setting the environment variable did work. One can use the executable which comes with msysgit (Git for Windows): <path to msysgit>/usr/bin/ssh.exe. I assume on Windows most of the users have this installed. On Linux this is not a a problem at all ;-).

Report message to a moderator

Previous Topic:	How Can I ignore files when using ArchiveCommand
Next Topic:	How to use Git diff options

Goto Forum:

-=] Back to Top [=-

[ Syndicate this forum (XML) ] [

]

Current Time: Fri Apr 19 05:54:47 GMT 2024

.:: Contact :: Home ::.

Breadcrumbs

Sign up to our Newsletter