[git] pick ssh from $PATH instead of hardcoding our own (less featureful) one #58132

Open
a12l opened this issue Mar 22, 2019 · 12 comments

Comments

@a12l
Contributor

a12l commented Mar 22, 2019

Issue description

I can't clone a git repository hosted at GitLab using SSH. There isn't any problem downloading the repository over HTTPS or using git provided by Fedora's own repositories. The same problem occurs when trying to clone both public and private repos. The system is freshly installed. I've verified that SSH works by connecting to GitLab using the command ssh -T git@gitlab.com as described in their documentation[0].

When I try to clone the repository using Nix's git via SSH I get the following error message:

Cloning into 'emacs'...
Unsupported Match attribute final
/etc/ssh/ssh_config.d/05-redhat.conf line 3: Bad Match condition
fatal: Could not read from remote repository.

Please make sure you have the correct access rights
and the repository exists.

Content of /etc/ssh/ssh_config.d/05-redhat.conf:

# The options here are in the "Match final block" to be applied as the last
# options and could be potentially overwritten by the user configuration
Match final all
	# Follow system-wide Crypto Policy, if defined:
	Include /etc/crypto-policies/back-ends/openssh.config

	GSSAPIAuthentication yes

# If this option is set to yes then remote X11 clients will have full access
# to the original X11 display. As virtually no X11 client supports the untrusted
# mode correctly we set this to yes.
	ForwardX11Trusted yes

# Send locale-related environment variables
	SendEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
	SendEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
	SendEnv LC_IDENTIFICATION LC_ALL LANGUAGE
	SendEnv XMODIFIERS

# Uncomment this if you want to use .local domain
# Host *.local

Steps to reproduce

These steps mostly describe how I've set up my system. I don't know where in the chain the problem lies.

  1. Install Fedora 29 with Plasma.
  2. Install Nix with the command curl https://nixos.org/nix/install | sh.
  3. Install Git with nix-env -iA nixpkgs.git
  4. Try to clone a private repo from GitLab using the SSH URL.

Technical details

Please run nix-shell -p nix-info --run "nix-info -m" and paste the
results.

  • system: "x86_64-linux"

  • host os: Linux 4.20.16-200.fc29.x86_64, Fedora, 29 (Twenty Nine)

  • multi-user?: no

  • sandbox: yes

  • version: nix-env (Nix) 2.2.1

  • channels(user): "nixpkgs-19.09pre173147.03050e9749e"

  • nixpkgs: /home/user/.nix-defexpr/channels/nixpkgs

  • /usr/bin/git --version: git version 2.20.1

  • /nix/store/rsd4vlhc4qmmayjvflds303fy080v1sh-user-environment/bin/git --version: git version 2.19.2

[0] https://gitlab.com/help/ssh/README#testing-that-everything-is-set-up-correctly

@flokli
Contributor

flokli commented Apr 9, 2019

git calls ssh from nixpkgs:

https://github.com/NixOS/nixpkgs/blob/be1c03ddaf867e9a58499cd790d5cd72cffc6fca/pkgs/applications/version-management/git-and-tools/git/default.nix#L46..54

It might be the version of openssh passed in there doesn't support the match final syntax, I'm not sure.

Additionally, GSSAPI support is disabled by default; you'd have to override your git with openssh pointing to openssh_gssapi, which isn't really easy to do by just calling nix-env -iA in a non-NixOS environment.

You could try to point $GIT_SSH to your Fedora 29 ssh command (/usr/bin/ssh?), this should work.

@sigrlami

sigrlami commented Aug 7, 2019

Also reproducible on Fedora 30

@sigrlami

sigrlami commented Aug 7, 2019

@flokli I was able to track down this issue: it's because Fedora uses a newer version of ssh. Is there a way to override the ssh library used within nix? My $GIT_SSH is pointing to the right place, but on deploy it uses the nix-based binary with the system-wide config, which leads to an error.

@flokli
Contributor

flokli commented Aug 8, 2019

@sigrlami I'm not sure if I understand, but as long as GIT_SSH is set, git should use the fedora ssh executable instead of whatever ssh executable is shipped with nix.

What do you mean with "library"? git only shells out to ssh…

@stale

stale bot commented Jun 2, 2020

Thank you for your contributions.

This has been automatically marked as stale because it has had no activity for 180 days.

If this is still important to you, we ask that you leave a comment below. Your comment can be as simple as "still important to me". This lets people see that at least one person still cares about this. Someone will have to do this at most twice a year if there is no other activity.

Here are suggestions that might help resolve this more quickly:

  1. Search for maintainers and people that previously touched the related code and @ mention them in a comment.
  2. Ask on the NixOS Discourse.
  3. Ask on the #nixos channel on irc.freenode.net.

@stale stale bot added the 2.status: stale https://github.com/NixOS/nixpkgs/blob/master/.github/STALE-BOT.md label Jun 2, 2020
@a12l
Contributor Author

a12l commented Jul 24, 2020

I don't know if it's the same problem. But when I try to clone my GH fork of Nixpkgs with the command git clone git@github.com:inquisitiv3/nixpkgs.git I get the error message

Cloning into 'nixpkgs'...
/etc/crypto-policies/back-ends/openssh.config: line 3: Bad configuration option: gssapikexalgorithms
/etc/crypto-policies/back-ends/openssh.config: terminating, 1 bad configuration options
fatal: Could not read from remote repository.

Please make sure you have the correct access rights
and the repository exists.

I'm running a Fedora 32 system now.

@stale stale bot removed the 2.status: stale https://github.com/NixOS/nixpkgs/blob/master/.github/STALE-BOT.md label Jul 24, 2020
@stale

stale bot commented Jan 20, 2021

I marked this as stale due to inactivity. → More info

@stale stale bot added the 2.status: stale https://github.com/NixOS/nixpkgs/blob/master/.github/STALE-BOT.md label Jan 20, 2021
@flokli
Contributor

flokli commented Jan 21, 2021

@a12l what does which git and which ssh say on your system?

@stale stale bot removed the 2.status: stale https://github.com/NixOS/nixpkgs/blob/master/.github/STALE-BOT.md label Jan 21, 2021
@a12l
Contributor Author

a12l commented Jan 22, 2021

> @a12l what does which git and which ssh say on your system?

$ which git
/home/ao/.nix-profile/bin/git

$ which ssh
/usr/bin/ssh

I still got the problem on Fedora 33. Your suggestion to set $GIT_SSH to /usr/bin/ssh in ~/.bash_profile works great!

@flokli
Contributor

flokli commented Jan 22, 2021

Yeah, so the default ssh binary that git from nixpkgs uses has less features than the one shipped with other distributions (no GSSAPIAuthentication support for example).

We hardcode this to the nixpkgs-provided openssh in pkgs/applications/version-management/git-and-tools/git/./ssh-path.patch. We might want to extend this patch to first try to pick ssh from $PATH, and only then fall back to our fallback ssh - or not hardcode it at all, but just rely on all fetchers providing some ssh in $PATH.

This might play well together with @arianvp's plans to make openssh in the fetchers more minimal (#106858 (comment)) to make the build closure smaller.
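
Added example (not from the thread or from nixpkgs): a POSIX shell check that runs each candidate ssh client with -G, which only parses the configuration, and prints the first client that accepts this host's ssh_config so it can be exported as GIT_SSH. The function names, the script name pick-ssh.sh and the default candidate list are assumptions made for the example.

```shell
#!/bin/sh
# Added example: find an ssh client that can parse this host's ssh_config,
# so it can be handed to git through GIT_SSH (the workaround from this thread).

# ssh_parses_config SSH_BIN HOST
# "ssh -G" evaluates the configuration for HOST and prints it without
# connecting. A client that hits a keyword it does not know (for example
# "Match final" or gssapikexalgorithms, as in the errors above) exits non-zero.
ssh_parses_config() {
    [ -x "$1" ] || return 1
    "$1" -G "$2" >/dev/null 2>&1
}

# pick_working_ssh HOST CANDIDATE...
# Prints the first candidate that parses the configuration; returns 1 if none.
pick_working_ssh() {
    host=$1
    shift
    for candidate in "$@"; do
        if ssh_parses_config "$candidate" "$host"; then
            printf '%s\n' "$candidate"
            return 0
        fi
    done
    return 1
}

# Usage: sh pick-ssh.sh HOST [SSH_BIN...]
# With no SSH_BIN arguments the candidates are the ssh found in $PATH and
# /usr/bin/ssh (an assumption that matches the Fedora systems in this thread).
if [ "$#" -gt 0 ]; then
    target=$1
    shift
    [ "$#" -gt 0 ] || set -- "$(command -v ssh || echo /usr/bin/ssh)" /usr/bin/ssh
    if chosen=$(pick_working_ssh "$target" "$@"); then
        printf 'export GIT_SSH=%s\n' "$chosen"
    else
        printf 'no candidate ssh could parse the configuration for %s\n' "$target" >&2
        exit 1
    fi
fi
```

A client too old to understand -G also fails the check and is skipped, so the printed path is always one that both supports -G and accepts the system-wide configuration.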

@flokli flokli changed the title [git] Can't clone repositories [git] pick ssh from $PATH instead of hardcoding our own (less featureful) one Jan 22, 2021
@stale

stale bot commented Jul 22, 2021

I marked this as stale due to inactivity. → More info

@stale stale bot added the 2.status: stale https://github.com/NixOS/nixpkgs/blob/master/.github/STALE-BOT.md label Jul 22, 2021
lidopaglia added a commit to lidopaglia/dotfiles that referenced this issue Dec 8, 2021
falling back to system git (/usr/bin/git) as the nix version broke
pulling or pushing to remotes.

see: NixOS/nixpkgs#58132

I ran into the same issue as @a12l on Fedora 35.
@dalvescb

Is there a way to pick ssh from $PATH in a nix shell while still supplying openssh in the shell for dependency purposes?

@stale stale bot removed the 2.status: stale https://github.com/NixOS/nixpkgs/blob/master/.github/STALE-BOT.md label Nov 11, 2023
4 participants