SSH SHA-256 key not accepted #7600
Comments
|
Are you able to use the same key with your local Git client to access Git Hub? |
|
I think this may be the reason: https://github.blog/2021-09-01-improving-git-protocol-security-github/ |
|
We just went final brownout (January 11, 2022) and I am experiencing this same issue with SHA256 keys. Does the |
|
Switching to Ed25519 as per GitHub's recommendation worked for me. You can update existing repositories this way. ssh-keygen -t ed25519 -a 100 # Source: https://security.stackexchange.com/a/144044/29078Add cat ~/.ssh/id_ed25519 | base64 -w 0 && echo # copy outputkubectl get secrets -n argocd
kubectl edit -n argocd secret repo-<uid>Replace |
|
Thanks for the info but this didn't work for me with argocd for some reason. IDK why all the sudden it won't accept the same keys I've been using all month. |
|
I just got bit by this as well. Was using an After reading the above article, Argo is probably using an older git client which does not support SHA2 sigs (or it is not configured). As the above shows (and the article explains) moving away from I also had to disconnect all the instances that I had directly configured (the one's that were not using a credential template) Hope this helps. |
|
This just hit us as well. No updates made to the cluster today. I would love to know what triggered it. |
|
We are impacted as of 15 minutes ago... Changes in Github security policy again? EDIT: Generating a new
I don't know why the old key was blocked as it was SHA-256 and 4096 bits, it seems like Github deprecated a lot of other things like cipher suites and MAC types so it might have been something more obscure. |
|
the docs literally still tell users to generate RSA keys: yet we cannot connect with keys generated the same way. |
|
The problem is that the git client that Argo uses doesn't do sha2 signatures. Use an ed25519 key. |
|
I know this issue is still open but just to say that we had a similar problem where argocd and github wouldnt sync because of the key generation and this did work for us: |
|
We were using Terraform tls_private_key resource to help automate creation of deploy keys on our ArgoCD repositories, but unfortunately ed25519 support is still under development. In the meantime, we've reworked our Terraform module(s) to expect deploy keys to exist in our org's secrets store and regenerated them all using |
|
To be clear, this is an ArgoCD problem (or rather the SSH client ArgoCD is using), SSH RSA keys aren't signed with SHA-1 (that would be nonsensical), the error relates to SHA-1 being used during the handshake. SSH client should being using SHA-256 (aka https://datatracker.ietf.org/doc/html/rfc8332
Being more clean, the format of the RSA key isn't the problem. Switching to Ed25519 just forces the client to not use |
|
This issue might be related to golang/go#37278, specifically this comment. golang/crypto#211 might address this, but unknown when/if this will be merged... |
|
golang/crypto@6fad3dfc may have fixed this. Argo CD 2.7.x upgraded to |
If you are trying to resolve an environment-specific issue or have a one-off question about the edge case that does not require a feature then please consider asking a question in argocd slack channel.
Checklist:
argocd version.Describe the bug
I am trying to add a new repo to my argocd. Everytime i try i get the error "Unable to connect SSH repository: unknown error: ERROR: You're using an RSA key with SHA-1, which is no longer allowed. Please use a newer client or a different key type."
I also tried from cli and from gui and receiving the same error:
Also regenerated my key with type rsa-sha2-256: ssh-keygen -t rsa-sha2-256
To Reproduce
Expected behavior
Connected github repo
Screenshots
If applicable, add screenshots to help explain your problem.
Version
Logs
The text was updated successfully, but these errors were encountered: