Github GitPullS3 issue - Failed to start SSH session: Unable to exchange encryption keys

[jderose9]

I believe that recent changes to github have broken the GitPull method.

The error received is:

Failed to start SSH session: Unable to exchange encryption keys: GitError
Traceback (most recent call last):
File "/var/task/lambda_function.py", line 158, in lambda_handler
repo = create_repo(repo_path, remote_url, creds)
File "/var/task/lambda_function.py", line 64, in create_repo
repo = clone_repository(remote_url, repo_path, callbacks=creds )
File "/var/task/pygit2/__init__.py", line 255, in clone_repository
check_error(err)
File "/var/task/pygit2/errors.py", line 64, in check_error
raise GitError(message)
GitError: Failed to start SSH session: Unable to exchange encryption keys

Here are the changes announced by github:
https://github.com/blog/2507-weak-cryptographic-standards-removed

After reading through a similar issue in another project, it seems that the lambda runtime provides version 1.4 of the libssh2 dependency, yet version 1.8 is required.

[ghost]

Did you solve this problem? Where should I change lambda code or else?

[fruiz7]

I am also getting this error

[jderose9]

@zesow I resolved it by including binaries of git and ssh command line versions built for amazon linux in my lambda deployment and switching the GitPull lambda to use GitPython (rather than pygit2) which makes use of the binaries. My code's rather specific to my use case and doesn't support all the existing settings for this project though, so I was hoping someone would have a better solution that I could move to. Since the lambda runtime is what it is, there doesn't seem like a lot of great options though.

[crissupb]

I have just posted a Gist that you can use to rebuild the zip file https://gist.github.com/crissupb/939d43aff42f6108a5b7f21f3d1a37da.
I built this in a Docker container, but you could build this on an Amazon Linux EC2 instance as well. You just need to start with a directory that has the 2 Python script files ipadddress.py and lambda_function.py from the functions/source/GitPullS3 directory. I started Docker with this command docker run -v ~/repos/package:/working -it amazonlinux:latest. Then ran the build script. Once the build finished upload the new zip file and you should be good to go.

[jaymccon]

This should be resolved with the commit above, thanks a lot for defining cause and resolution @jderose9 and @crissupb

[Justin-DynamicD]

@crissupb I appreciate the work, but this did not work for me.

On first run I got an error that libgit2-0.26.0 was incompatible with pygit2, and after switching to libgit2-0.27.0 I was returned to the same "Failed to start SSH session: Unable to exchange encryption keys"

I tried building using the lambci image to be as "lambda compatible" as possible with:

docker run -it -v <path-to-scripts>:/working lambci/lambda:build-python2.7 bash

this builds ... but unfortunately the same result.

EDIT:
had to update pygit2 to version lock it then it worked:
pip install -t . pygit2==0.26.0

it was installing 0.27.0 by default which was breaking things.