Git 2.33.1 breaks rsa/sha-1 negotiation over ssh #3468

Closed
1 task done
orgads opened this issue Oct 14, 2021 · 28 comments

Comments

@orgads

orgads commented Oct 14, 2021

  • I was not able to find an open or closed issue matching what I'm seeing

The release notes of openssh 8.8, which is shipped with this version, say:

This release disables RSA signatures using the SHA-1 hash algorithm by default. This change has been made as the SHA-1 hash algorithm is cryptographically broken, and it is possible to create chosen-prefix hash collisions for <USD$50K [1]

Our (internal) Git servers still use this algorithm, so we can not connect to any of them with this version of Git. This is the default key that is created by Gerrit, even on version 3.4, which is the latest stable (it was replaced and then reverted).

If you consider this upgrade necessary, please at least postpone it for a major release.

@dscho
Member

dscho commented Oct 14, 2021

postpone it for a major release.

I fear that this ship has sailed. v2.33.1 is already an official Git for Windows version.

BTW OpenSSH's release notes also have this to say:

[...] the following stanza in ~/.ssh/config will enable RSA/SHA1 for host and user authentication for a single destination host:

Host old-host
  HostkeyAlgorithms +ssh-rsa
  PubkeyAcceptedAlgorithms +ssh-rsa

@orgads
Author

orgads commented Oct 14, 2021

Thanks for the reference. I didn't notice it. Solved now.

I didn't mean that you "republish 2.33.1", it was more like a comment for next time that a breaking change is inserted.

@xiayitian1003

I'm in trouble similar to yours. The newest Git 2.33.1 throws an error:
Unable to negotiate with 10.150.98.110 port 29418: no matching host key type found. Their offer: ssh-rsa,ssh-dss fatal: Could not read from remote repository.
Then I uninstalled the 2.33.1 Git and reinstalled the 2.33.0.2 Git, and it's OK.
I'm a rookie to Git, I can't figure out why this worked, and it just solved my problem. LOL😂

@dscho
Member

dscho commented Oct 15, 2021

@xiayitian1003 you probably missed the solution:

Host old-host
  HostkeyAlgorithms +ssh-rsa
  PubkeyAcceptedAlgorithms

@alchemistmatt

alchemistmatt commented Oct 15, 2021

Specific example that I can confirm works as a workaround: create file C:\Users\LoginName\.ssh\config
with contents:

Host stash.company.org
  HostkeyAlgorithms +ssh-rsa
  PubkeyAcceptedAlgorithms +ssh-rsa

Update LoginName with your Windows login name, and update stash.company.org with your Stash (or Git, GitLab, Bitbucket, etc.) server name.

@alchemistmatt

I should add that although the above workaround does work for Stash, the better solution is to generate a new RSA key pair. For example:

cd %userprofile%\.ssh
mkdir OldKeys
move id* OldKeys
ssh-keygen -t ed25519 -C "youremail@mailserver.org"

Next, on your Stash website, under Manage Account, SSH Keys, add a new key using the contents of the id_ed25519.pub file.

@felfert

felfert commented Oct 18, 2021

I should add that although the above workaround does work for Stash, the better solution is to generate a new RSA key pair. For example:

cd %userprofile%\.ssh
mkdir OldKeys
move id* OldKeys
ssh-keygen -t ed25519 -C "youremail@mailserver.org"

Next, on your Stash website, under Manage Account, SSH Keys, add a new key using the contents of the id_ed25519.pub file.

That is wrong, IMHO. Your example updates the client keys, while the incompatibility is with host keys on the server side. The workaround in ~/.ssh/config just allows those server-side host keys to be accepted.

Apart from that: it would be nice if someone with git access could add a warning for this issue in the release notes. Not everybody follows all the release notes of included packages... just my 2c

@dscho
Member

dscho commented Oct 18, 2021

someone with git access

You can always open a PR to edit https://github.com/git-for-windows/build-extra/blob/master/ReleaseNotes.md.

@Eddy555

Eddy555 commented Oct 19, 2021

For extra info, I was struggling with the config file not working on Windows and Bitbucket.
The following page from Atlassian
https://community.atlassian.com/t5/Bitbucket-articles/OpenSSH-8-8-client-incompatibility-and-workaround/ba-p/1826047
pointed me to adding

Host stash.company.org
  HostkeyAlgorithms +ssh-rsa
  PubkeyAcceptedAlgorithms +ssh-rsa

to a different file in the Git install folder, which worked for me:
%PROGRAMFILES%\Git\etc\ssh\ssh_config

@orgads
Author

orgads commented Oct 19, 2021

That is wrong, IMHO. Your example updates the client keys, while the incompatibility is with host keys on the server side. The workaround in ~/.ssh/config just allows those server-side host keys to be accepted.

At least on my setup, the host keys were OK. Regenerating my client keys solved the issue for me.

@rimrul
Member

rimrul commented Oct 19, 2021

That is wrong, IMHO. Your example updates the client keys, while the incompatibility is with host keys on the server side. The workaround in ~/.ssh/config just allows those server-side host keys to be accepted.

The issue isn't really an issue of either side, but an incompatibility between the two sides.

  • Updating the server allows both sides to use RSA/SHA-256/512

  • Changing to a different key type allows both sides to switch to that encryption

  • Re-enabling RSA/SHA1 allows both sides to communicate in the old deprecated way.

All three are solutions, but the first two should be preferred for security reasons.

%PROGRAMFILES%\Git\etc\ssh\ssh_config

That works, but will be overwritten when updating or reinstalling Git for Windows.

@Eddy555

Eddy555 commented Oct 19, 2021

%PROGRAMFILES%\Git\etc\ssh\ssh_config

That works, but will be overwritten when updating or reinstalling Git for Windows.

Yeah, I'm just puzzling over this.....

@dscho
Member

dscho commented Oct 19, 2021

@Eddy555 why not put it into ~/.ssh/config, as suggested earlier?

@Eddy555

Eddy555 commented Oct 19, 2021

@Eddy555 why not put it into ~/.ssh/config, as suggested earlier?

It doesn't work for some reason, and I've not been able to figure out why. Putting it into the Git folder config file did work. Maybe because of the SSH program that's being used (Git\usr\bin)?

@dscho
Member

dscho commented Oct 19, 2021

It doesn't work for some reason

You can always figure out where ssh looks by calling ssh -v -v -v -v <host> directly.

@Eddy555

Eddy555 commented Oct 20, 2021

ssh -v -v -v -v <host> really helped, thanks.
I'm not clear why, but it does work with ~/.ssh/config; it does need the file to exist to use it (maybe I hadn't created the file in that folder properly), even if you try and specify this with the git config sshCommand setting. If the config file doesn't exist, it goes to the next config file it can find, i.e. the ssh_config installed under Git.

@dscho
Member

dscho commented Oct 20, 2021

it does work with ~/.ssh/config

Excellent.

@fcharlie

fcharlie commented Nov 2, 2021

As far as I know, many code hosting platforms use golang to develop their Git over SSH server (Gitea, Gogs, Gitee, CODING, Ant Code, CodeUp .....). Because golang x/crypto does not support the rsa-sha2-256/rsa-sha2-512 HostKey algorithms, and starting from OpenSSH 8.8 ssh-rsa has been disabled, users who originally used an RSA HostKey need to manually permit the RSA key or replace the RSA key, and the code hosting platform also needs to add other types of keys.

see: x/crypto/ssh: support RSA SHA-2 host key signatures

@heartacker

Unable to negotiate with 172.28.165.** port 22: no matching host key type found. Their offer: ssh-rsa,ssh-dss
fatal: Could not read from remote repository.

Please make sure you have the correct access rights
and the repository exists.

Can anybody help me?

@xiayitian1003 you probably missed the solution:

Host old-host
  HostkeyAlgorithms +ssh-rsa
  PubkeyAcceptedAlgorithms

I added this to the config file but it is not useful. Somebody help me please.

@dscho
Member

dscho commented Nov 3, 2021

i add this to config file but this is not useful. some body help me please

@heartacker you need to adjust old-host to the actual name of the host you are trying to connect to.

@heartacker

i add this to config file but this is not useful. some body help me please

@heartacker you need to adjust old-host to the actual name of the host you are trying to connect to.

Yes, I have changed old-host to the IP:

Host 172.28.165.105
	HostkeyAlgorithms +ssh-rsa
	PubkeyAcceptedAlgorithms

$ git push
/c/Users/ATC6194/.ssh/config line 3: no argument after keyword "pubkeyacceptedalgorithms"
/c/Users/ATC6194/.ssh/config: terminating, 1 bad configuration options
fatal: Could not read from remote repository.

Please make sure you have the correct access rights
and the repository exists.

@Eddy555

Eddy555 commented Nov 3, 2021

You appear to be missing the +ssh-rsa on PubkeyAcceptedAlgorithms:

Host stash.company.org
  HostkeyAlgorithms +ssh-rsa
  PubkeyAcceptedAlgorithms +ssh-rsa

@heartacker

heartacker commented Nov 3, 2021

You appear to be missing the +ssh-rsa on PubkeyAcceptedAlgorithms:

Host stash.company.org
  HostkeyAlgorithms +ssh-rsa
  PubkeyAcceptedAlgorithms +ssh-rsa

Thanks, it works.
file: ~/.ssh/config

Host xxx.xxx.xx.xxx
	HostkeyAlgorithms +ssh-rsa
	PubkeyAcceptedAlgorithms +ssh-rsa

@catteneo

The suggested change to ~/.ssh/config worked for the ssh connection,
but stopped working in VSCode while using Remote-SSH. I got the error:
Bad configuration option: pubkeyacceptedalgorithms

@rimrul
Member

rimrul commented Nov 10, 2021

Looks like that vscode extension is using an old version of OpenSSH (pre 8.5). You can probably use the old deprecated name of that config option: PubkeyAcceptedKeyTypes.

@catteneo

Looks like that vscode extension is using an old version of OpenSSH (pre 8.5). You can probably use the old deprecated name of that config option: PubkeyAcceptedKeyTypes.

Worked like a charm! Thanks
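The stanza passed around in this thread has three recurring pitfalls: the old-host placeholder left in place, a PubkeyAcceptedAlgorithms line with no argument (which makes ssh reject the whole file), and hosts where ssh-rsa is re-enabled and therefore still ride on RSA/SHA-1 until the server side is fixed. The following audit script is an added example, not code from the issue or from Git for Windows; the sample config it parses is constructed, and the host name modern.example.org is made up.

```python
"""Audit an OpenSSH client config for the ssh-rsa workaround stanza this thread
discusses. Added example, not code from the issue or Git for Windows; the
sample config below is constructed, not a real user's file."""
import re

# Constructed sample reproducing the thread's pitfalls.
SAMPLE_CONFIG = """\
Host old-host
  HostkeyAlgorithms +ssh-rsa
  PubkeyAcceptedAlgorithms
Host 172.28.165.105
  HostkeyAlgorithms +ssh-rsa
  PubkeyAcceptedAlgorithms +ssh-rsa
Host modern.example.org
  IdentityFile ~/.ssh/id_ed25519
"""

# Keywords taking an algorithm list; PubkeyAcceptedKeyTypes is the pre-8.5
# name of PubkeyAcceptedAlgorithms and is still accepted by newer clients.
ALGO_KEYWORDS = {"hostkeyalgorithms", "pubkeyacceptedalgorithms", "pubkeyacceptedkeytypes"}


def audit_ssh_config(text):
    """Return (host, finding) tuples in file order."""
    findings, host = [], None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # drop comments and whitespace
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        keyword, value = parts[0].lower(), (parts[1] if len(parts) > 1 else "")
        if keyword == "host":
            host = value
            if host == "old-host":
                findings.append((host, "placeholder old-host never replaced"))
            continue
        if keyword not in ALGO_KEYWORDS:
            continue
        if not value:
            # ssh rejects the whole file here: "no argument after keyword ..."
            findings.append((host, f"line {lineno}: no argument after {parts[0]}"))
        elif "ssh-rsa" in {alg.lstrip("+-^") for alg in value.split(",")}:
            # Exact algorithm name match, so rsa-sha2-256/512 are not flagged.
            findings.append((host, f"line {lineno}: RSA/SHA-1 re-enabled via {parts[0]}"))
    return findings


def hosts_with_sha1_rsa(text):
    """Sorted hosts where some keyword re-enables ssh-rsa, the deprecated path."""
    return sorted({h for h, f in audit_ssh_config(text) if "RSA/SHA-1" in f})
```

Run it over the real ~/.ssh/config (and, per the thread, the ssh_config under the Git install folder) to get a list of hosts that still need the server-side fix before the workaround lines can be deleted.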

@zrav

zrav commented Jul 7, 2022

@orgads FWIW, Gerrit 3.6 fixes this incompatibility.

rimrul closed this as not planned Mar 8, 2023
rimrul unpinned this issue Mar 8, 2023