git-ssh: try multiple algorithms for known_hosts

[franklouwers]

Hi,

When using git over ssh, it seems that if a host (eg: GitHub.com) has multiple keys (eg: an rsa and an ed25519 ones), but only one of those keys is listed in the $HOME/.ssh/known_hosts, and the one that's not listed has a higher preference (e.g. ed25519 over rsa), then the git clone operation will fail.

I feel it should try to be more intelligent and try to use the rsa one.

[steffakasid]

I experienced the same. As workaround you could do the following: ssh-keyscan github.com >> known_hosts

[mojotx]

I've been struggling for several days, trying to get go-git to work, and I kept thinking it had something to do with ssh-agent, or that I had missed some minor thing in my code.

THIS was the problem, and running ssh-keyscan github.com >> ~/.ssh/known_hosts fixed it for me. Thank you, both @franklouwers and @steffakasid, for helping me fix this issue! 🙂

[mojotx]

I did some digging, to see how easy this would be to fix, and I don't think this is an issue in go-git's code

In plumbing/transport/ssh/common.go, in the dial() func, the code is calling ssh.NewClientConn().

	c, chans, reqs, err := ssh.NewClientConn(conn, addr, config)

That function is actually defined in golang/x/crypto/ssh. I didn't follow the rabbit trail all the way down into the crypto code, but I suspect that's where it needs to be fixed.

If I had the time, I would try writing a trivial Go program that makes a SSH connection to Github,, disabling the pseudo-tty allocation, which would be the equivalent of ssh -T git@github.com.

Currently if you do that, and you have your SSH keys set up correctly, it prints something like this:

$ ssh -T git@github.com
Hi mojotx! You've successfully authenticated, but GitHub does not provide shell access.

If a trivial Go implementation of ssh -T git@github.com also gives you the same host-key error, then we know for sure that the problem is in the golang/x/crypto/ssh code.

For what it's worth, I tried forking the go-git repo, and then updating the crypto module, to see if it's been fixed already, and it hasn't.

$ go get -v -u golang.org/x/crypto
go get: upgraded golang.org/x/crypto v0.0.0-20210711020723-a769d52b0f97 => v0.0.0-20211215153901-e495a2d5b3d3
go get: upgraded golang.org/x/net v0.0.0-20210326060303-6b1517762897 => v0.0.0-20211112202133-69e39bad7dc2
go get: upgraded golang.org/x/text v0.3.3 => v0.3.6

[jaredallard]

Here's a workaround for ~/.ssh/known_hosts for those running into this:

ssh-keyscan -t rsa github.com > ~/.ssh/known_hosts
ssh-keyscan -t ecdsa github.com >> ~/.ssh/known_hosts

This seems to 100% of the time ensure this works. It's kinda confusing.

[rgalanakis]

@jaredallard and others, thank you for the workarounds!

[smveloso]

From #411 (comment):

I did some digging, to see how easy this would be to fix, and I don't think this is an issue in go-git's code

It seems that the root cause is indeed in golang's ssh library: golang/go#29286

However, it's possible to work around it in code by explicitly setting the HostKeyAlgorithms field of https://pkg.go.dev/golang.org/x/crypto/ssh#ClientConfig. This was suggested here.

I did try and it works, by hardcoding the ssh key type I actually had in my known_hosts.

I don't know what would be the appropriate way of doing this kind of configuration on go-git. 🤔

NOTE: I'm working on a pull request. You can see the work so far here.

[evanelias]

I've just submitted a new pull request #548 which adds auto-population of ssh.ClientConfig.HostKeyAlgorithms, based on the known_hosts entries for the git remote host. Seems to work properly and solve this issue in my testing :)

[shaftoe]

@evanelias looks great! thanks a lot