Cannot Connect to OpenSSH 8.8+ Server with RSA Pubkey

[Warr1024]

Describe the bug

Cannot use RSA pubkey auth with OpenSSH 8.8+ servers.

To Reproduce

SCENARIO 1 using MGit's (old-style) key:

1. Generate new 4096-bit RSA key in MGit
2. Export pubkey, authorize it on server (e.g. commit to gitolite-admin keydir)
3. Try to pull a repo using this key.

Expected Behavior:

should successfully pull.

Observed result:

On the client: Error occurred [url]: Auth cancel

On the server:

userauth_pubkey: key type ssh-rsa not in PubkeyAcceptedAlgorithms [preauth]
error: Received disconnect from 10.100.0.1 port 51485:3: com.jcraft.jsch.JSchException: Auth cancel [preauth]

SCENARIO 2 using OpenSSH's (new-style) key:

1. Use ssh-keygen on a modern system (Debian 11 works) to generate a 4096-bit RSA key, no passphrase, otherwise default options.
2. Get the key onto the phone and import it using MGit.
3. Try to open the key to read its pubkey.

Expected Behavior

Displays pubkey

Observed Behavior

Error occurred
Can't open this file in this device.

Smartphone (please complete the following information):

• Device: Pixel 4a
• OS: Android 12 security patch 2021-11-05 build SP1A.211105.002
• App Version: 1.5.10 from Play Store

Additional context

OpenSSH 8.8 has stopped accepting RSA pubkeys that use SHA1 signatures by default now, since they are considered broken. They only support RSA keys that use an SHA2 signature. It seems that MGit only supports RSA keys with SHA1 signatures and can neither generate nor import and use the newer key type.

https://www.openssh.com/txt/release-8.8 (scroll down to Potentially-incompatible changes section)

Legacy RSA w/ SHA1 keys can supposedly be enabled in OpenSSH as a workaround, but this is strongly cautioned against, and it seems like it could effectively reduce the security of the entire host system. In addition, since this change would need to be done server-side, it's only an option for people who control their own SSH hosting.

It seems like the only proper fix for this would involve MGit updating at least some of its SSH handling components.

[Warr1024]

Also maybe noteworthy: In scenario 2, if I ignore the inability to open/view the pubkey on the imported key (using OpenSSH to extract the pubkey to register) and then I try to actually pull from an SSH server using that private key, I get an error that looks very much like the one described in #574.

[kb-1000]

After some googling, I found this: https://github.com/mwiede/jsch
JSCH itself is not maintained anymore, but that fork seems to have support for the newer key formats.
I'm not sure if that would work with MGit's JGit version or if it would work at all on Android though.

[maks]

Thank you for submitting this issue. This is really another aspect of #545, bascially same as #348 and the need to switch to a maintained and more modern SSH library than Jsch in order to be able to support newer crypto standards and algorithms.
I'm going to close this in favour of tracking all these together in #545