You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Cannot use RSA pubkey auth with OpenSSH 8.8+ servers.
To Reproduce
SCENARIO 1 using MGit's (old-style) key:
Generate new 4096-bit RSA key in MGit
Export pubkey, authorize it on server (e.g. commit to gitolite-admin keydir)
Try to pull a repo using this key.
Expected Behavior:
should successfully pull.
Observed result:
On the client: Error occurred [url]: Auth cancel
On the server:
userauth_pubkey: key type ssh-rsa not in PubkeyAcceptedAlgorithms [preauth]
error: Received disconnect from 10.100.0.1 port 51485:3: com.jcraft.jsch.JSchException: Auth cancel [preauth]
SCENARIO 2 using OpenSSH's (new-style) key:
Use ssh-keygen on a modern system (Debian 11 works) to generate a 4096-bit RSA key, no passphrase, otherwise default options.
Get the key onto the phone and import it using MGit.
Try to open the key to read its pubkey.
Expected Behavior
Displays pubkey
Observed Behavior
Error occurred
Can't open this file in this device.
Smartphone (please complete the following information):
OpenSSH 8.8 has stopped accepting RSA pubkeys that use SHA1 signatures by default now, since they are considered broken. They only support RSA keys that use an SHA2 signature. It seems that MGit only supports RSA keys with SHA1 signatures and can neither generate nor import and use the newer key type.
Legacy RSA w/ SHA1 keys can supposedly be enabled in OpenSSH as a workaround, but this is strongly cautioned against, and it seems like it could effectively reduce the security of the entire host system. In addition, since this change would need to be done server-side, it's only an option for people who control their own SSH hosting.
It seems like the only proper fix for this would involve MGit updating at least some of its SSH handling components.
The text was updated successfully, but these errors were encountered:
Also maybe noteworthy: In scenario 2, if I ignore the inability to open/view the pubkey on the imported key (using OpenSSH to extract the pubkey to register) and then I try to actually pull from an SSH server using that private key, I get an error that looks very much like the one described in #574.
After some googling, I found this: https://github.com/mwiede/jsch
JSCH itself is not maintained anymore, but that fork seems to have support for the newer key formats.
I'm not sure if that would work with MGit's JGit version or if it would work at all on Android though.
Thank you for submitting this issue. This is really another aspect of #545, bascially same as #348 and the need to switch to a maintained and more modern SSH library than Jsch in order to be able to support newer crypto standards and algorithms.
I'm going to close this in favour of tracking all these together in #545
Describe the bug
Cannot use RSA pubkey auth with OpenSSH 8.8+ servers.
To Reproduce
SCENARIO 1 using MGit's (old-style) key:
Expected Behavior:
should successfully pull.
Observed result:
On the client:
Error occurred [url]: Auth cancel
On the server:
SCENARIO 2 using OpenSSH's (new-style) key:
Expected Behavior
Displays pubkey
Observed Behavior
Smartphone (please complete the following information):
Additional context
OpenSSH 8.8 has stopped accepting RSA pubkeys that use SHA1 signatures by default now, since they are considered broken. They only support RSA keys that use an SHA2 signature. It seems that MGit only supports RSA keys with SHA1 signatures and can neither generate nor import and use the newer key type.
https://www.openssh.com/txt/release-8.8 (scroll down to
Potentially-incompatible changes
section)Legacy RSA w/ SHA1 keys can supposedly be enabled in OpenSSH as a workaround, but this is strongly cautioned against, and it seems like it could effectively reduce the security of the entire host system. In addition, since this change would need to be done server-side, it's only an option for people who control their own SSH hosting.
It seems like the only proper fix for this would involve MGit updating at least some of its SSH handling components.
The text was updated successfully, but these errors were encountered: