SSH clone fails against remotes running newer OpenSSH versions #17772
Comments
Seems to only be an issue with the mbedTLS backend, cc @wildart
I bet there is some flag that disables this protocol. Try to disable it with
Ok, the solution is simple. The required numbers are larger than
make it, 4096
Oh, hold on, there's an even worse bug. libssh2 passes the desired number of bits, but the mbedtls api takes bytes.
That could be my fault.
Well, many people took a look at that code, and nobody caught it so far, so I think there's some collective blame to go around. Let's fix it in any case.
I wonder if fixing that would allow us to not have to patch the config file
No, I think that's correct.
The problem is in
What we probably need to do is:
Do you want to take care of that? In that case I'll move on to something else.
Hey, look we're not the only ones who were confused about that parameter: libssh2/libssh2#103
I'll fix it. Why do you need to zero out top bits%8 bits?
Otherwise you get numbers that are too large by a couple of bits. I don't see a problem with that in the way the numbers are used by libssh2 (since g^x retains wrap-around properties), but I imagine it would be good to follow the API in any case?
Indeed, problem was in incorrect byte size, so no config patch required. I'll submit libssh2-mbedtls patch ASAP.
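The bits-versus-bytes mix-up discussed in the comments above (a bit count handed to a parameter that expects a byte count, and the need to clear the top `bits % 8` bits once the byte count is rounded up) is illustrated below. This is an added example written for this page; it is not libssh2 or mbedtls code. The `rng_fn` callback signature, the function names and the all-ones "RNG" are assumptions chosen for the illustration and do not correspond to either project's API.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical RNG callback (assumption for this example): fill `len` bytes
 * into `out`, return 0 on success. Modelled loosely on the f_rng style used by
 * byte-sized big-number APIs, not taken from any real library. */
typedef int (*rng_fn)(void *ctx, unsigned char *out, size_t len);

/* Bytes needed to hold `bits` bits, rounding up. This is the conversion that was
 * missing when a bit count was passed straight to a byte-sized parameter. */
size_t bytes_for_bits(size_t bits) { return (bits + 7) / 8; }

/* Correct version: fill a big-endian integer of at most `bits` bits.
 * Because the byte count is rounded up, the first byte may carry up to 7 bits
 * more than requested; mask them off so the value is strictly below 2^bits.
 * Returns bytes written, or 0 on error (zero bits, buffer too small, RNG failure). */
size_t random_int_bits(unsigned char *out, size_t out_cap, size_t bits,
                       rng_fn rng, void *ctx) {
    size_t nbytes = bytes_for_bits(bits);
    if (bits == 0 || nbytes > out_cap) return 0;
    if (rng(ctx, out, nbytes) != 0) return 0;
    unsigned excess = (unsigned)(8 * nbytes - bits); /* the "bits % 8" leftovers */
    if (excess) out[0] &= (unsigned char)(0xFFu >> excess);
    return nbytes;
}

/* The mistake from the thread: the bit count is used as a byte count, so the
 * caller silently gets an integer of 8*bits bits (or a buffer overrun if the
 * caller's buffer was sized in bits). */
size_t random_int_bits_buggy(unsigned char *out, size_t out_cap, size_t bits,
                             rng_fn rng, void *ctx) {
    if (bits == 0 || bits > out_cap) return 0;
    if (rng(ctx, out, bits) != 0) return 0;
    return bits;
}

/* Bit length of a big-endian unsigned integer held in `buf` (0 for all-zero). */
size_t bit_length(const unsigned char *buf, size_t len) {
    size_t i = 0;
    while (i < len && buf[i] == 0) i++;
    if (i == len) return 0;
    unsigned b = buf[i];
    size_t msb = 0;
    while (b) { msb++; b >>= 1; }
    return (len - i - 1) * 8 + msb;
}

/* Constructed deterministic "RNG" returning all-ones bytes, so the worst case
 * (every bit set) is exercised and the result is checkable. Never use in real code. */
int all_ones_rng(void *ctx, unsigned char *out, size_t len) {
    (void)ctx;
    memset(out, 0xFF, len);
    return 0;
}

/* Convenience wrapper: bit length actually produced for a request of `bits`,
 * using the correct or the buggy routine. 0 signals an error. */
size_t produced_bit_length(size_t bits, int buggy) {
    static unsigned char buf[4096];
    size_t n = buggy ? random_int_bits_buggy(buf, sizeof buf, bits, all_ones_rng, NULL)
                     : random_int_bits(buf, sizeof buf, bits, all_ones_rng, NULL);
    return n ? bit_length(buf, n) : 0;
}

int main(void) {
    size_t requests[] = { 20, 1024, 2048, 4096 };
    for (size_t i = 0; i < sizeof requests / sizeof requests[0]; i++) {
        size_t bits = requests[i];
        printf("asked for %4zu bits: correct -> %5zu bits, buggy -> %5zu bits\n",
               bits, produced_bit_length(bits, 0), produced_bit_length(bits, 1));
    }
    return 0;
}
```

The `excess` mask is why the thread's "zero out the top bits%8 bits" step matters: once the byte count is rounded up, leaving those bits set yields values up to 7 bits larger than the caller asked for, and the buggy routine is off by a factor of eight rather than a few bits.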
libssh2 advertises support for diffie-hellman-group-exchange-sha256, but that kex protocol seems to be buggy or otherwise unsupported, causing Pkg clone failures if the remote has a decently up-to-date openssh. Right now GitHub does not have support for that protocol, but we should either patch libssh2 to disable this feature or figure out what's broken to avoid nasty surprises if GitHub upgrades.