no matching key exchange method found #6812

Open
rogfut opened this issue Jul 27, 2021 · 6 comments
Labels
bug Something isn't working component:git Interaction with GitHub, Gitlab etc

Comments

@rogfut

rogfut commented Jul 27, 2021

If you are trying to resolve an environment-specific issue or have a one-off question about the edge case that does not require a feature then please consider asking a question in argocd slack channel.

Checklist:

  • [ x ] I've searched in the docs and FAQ for my answer: https://bit.ly/argocd-faq.
  • [ x ] I've included steps to reproduce the bug.
  • [ x ] I've pasted the output of argocd version.

Describe the bug
When argocd runs git fetch from a private repo that uses diffie-hellman-group1-sha1 and/or diffie-hellman-group14-sha1, git fetch fails with no matching key exchange method found

Related to issue 6209

Seems like this should have been fixed with this commit

To Reproduce

argocd repo add git@myrepo.example.com:some/path/_git/myproject --ssh-private-key-path /home/roger/.ssh/myrepo

argocd app create myapp \
  --dest-namespace myapp \
  --dest-server https://kubernetes.default.svc \
  --repo git@myrepo.example.com:some/path/_git/myproject \
  --path myapp \
  --revision HEAD \
  --directory-recurse \
  --loglevel debug
FATA[0000] rpc error: code = InvalidArgument desc = application spec is invalid: InvalidSpecError: Unable to get app details: rpc error: code = Internal desc = Failed to fetch <commit_id>: `git fetch origin --tags --force` failed exit status 128: Unable to negotiate with <private IP address or hostname> port 22: no matching key exchange method found. Their offer: diffie-hellman-group1-sha1,diffie-hellman-group14-sha1
fatal: Could not read from remote repository.

Please make sure you have the correct access rights
and the repository exists

Expected behavior

I would expect commit 4accaa54004b746abc4fe05ef840bfe58ebdffc6 would have fixed the issue by adding diffie-hellman-group1-sha1 and diffie-hellman-group14-sha1 on lines 14 and 15 of util/git/ssh.go

Version

argocd: v2.0.3+8d2b13d.dirty
  BuildDate: 2021-05-27T19:54:02Z
  GitCommit: 8d2b13d733e1dff7d1ad2c110ed31be4804406e2
  GitTreeState: dirty
  GoVersion: go1.16.4
  Compiler: gc
  Platform: linux/amd64
argocd-server: v2.0.4+0842d44
  BuildDate: 2021-06-23T01:27:53Z
  GitCommit: 0842d448107eb1397b251e63ec4d4bc1b4efdd6e
  GitTreeState: clean
  GoVersion: go1.16
  Compiler: gc
  Platform: linux/amd64
  Ksonnet Version: v0.13.1
  Kustomize Version: v3.9.4 2021-02-09T19:22:10Z
  Helm Version: v3.5.1+g32c2223
  Kubectl Version: v0.20.4
  Jsonnet Version: v0.17.0

Logs

FATA[0000] rpc error: code = InvalidArgument desc = application spec is invalid: InvalidSpecError: Unable to get app details: rpc error: code = Internal desc = Failed to fetch <commit_id>: `git fetch origin --tags --force` failed exit status 128: Unable to negotiate with <private IP address or hostname> port 22: no matching key exchange method found. Their offer: diffie-hellman-group1-sha1,diffie-hellman-group14-sha1
fatal: Could not read from remote repository.

Please make sure you have the correct access rights
and the repository exists
@rogfut rogfut added the bug Something isn't working label Jul 27, 2021
@alexmt
Collaborator

alexmt commented Jul 27, 2021

Please try removing path from repo url. Path should be specified in app spec

argocd repo add git@myrepo.example.com --ssh-private-key-path /home/roger/.ssh/myrepo

@alexmt alexmt added answered works-for-me Works as intended, or unable to reproduce and removed bug Something isn't working labels Jul 27, 2021
@rogfut
Author

rogfut commented Jul 27, 2021

Path in the URL is the root of the git repo, I was following this convention in the argocd repo add examples (without the insecure flag):

# Add a Git repository via SSH using a private key for authentication, ignoring the server's host key:
argocd repo add git@git.example.com:repos/repo --insecure-ignore-host-key --ssh-private-key-path ~/id_rsa

git@myrepo.example.com is actually the git server itself, and the repo url is git@myrepo.example.com:some/path/_git/myproject

Tried it, got the following failure:

argocd repo add git@myrepo.example.com --ssh-private-key-path /home/roger/.ssh/myrepo
FATA[0000] rpc error: code = Unknown desc = repository not found

@rogfut
Author

rogfut commented Jul 27, 2021

I see that this was tagged as "works for me". To confirm @alexmt , you successfully connected argocd-server to a git repo that only offers diffie-hellman-group1-sha1 and/or diffie-hellman-group14-sha1 Kex Algorithms?

@alexmt
Collaborator

alexmt commented Jul 27, 2021

hello @rogfut ,

Looks like I changed labels too quickly - adding bug label again. I assumed that error happens due to path in the repo URL but did not validate that Argo CD works with diffie-hellman-group1-sha1 and/or diffie-hellman-group14-sha1 Kex Algorithms. I think you are correct that there is an issue, sorry for the confusion.

@alexmt alexmt added component:git Interaction with GitHub, Gitlab etc bug Something isn't working and removed answered works-for-me Works as intended, or unable to reproduce labels Jul 27, 2021
@brunovianco

brunovianco commented Mar 21, 2022

I had to do a horrible and insecure workaround because the repository is a TFS 2018 and only supports diffie-hellman-group1-sha1 and/or diffie-hellman-group14-sha1, so the solution was to create a Config Map to enable that

apiVersion: v1
kind: ConfigMap
metadata:
  name: argocd-ssh-legacy-cm
  namespace: argocd
data:
  ssh_legacy.conf: |-
    KexAlgorithms +diffie-hellman-group1-sha1,diffie-hellman-group14-sha1

Then mount the volume in the argo-repo-server Deployment

volumes:
  - name: ssh-legacy
    configMap:
      name: argocd-ssh-legacy-cm
      defaultMode: 420
volumeMounts:
  - name: ssh-legacy
    mountPath: /etc/ssh/ssh_config.d

DO IT AT YOUR OWN RISK

@rmorilha

As an Addition to...

I had to do a horrible and insecure workaround because the repository is a TFS 2018 and only supports diffie-hellman-group1-sha1 and/or diffie-hellman-group14-sha1, so the solution was to create a Config Map to enable that

apiVersion: v1
kind: ConfigMap
metadata:
  name: argocd-ssh-legacy-cm
  namespace: argocd
data:
  ssh_legacy.conf: |-
    KexAlgorithms +diffie-hellman-group1-sha1,diffie-hellman-group14-sha1

Then mount the volume in the argo-repo-server Deployment

volumes:
  - name: ssh-legacy
    configMap:
      name: argocd-ssh-legacy-cm
      defaultMode: 420
volumeMounts:
  - name: ssh-legacy
    mountPath: /etc/ssh/ssh_config.d

DO IT AT YOUR OWN RISK

Just the KexAlgorithms did not work for me.
I had to add a couple more lines.

So, the workaround until Azure DevOps fixes their known_hosts ssh key is:

  1. Create the configmap like @brunovianco mentions, but with some additional configurations specifically for Azure devops:
apiVersion: v1
kind: ConfigMap
metadata:
  name: argocd-ssh-legacy-cm
  namespace: argo
data:
  ssh_legacy.conf: |-
    KexAlgorithms +diffie-hellman-group1-sha1,diffie-hellman-group14-sha1
    Host ssh.dev.azure.com
      User git
      PubkeyAcceptedAlgorithms +ssh-rsa
      HostkeyAlgorithms +ssh-rsa
  2. Afterwards, just mount the configmap as @brunovianco mentions:
volumes:
  - name: ssh-legacy
    configMap:
      name: argocd-ssh-legacy-cm
      defaultMode: 420
volumeMounts:
  - name: ssh-legacy
    mountPath: /etc/ssh/ssh_config.d
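
Both workarounds above put `KexAlgorithms` at the top level of the config file, so the SHA-1 key exchanges are enabled for every host the repo-server connects to. As an added example (not code from Argo CD or from the commenters), this Python script parses the `Their offer:` line of the error in this issue, picks the least weak legacy method the server offers, and emits an ssh_config stanza scoped to that one host. The function names, the preference order and the sample log are assumptions of the example.

```python
import re

# Legacy SHA-1 key exchanges, least weak first (ordering is this example's
# assumption): group14 uses a 2048-bit MODP group, group1 a 1024-bit one.
LEGACY_KEX_PREFERENCE = [
    "diffie-hellman-group14-sha1",
    "diffie-hellman-group1-sha1",
]

OFFER_RE = re.compile(
    r"Unable to negotiate with (?P<host>\S+) port (?P<port>\d+): "
    r"no matching key exchange method found\. Their offer: (?P<offer>[\w@.,-]+)"
)


def parse_offers(log_text):
    """Return {host: [offered kex algorithms]} for every negotiation failure."""
    offers = {}
    for m in OFFER_RE.finditer(log_text):
        offers[m.group("host")] = m.group("offer").rstrip(".,").split(",")
    return offers


def pick_kex(offer):
    """Choose the single least weak legacy method the server offers, or None."""
    for alg in LEGACY_KEX_PREFERENCE:
        if alg in offer:
            return alg
    return None


def scoped_stanza(host, offer):
    """Build an ssh_config stanza enabling one legacy kex for one host only."""
    alg = pick_kex(offer)
    if alg is None:
        raise ValueError(f"{host}: no known legacy kex in offer {offer}")
    return f"Host {host}\n  KexAlgorithms +{alg}\n"


# Constructed sample modelled on the error in this issue; the host name is the
# placeholder used in the report, not a real server.
SAMPLE_LOG = (
    "`git fetch origin --tags --force` failed exit status 128: Unable to "
    "negotiate with myrepo.example.com port 22: no matching key exchange "
    "method found. Their offer: diffie-hellman-group1-sha1,"
    "diffie-hellman-group14-sha1\nfatal: Could not read from remote repository.\n"
)

if __name__ == "__main__":
    for host, offer in parse_offers(SAMPLE_LOG).items():
        print(scoped_stanza(host, offer), end="")
```

Used as the content of `ssh_legacy.conf` in place of the global `KexAlgorithms` line, the generated stanza leaves the default key exchange set unchanged for every other host.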
