Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

RSA public keys cannot authenticate against internal SSH if the client has a recent ssh version (which disables ssh-rsa algorithm) #17798

Closed
zeripath opened this issue Nov 24, 2021 · 10 comments · Fixed by #21792
Labels
issue/workaround it is or has a workaround type/upstream This is an issue in one of Gitea's dependencies and should be reported there

Comments

@zeripath
Copy link
Contributor

zeripath commented Nov 24, 2021

Gitea Version

1.15.x/1.16.x till the latest

Operating System

  • Any SSH client with ssh-rsa algorithm disabled (ex: OpenSSH >= 8.8)

How are you running Gitea?

Builtin/Internal SSH (ex: docker-rootless or START_SSH_SERVER=true in app.ini)

Can you reproduce the bug on the Gitea demo site?

Yes

Description

The ssh-rsa key signing algorithm is disabled on recent ssh versions. Although #17281 means that Gitea will offer rsa-sha2-256 and rsa-sha2-512 for the host key verification - it does not fix the issue of advertising and handling the public key signing algorithm.

This failure then results in ssh authentication failing.

How to reproduce

Use a newer version of SSH where this is disabled and attempt to authenticate using an RSA key.

On older versions of SSH:

ssh -o PubkeyAcceptedKeyTypes=-ssh-rsa,+rsa-sha2-256 ...

Unfortunately OpenSSH have changed the name of this option across versions and in newer versions, including the affected version, this option is called: PubkeyAcceptedAlgorithms

So if the above fails with an error try:

ssh -o PubkeyAcceptedAlgorithms=-ssh-rsa ...

Workaround

  • On affected clients, add -o PubkeyAcceptedAlgorithms=+ssh-rsa to the ssh command line (In the unlikely event you have an older version which has deliberately disabled the ssh-rsa algorithm you will need to add
    -o PubkeyAcceptedKeyTypes=+ssh-rsa)
  • Use other supported SSH key formats
  • Use OpenSSH server instead of builtin SSH server (ex: use Docker instead of Docker-rootless)

History of this issue

For speed I'm going to collect things here:

What is actually needed

The fundamental issue is not resolvable within Gitea without forking and otherwise reimplementing the ssh server. We will need to address this problem upstream.

There are two major structural issues:

  • Signers need to be separately configurable and advertisable apart from the key types that they sign. The commit mentioned above may have degraded the ability of users of the upstream ssh package to disable the ssh-rsa signing algorithm in future and this needs to be addressed.
  • The Handshake needs to support extension negotiation https://datatracker.ietf.org/doc/html/rfc8308 and in particular the SSH_MSG_EXT_INFO extension described therein.
@suchAdemon

This comment has been minimized.

@zeripath

This comment has been minimized.

@ghost
Copy link

ghost commented Jan 1, 2022

Belive I just hit this issue on gitea.com just now. Ended up switching to ed25519 from RSA and the issue was resolved.

With RSA what I saw trying to clone via SSH:

git@gitea.com: Permission denied (publickey).
fatal: Could not read from remote repository.

Debugged with:

ssh -vT git@gitea.com

Everything looked fine. But then I remembered ed25519 was an option looking at the SSH key input placeholder text in the Gitea key input field, switched as I prefer it anyway, and was able to use SSH again.

@trading-peter
Copy link

trading-peter commented Jan 24, 2022

A easy and transparent workaround:

Set "HostkeyAlgorithms" and "PubkeyAcceptedKeyTypes" in ~/.ssh/config

Host <Your Git Name>
  HostkeyAlgorithms +ssh-rsa
  PubkeyAcceptedKeyTypes +ssh-rsa

@6543
Copy link
Member

6543 commented Feb 10, 2022

#17786 :D

Gusted pushed a commit to Gusted/gitea that referenced this issue Feb 10, 2022
- Update SSH server libraries to support extensions negotations.
- The extensions negotations are needed to communitcate with algorithms are accepted for "publickey" auth.
- This PR adds 2 libraries. The modifed golang.org/x/crypto libraries(this in order to not mismatch with types in ssh.go) and a patched "github.com/gliderlabs/ssh" that has been modified in order to use the modified crypto library.
- Resolves go-gitea#17798
sgotti added a commit to sgotti/agola that referenced this issue Mar 22, 2022
Newer versions of openssh client disables ssh-rsa sha1 public key
signature algorithm.

Unfortunately gitea ssh server requires this signature algorithm instead
of using the stronger rsa-sha2-256/rsa-sha2-512 (see
go-gitea/gitea#17798)

So, as a temporary workaround, force enable on the ssh client the
ssh-rsa sha1 signature algorithm.
sgotti added a commit to sgotti/agola that referenced this issue Mar 22, 2022
Newer versions of openssh client disables ssh-rsa sha1 public key
signature algorithm.

Unfortunately gitea ssh server requires this signature algorithm instead
of using the stronger rsa-sha2-256/rsa-sha2-512 (see
go-gitea/gitea#17798)

So, as a temporary workaround, force enable on the ssh client the
ssh-rsa sha1 signature algorithm.
sgotti added a commit to sgotti/agola that referenced this issue Mar 22, 2022
Newer versions of openssh client disables ssh-rsa sha1 public key
signature algorithm.

Unfortunately gitea ssh server requires this signature algorithm instead
of using the stronger rsa-sha2-256/rsa-sha2-512 (see
go-gitea/gitea#17798)

So, as a temporary workaround, force enable on the ssh client the
ssh-rsa sha1 signature algorithm.
sgotti added a commit to sgotti/agola that referenced this issue Mar 23, 2022
Newer versions of openssh client disables ssh-rsa sha1 public key
signature algorithm.

Unfortunately gitea ssh server requires this signature algorithm instead
of using the stronger rsa-sha2-256/rsa-sha2-512 (see
go-gitea/gitea#17798)

So, as a temporary workaround, force enable on the ssh client the
ssh-rsa sha1 signature algorithm.
sgotti added a commit to sgotti/agola that referenced this issue Mar 23, 2022
Newer versions of openssh client disables ssh-rsa sha1 public key
signature algorithm.

Unfortunately gitea ssh server requires this signature algorithm instead
of using the stronger rsa-sha2-256/rsa-sha2-512 (see
go-gitea/gitea#17798)

So, as a temporary workaround, force enable on the ssh client the
ssh-rsa sha1 signature algorithm.
sgotti added a commit to sgotti/agola that referenced this issue Mar 23, 2022
Newer versions of openssh client disables ssh-rsa sha1 public key
signature algorithm.

Unfortunately gitea ssh server requires this signature algorithm instead
of using the stronger rsa-sha2-256/rsa-sha2-512 (see
go-gitea/gitea#17798)

So, as a temporary workaround, force enable on the ssh client the
ssh-rsa sha1 signature algorithm.
@wxiaoguang wxiaoguang added type/upstream This is an issue in one of Gitea's dependencies and should be reported there issue/workaround it is or has a workaround labels Apr 20, 2022
@h8nor
Copy link

h8nor commented Jul 4, 2022

And the reverse situation. If the following message is displayed testing operation of the key:

Unable to negotiate with 192.168.254.254 port 22: no matching host key type found.
Their offer: rsa-sha2-512,rsa-sha2-256,ecdsa-sha2-nistp256,ssh-ed25519

Remove lines 3 and 4 from the config file (if the text from the example was used):

Host *
  AddKeysToAgent yes
  IdentityFile ~/.ssh/id_rsa
  HostKeyAlgorithms ssh-rsa
  ForwardAgent yes

@ChrisWitt
Copy link

God overview and transparent problem handling. This encourages trust in your project. I am a happy user :)
Of course also because of the great service gitea provides!

@dreirund
Copy link

dreirund commented Aug 9, 2022

A easy and transparent workaround:

Set "HostkeyAlgorithms" and "PubkeyAcceptedKeyTypes" in ~/.ssh/config

That should not be considered valid, since the algorithm behind it is known as weak.

Please support up-to-date crypto algorithms. Forcing users to use weak algorithms is not acceptable.

Reason to not re-install gitea after a just-done server upgrade.

@MartinX3

This comment was marked as duplicate.

@PKizzle
Copy link

PKizzle commented Aug 15, 2022

An alternative workaround that might be more secure (I only quickly checked the source code) is to temporarily replace golang.org/x/crypto with a patched version for RFC8308

replace golang.org/x/crypto => github.com/rmohr/crypto v0.0.0-20211203105847-e4ed9664ac54

Additionally you will need to adjust SSH_SERVER_KEY_EXCHANGES to replace curve25519-sha256 with curve25519-sha256@libssh.org

@go-gitea go-gitea locked and limited conversation to collaborators Aug 15, 2022
Gusted pushed a commit to Gusted/gitea that referenced this issue Nov 12, 2022
- Update the crypto dependency to include golang/crypto@6fad3df
- Resolves go-gitea#17798
Gusted pushed a commit to Gusted/gitea that referenced this issue Nov 12, 2022
- Backport go-gitea#21792
  - Update the crypto dependency to include golang/crypto@6fad3df
  - Resolves go-gitea#17798
Gusted pushed a commit to Gusted/gitea that referenced this issue Nov 12, 2022
- Backport go-gitea#21792
  - Update the crypto dependency to include golang/crypto@6fad3df
  - Resolves go-gitea#17798
jolheiser pushed a commit that referenced this issue Nov 13, 2022
- Update the crypto dependency to include
golang/crypto@6fad3df
- Resolves #17798

Executed: `go get
golang.org/x/crypto@6fad3dfc18918c2ac9c112e46b32473bd2e5e2f9 && rm
go.sum && go mod tidy`
jolheiser pushed a commit that referenced this issue Nov 13, 2022
- Backport #21792
- Update the crypto dependency to include
golang/crypto@6fad3df
  - Resolves #17798
techknowlogick pushed a commit that referenced this issue Nov 13, 2022
- Backport #21792
- Update the crypto dependency to include
golang/crypto@6fad3df
  - Resolves #17798

Co-authored-by: John Olheiser <john.olheiser@gmail.com>
fsologureng pushed a commit to fsologureng/gitea that referenced this issue Nov 22, 2022
- Update the crypto dependency to include
golang/crypto@6fad3df
- Resolves go-gitea#17798

Executed: `go get
golang.org/x/crypto@6fad3dfc18918c2ac9c112e46b32473bd2e5e2f9 && rm
go.sum && go mod tidy`
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Labels
issue/workaround it is or has a workaround type/upstream This is an issue in one of Gitea's dependencies and should be reported there
Projects
None yet
Development

Successfully merging a pull request may close this issue.

10 participants