Internal SSH server and common ciphers

[Aohzan]

Describe the bug
Hello,
I can't make a SSH connection between my computer (Arch updated) and my gogs server
Computer:

Unable to negotiate with gogs_ip port 22: no matching host key type found. Their offer: ssh-rsa

Server:

2021/09/28 16:38:54 [ERROR] [.../gogs-source/internal/ssh/ssh.go:151 func1()] SSH: Error on handshaking: ssh: no common algorithm for host key; client offered: [rsa-sha2-512-cert-v01@openssh.com rsa-sha2-256-cert-v01@openssh.com rsa-sha2-512 rsa-sha2-256 ssh-ed25519-cert-v01@openssh.com ecdsa-sha2-nistp256-cert-v01@openssh.com ecdsa-sha2-nistp384-cert-v01@openssh.com ecdsa-sha2-nistp521-cert-v01@openssh.com sk-ssh-ed25519-cert-v01@openssh.com sk-ecdsa-sha2-nistp256-cert-v01@openssh.com ssh-ed25519 ecdsa-sha2-nistp256 ecdsa-sha2-nistp384 ecdsa-sha2-nistp521 sk-ssh-ed25519@openssh.com sk-ecdsa-sha2-nistp256@openssh.com], server offered: [ssh-rsa]

I updated SSH_SERVER_CIPHERS to handle additionnal ciphers handled by my computer like

SSH_SERVER_CIPHERS = rsa-sha2-256, rsa-sha2-512, aes128-ctr, aes192-ctr, aes256-ctr, aes128-gcm@openssh.com, arcfour256, arcfour128

or with all the algorithm in the log, but doesn't work :(

Thank for the help

Gogs version and commit
Tried on 0.12.3 and 0.13.0+dev (commitfa3d011415c21a6e4d2e6500d589ca17cf39090f)

Git version
2.30.2

Go version
go1.15.9

Operating system
Debian Bullseye

Database
mariadb-server-10.6 1:10.6.4+maria~bullseye

To Reproduce
git pull or push on any repository

Can you reproduce the bug at https://try.gogs.io?
Erorr 500 while trying to create a repo on try.gogs.io

Expected behavior
SSH connection made

Actual behavior
no matching host key type found.

[G2G2G2G]

Switch to ed25519 by default. RSA was vulnerable 10 years ago.

[aft2d]

How exactly does that work?
I generated a key with ssh-keygen -t ed25519 -f gogs.ed25519 and modified my app.ini like this

[server]
SSH_SERVER_HOST_KEYS     = /opt/gogs/data/ssh/gogs.ed25519

After a restart, it still uses the rsa keys.
Is there anything I'm missing?

[G2G2G2G]

(on gitea) that's 100% correct, I assume gogs is the same. Your logs should say why it is using those, you are using the internal SSH not the one on your system yea? If you're using your system's sshd service you need in /etc/ssh/sshd_config something like:

Protocol 2
HostKey /etc/ssh/ssh_host_ed25519_key

(it generates an ed25519 key by default, but doesn't use it? (it might now idk) however it's genned a key for like 10+ years and not used it by default, so I always set it on all my servers

I set my gitea key as chown gitea:gitea (the user that runs your gogs) and chmod 600 on permissions, I know openssh etc won't even let you use keys (unless you're root) if your permissions aren't rw only for that user. (sometimes read only)

[aft2d]

Your logs should say why it is using those,

Nope, nothing in the logs. Even with Trace log-level

you are using the internal SSH not the one on your system yea?

Yep, I'm using internal SSH

(on gitea) that's 100% correct, I assume gogs is the same

Probably not:
I digged a bit through the source code.
In Gogs the SSH_SERVER_HOST_KEYS setting does not exist.
Gogs: https://github.com/gogs/gogs/blob/main/internal/conf/static.go#L47
Gitea: https://github.com/go-gitea/gitea/blob/83df0caf15c4a8c3b9336987f329501507c6d527/modules/setting/setting.go#L125
Even a search int the whole repo does not return any result.

In addition you can see here that the path is hardcoded in Gogs.

[G2G2G2G]

oh, well you used that setting so I assumed you already checked if it existed. I don't use gogs so didn't look lmao.
If you can't use your own key with them that's definitely an issue, if they let you change the encryption types you can prob change their default key I guess, idk.