Re: Git failed to pull after upgrading to 2.33.1, using choco

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 

On 2021-10-19 at 02:48:59, Bryan Turner wrote:
> On Mon, Oct 18, 2021 at 7:34 PM LL L <lll@xxxxxxxxxxxxx> wrote:
> >
> > What happened instead? (Actual behavior)
> >
> > git@xxxxxxxxxxxx: Permission denied (publickey).
> > fatal: Could not read from remote repository.
> >
> > Please make sure you have the correct access rights
> > and the repository exists.
> 
> Most likely you're running afoul of an OpenSSH 8.8p1 upgrade in Git
> for Windows 2.33. OpenSSH 8.8 disables ssh-rsa key exchanges by
> default[1], which results in this sort of error. Git for Windows
> 2.32.2 was using OpenSSH 8.7 (or perhaps OpenSSH 8.5).
> 
> [1] https://www.openssh.com/txt/release-8.8; see the
> "Potentially-incompatible changes" section.

Yes, this is almost certainly the problem.  Note that this change was
made because while RSA _keys_ are still secure, the SHA-1 signatures
being used are not, and so folks need to either use those RSA keys with
SHA-2 or switch keys.

> > debug1: Local version string SSH-2.0-OpenSSH_for_Windows_8.1
> > debug1: Remote protocol version 2.0, remote software version Go-CodingGit
> > debug1: no match: Go-CodingGit

Go's SSH library is known to have various problems with RSA keys and
SHA-2, so if this site is using that library, then it may be the cause
of your problems.  I know they're aware of this problem, so hopefully
they'll be able to work on it soon.

> > debug1: Authenticating to e.coding.net:22 as 'git'
> > debug1: SSH2_MSG_KEXINIT sent
> > debug1: SSH2_MSG_KEXINIT received
> > debug1: kex: algorithm: curve25519-sha256@xxxxxxxxxx
> > debug1: kex: host key algorithm: rsa-sha2-512
> 
> Looks like the server supports more secure RSA key exchanges, which is good.

This is encouraging, but I don't think it's sufficient in this case.

You may want to generate a new Ed25519 SSH key with "ssh-keygen -t
ed25519" and use that instead, provided the site supports that.  Many
sites do, and those keys aren't subject to any of the problems you've
seen here.
-- 
brian m. carlson (he/him or they/them)
Toronto, Ontario, CA

Attachment: signature.asc
Description: PGP signature

[Index of Archives]     [Linux Kernel Development]     [Gcc Help]     [IETF Annouce]     [DCCP]     [Netdev]     [Networking]     [Security]     [V4L]     [Bugtraq]     [Yosemite]     [MIPS Linux]     [ARM Linux]     [Linux Security]     [Linux RAID]     [Linux SCSI]     [Fedora Users]

  Powered by Linux