Hostkey error when pulling or building from private git repository

  • Open
Details
3 participants
  • Atte Torri
  • Frederickson, Jonathan
  • Tim Johann
Owner: unassigned
Submitted by: Atte Torri
Severity: normal
Atte Torri wrote on 27 Mar 17:09 +0100
(name . bug-guix)(address . bug-guix@gnu.org)
1156672208.1243481.1711555774538.JavaMail.zimbra@universite-paris-saclay.fr
Hello,

I get an error message when trying to `guix pull` a channel from a private git repository or when trying to `guix build` a package from a private git repository.
Previously it worked great up until a few days ago. I have tested it on multiple machines and get the same error, as well as for private repositories hosted on GitLab and GitHub.

This is the error message I get when I pull (for build it is essentially the same):

atte@beryllium:~$ guix pull
Updating channel 'guix-test' from Git repository at 'git@github.com:Blixodus/guix-test.git'...
guix pull: error: Git error: failed to set hostkey preference: The requested method(s) are not currently supported


And this is how I define channels in .config/guix/channels.scm, with a URL to a private git repository over SSH:

(list (channel
        (name 'guix-test)
        (url "git@github.com:Blixodus/guix-test.git")
        (branch "main")))

Atte Torri
Tim Johann wrote on 10 Apr 12:14 +0200
(address . 70034@debbugs.gnu.org)
87h6g97br1.fsf@phrogstar.de
Hi there,

I have experienced the same problem, and have a little piece of the puzzle. As I looked at the server hosting my own private channel I saw the line

Unable to negotiate with XXX.XXX.XXX.XXX port 45072: no matching host key type found. Their offer: ssh-rsa [preauth]

which means that the guix pull command only uses a Hostkey using an algorithm that is not in the default configuration of the sshd HostKeyAlgorithms (as it is considered too weak for keys of a size <2048 bits?).

The workaround I am using is a line

HostKeyAlgorithms +ssh-rsa

in my server's sshd_config (and using a key of a size of 4096 bits).

Nevertheless, I would like to see guix pull using a host key with a different algorithm - or a larger variety of host keys.

Hoping that helps,

Cheers

Tim
Frederickson, Jonathan wrote on 11 Apr 19:34 +0200
(name . 70034@debbugs.gnu.org)(address . 70034@debbugs.gnu.org)
5fecc1a205e3668345b02153623e65064bf12abd.camel@akamai.com
I just ran into this issue as well. I spent some time bisecting last
night and tracked it down to a change in guile-git's dependency on
libgit2:

9f00975f55e569fc3ba204fc34261a942a19b4e5 is the first bad commit
commit 9f00975f55e569fc3ba204fc34261a942a19b4e5
Author: Ludovic Courtès <ludo@gnu.org>
Date: Mon Feb 26 22:15:57 2024 +0100

    gnu: guile-git: Depend on libgit2 1.7.

    * gnu/packages/guile.scm (guile-git)[inputs]: Replace LIBGIT2-1.3 with
    LIBGIT2-1.7.

    Change-Id: Ia386f977b0888b7bd9b26443ac6150428fda2155

 gnu/packages/guile.scm | 4 +---
 1 file changed, 1 insertion(+), 3 deletions(-)
Frederickson, Jonathan wrote on 12 Apr 16:50 +0200
(name . 70034@debbugs.gnu.org)(address . 70034@debbugs.gnu.org)
3664e546721f49f4c1c74be198989b9479945037.camel@akamai.com

And one of the comments on that issue from the libgit2 maintainer made
me realize there's a workaround. Using github.com as an example since
the initial report was having trouble with a channel on github, if you
run this:

$ ssh-keyscan github.com >> ~/.ssh/known_hosts

...it seems to fix the issue, because ssh-keyscan fetches host keys of
all types from the remote host, rather than just one (as seems to
happen when you connect to a remote host via SSH normally).

Obviously would prefer a proper fix, but this is a relatively low-
impact workaround for now.
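To see what the ssh-keyscan workaround above changes, the following added example (not part of the thread, and not Guix or libgit2 code) lists which host key types a known_hosts file records for a given host, including entries with hashed host names. The file contents, key blobs, salt, `git.example.org` and the address 192.0.2.10 are constructed placeholders; host matching is exact and does not expand wildcard patterns.

```python
import base64, hashlib, hmac

def hashed_field(host, salt):
    """Build a HashKnownHosts-style field: |1|b64(salt)|b64(HMAC-SHA1(salt, host))."""
    mac = hmac.new(salt, host.encode(), hashlib.sha1).digest()
    return "|1|%s|%s" % (base64.b64encode(salt).decode(), base64.b64encode(mac).decode())

def host_matches(field, host):
    """True if a known_hosts host field names `host` (exact match; wildcards not expanded)."""
    if field.startswith("|1|"):
        _, _, salt_b64, mac_b64 = field.split("|")
        mac = hmac.new(base64.b64decode(salt_b64), host.encode(), hashlib.sha1).digest()
        return hmac.compare_digest(mac, base64.b64decode(mac_b64))
    return host in field.split(",")

def recorded_key_types(known_hosts_text, host):
    """Set of key types stored for `host`, skipping comments and @marker lines."""
    types = set()
    for line in known_hosts_text.splitlines():
        fields = line.split()
        if len(fields) < 3 or fields[0].startswith(("#", "@")):
            continue
        if host_matches(fields[0], host):
            types.add(fields[1])
    return types

# Constructed sample data: key blobs are placeholders, not real host keys.
BEFORE = "\n".join([
    "# entry left by one interactive ssh connection",
    "github.com,192.0.2.10 ssh-ed25519 AAAAC3Nz-CONSTRUCTED",
    hashed_field("git.example.org", b"constructed-salt") + " ssh-rsa AAAAB3Nz-CONSTRUCTED",
])
# Shape of what `ssh-keyscan github.com >> ~/.ssh/known_hosts` appends: one line per key type.
AFTER = BEFORE + "\n" + "\n".join([
    "github.com ssh-rsa AAAAB3Nz-CONSTRUCTED",
    "github.com ecdsa-sha2-nistp256 AAAAE2Vj-CONSTRUCTED",
    "github.com ssh-ed25519 AAAAC3Nz-CONSTRUCTED",
])

if __name__ == "__main__":
    for label, text in (("before", BEFORE), ("after", AFTER)):
        print(label, sorted(recorded_key_types(text, "github.com")))
```

ssh-keyscan does not authenticate the keys it fetches, so compare the fingerprints of scanned keys (`ssh-keygen -lf` on the scan output) with those the host publishes before appending them to known_hosts.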