jj git over ssh fails with sha-1 key
Description
I'm not sure if there's some magic that's happening that allows git to clone an ssh+git repo with a SHA-1 key, but jj won't, but it happens every time. Not that SHA-1 keys are good, just that enforcement seems to be different from git.
Steps to Reproduce the Problem
- ssh-add -L | grep ssh-rsa returns a key.
- jj git remote add origin [email protected]:<username>/jj.git
- jj git fetch
Expected Behavior
❯ jj git fetch
Nothing changed.
Actual Behavior
❯ jj git fetch
Error: Unexpected git error when fetching: ERROR: You're using an RSA key with SHA-1, which is no longer allowed. Please use a newer client or a different key type.
Please see https://github.blog/2021-09-01-improving-git-protocol-security-github/ for more information.
; class=Ssh (23); code=Eof (-20)
git clone/git fetch with the same URL works fine.
Specifications
- Platform: Linux
- Version: HEAD-980004e (latest main branch as of a few minutes ago)
Thanks for the report. I'm pretty sure that's a limitation of our very naive support for authentication. That's documented here and implemented here. In short, we only support a password-less key called exactly ~/.ssh/id_rsa as well as ssh-agent. Maybe the difference from Git is that you also have e.g. an ed25519 key that's picked up by Git?
I recommend using ssh-agent even once we've improved the authentication support.
Yep, ssh-agent forwarded remotely.
❯ ssh-add -L
ssh-rsa <key data removed> randall
randall in igra in ~/code/jj_jj is 📦 v0.4.0 via 🦀 v1.62.0
❯ set | grep -i SSH_A
SSH_AUTH_SOCK=/tmp/ssh-XXXXOQ3GP1/agent.3496715
randall in igra in jj on main [$] is 📦 v0.4.0 via 🦀 v1.62.0
❯ git remote -v
origin [email protected]:ClashTheBunny/jj.git (fetch)
origin [email protected]:ClashTheBunny/jj.git (push)
upstream https://github.com/martinvonz/jj.git (fetch)
upstream https://github.com/martinvonz/jj.git (push)
randall in igra in jj on main [$] is 📦 v0.4.0 via 🦀 v1.62.0
❯ git pull
Already up to date.
randall in igra in ~/code/jj_jj is 📦 v0.4.0 via 🦀 v1.62.0
❯ jj git remote remove origin
randall in igra in ~/code/jj_jj is 📦 v0.4.0 via 🦀 v1.62.0
❯ jj git remote add origin [email protected]:ClashTheBunny/jj.git
randall in igra in ~/code/jj_jj is 📦 v0.4.0 via 🦀 v1.62.0
❯ jj git fetch
Error: Unexpected git error when fetching: ERROR: You're using an RSA key with SHA-1, which is no longer allowed. Please use a newer client or a different key type.
Please see https://github.blog/2021-09-01-improving-git-protocol-security-github/ for more information.
; class=Ssh (23); code=Eof (-20)
This does look like something upstream, given how thin the wrap is around authentication there. Especially since the error message does seem to be the upstream github message. I looked at git2 and libssh2's changelogs, and nothing jumped out about SHA-1. It does look like there's two years of updates to libssh2's wrapper since the version in libgit2-sys's Cargo.toml.
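Added example, not part of any comment above or of jj's code: a shell check that classifies the key types in ssh-add -L output, since GitHub's rejection concerns the SHA-1 ssh-rsa signature scheme, and an agent holding only RSA keys then depends on the client being able to sign with rsa-sha2-256 or rsa-sha2-512. The function name, verdict strings and sample key line are constructed for illustration.

```shell
#!/bin/sh
# Classify the public keys an ssh-agent offers.
# Input:  `ssh-add -L` output on stdin.
# Output: one verdict word on stdout.
#   non-rsa-available  a non-RSA key (ed25519, ecdsa, sk-*) is loaded, so
#                      authentication does not depend on RSA signatures
#   rsa-only           every loaded key is RSA; the client library must
#                      sign with rsa-sha2-256/512, not SHA-1 "ssh-rsa"
#   no-keys            the agent is empty or its output had no key lines
classify_agent_keys() {
    rsa=0
    other=0
    # Each key line is "<type> <base64 blob> [comment]".
    while read -r type blob _rest; do
        [ -n "$blob" ] || continue      # skip blank or one-word lines
        case "$type" in
            ssh-rsa*)                          # plain RSA key or RSA certificate
                rsa=$((rsa + 1)) ;;
            ssh-ed25519*|ecdsa-sha2-*|sk-*)    # ed25519, ECDSA, FIDO-backed keys
                other=$((other + 1)) ;;
            *) ;;                              # e.g. "The agent has no identities."
        esac
    done
    if [ "$other" -gt 0 ]; then
        echo non-rsa-available
    elif [ "$rsa" -gt 0 ]; then
        echo rsa-only
    else
        echo no-keys
    fi
}

# Constructed sample resembling the report: the agent holds a single RSA key.
# The blob is a truncated placeholder, not a real key.
SAMPLE_RSA_ONLY='ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC7 constructed@example'
printf '%s\n' "$SAMPLE_RSA_ONLY" | classify_agent_keys

# Against a live agent:
#   ssh-add -L 2>/dev/null | classify_agent_keys
```

A verdict of rsa-only matches the situation in this report: the key is accepted when OpenSSH signs with it and rejected when a client offers only the SHA-1 scheme.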