oxygen-git-client-addon
oxygen-git-client-addon copied to clipboard
oxygenxml
Error "Too Many Authentication Failures" when using ssh URLs to Gerrit server
On Feb 27, Alex Smarandache opened an internal ticket as a response to one of Tech Writer Leads reporting repo errors when using SSH Git URLs to our Gerrit server, which uses JGit as well.
Alex had her, Shilpa, download jgit and execute the shell script jgit.sh to see if it gave the same error messages as the Add-on, and it did. Alex mentioned that he would raise the issue with the JGit project, but I don't see any recent tickets in their bugzilla that sounds similar to the problems as we've been experiencing them. https://bugs.eclipse.org/bugs/buglist.cgi?quicksearch=ssh%20product%3Ajgit
Can you provide updates here so our dev team can track it and come up with a mitigation strategy in the mean time? I'd rather not rely on one of our Tech Writers having to relay updates to our dev team. Thanks.
Hi John,
Before we put the issue on JGit, we want to install Gerrit and reproduce the problem to be able to provide the exact steps.
Our DevOps are busy with the release of Oxygen 25.1 and for this reason it is taking longer.
Also, JGit 6.5.0 will be released on March 15, 2023 and we would like to post the issue after we are sure that the problem is reproduced on this version as well.
Understood. Thanks for the update. Is v25.1 a March or April drop?
On Tue, Mar 7, 2023 at 4:21 AM Alexandru Smarandache < @.***> wrote:
Hi John,
Before we put the issue on JGit, we want to install Gerrit and reproduce the problem to be able to provide the exact steps.
Our DevOps are busy with the release of Oxygen 25.1 and for this reason it is taking longer.
Also, JGit 6.5.0 will be released on March 15, 2023 and we would like to post the issue after we are sure that the problem is reproduced on this version as well.
— Reply to this email directly, view it on GitHub https://github.com/oxygenxml/oxygen-git-client-addon/issues/175#issuecomment-1457915303, or unsubscribe https://github.com/notifications/unsubscribe-auth/AAA7OH4T3PDT3VGTR6IT6BTW24DZBANCNFSM6AAAAAAVRL3XLY . You are receiving this because you authored the thread.Message ID: @.***>
It looks like EGit in Eclipse might suffer from the same issue. I saw on some ticket that JGit might be trying the various keys in a different order than the Git command line, perhaps many in parallel, which the server interprets as a possible brute force hack attempt by trying more than the server configured maximum. In our Gerrit server, it's 4 maximum.
I get the same error in Eclipse:
as I get in Oxygen. Here's the clone dialog:
and in the Git Staging view
But the command line works fine:
According to https://bugs.chromium.org/p/gerrit/issues/detail?id=12599:
Since jgit 5.2 there is an alternative ssh implementation in jgit based on mina sshd [1]. In 5.3 we switched the default for EGit to this new implementation [2]. I think this new implementation can be considered stable.
This became an issue when our Gerrit server changed which type of keys it prefers. Our writers had to add to their ~/.ssh/config:
HostKeyAlgorithms +ssh-rsa
PubkeyAcceptedKeyTypes +ssh-rsa
Is there any update on this issue? Are you considering an option in the Oxygen SSH preferences to choose between JGit's different ssh libraries, Java SSH std library or Mina?
We've been asked to test your upcoming LFS support, but this issue will make it harder, albeit not impossible to test, as we can create a test a Gitlab repo with LFS on another server than we usually do.
Hi John,
We already have a system property to use Jsch: useJschForSSHOperations.
To set it, you can start Oxygen from the command line and add "-DuseJschForSSHOperations" as a parameter.
I think the system property when starting the "oxygen.exe" from the command line needs to have an "oxy" prefix and look something like: https://www.oxygenxml.com/doc/versions/25.1/ug-editor/topics/set-parameter-in-startup-script.html
oxygen25.1.exe "-DoxyuseJschForSSHOperations=true"
