Error after update from 2.31.1 -> 2.36: Unable to negotiate with IP port X: no matching host key type found.

Error after update from 2.31.1 -> 2.36: Unable to negotiate with IP port X: no matching host key type found.

[Elektronik (C.Gerhardt GmbH & Co. KG)]

Hey at all, 
 
don't know if this is the right way to report a bug although I read so in https://git-scm.com/community. Never used mailing lists before so I hope I am doing well... 
 
I found that after an update from git 2.31.1. to 2.36 the authentication to our git server (running gitea 1.13.1) fails. We are getting the following error: 
 
$ git clone ssh://git@192.168.101.69:4711/CG/DT_installer_script.git
Cloning into 'DT_installer_script'...
Unable to negotiate with 192.168.101.69 port 4711: no matching host key type found. Their offer: ssh-rsa
fatal: Could not read from remote repository.
 
Please make sure you have the correct access rights
and the repository exists.
 
The SSH keys were generated with Puttygen, converted to openSSH format and are stored in c:\users\USER\.ssh\
The keys have not been changed after the update. 
 
With Version 2.31.1 it is working fine but after upgrading to 2.36 I get the above error. 
Am I doing something wrong or is this a buggy behaviour? 
OS: Win 10
 
Best regards, 
 

i.A. Stefan Mayrhofer 
C. Gerhardt GmbH & Co. KG 
Cäsariusstraße 97 
D-53639 Königswinter 

Tel.: +49 2223 2999 513 
Fax: +49 2223 2999 99 
Mail: mailto:elektronik@gerhardt.deWeb: https://www.gerhardt.de
   
----------------------------------------------------------------------------------- 
Persönlich haftende Gesellschafter: Dr. Macke GmbH, Königswinter - Vertretungsberechtigte Geschäftsführer: Jan Macke, Tom Macke 
Registergericht: Amtsgericht Siegburg - Registernummer: HRA4275 - WEEE: Reg.-Nr. DE 54940101 

Aus Rechts- und Sicherheitsgruenden ist die in dieser E-Mail gegebene Information nicht rechtsverbindlich. Eine rechtsverbindliche Bestaetigung reichen wir Ihnen gerne auf Anforderung in schriftlicher Form nach.Beachten Sie bitte, dass jede Form der unautorisierten Nutzung, Veroeffentlichung, Vervielfaeltigung oder Weitergabe des Inhalts dieser E-Mail nicht gestattet ist. Diese Nachricht ist ausschliesslich fuer den bezeichneten Adressaten oder dessen Vertreter bestimmt. Sollten Sie nicht der vorgesehene Adressat dieser E-Mail oder dessen Vertreter sein, so bitten wir Sie, sich mit dem Absender der E-Mail in Verbindung zu setzen. 
For legal and security reasons the information provided in this e-mail is not legally binding. Upon request we would be pleased to provide you with a legally binding confirmation in written form. Any form of unauthorised use, publication, reproduction, copying or disclosure of the content of this email is not permitted. This message is exclusively for the person addressed or their representative. If you are not the intended recipient of this message and its contents, please notify the sender immediately. 

Re: Error after update from 2.31.1 -> 2.36: Unable to negotiate with IP port X: no matching host key type found.

[Carlo Marcelo Arenas Belón]

On Tue, Apr 26, 2022 at 02:05:14PM +0000, Elektronik (C.Gerhardt GmbH & Co. KG) wrote:
>  
> I found that after an update from git 2.31.1. to 2.36 the authentication to our git server (running gitea 1.13.1) fails. We are getting the following error: 

I am guessing the issue might be the one documented in the following git for
windows issue:

  https://github.com/git-for-windows/git/issues/3468

The problem is not with git (neither a git for windows) specific issue, but
with the underlying version of openssh that is used in your server and the
best course of option is to upgrade that and generate a new host key, but
there are other options shown in that ticket that might help in the meanwhile.

Carlo

RE: Error after update from 2.31.1 -> 2.36: Unable to negotiate with IP port X: no matching host key type found.

[rsbecker]

On April 26, 2022 10:49 AM, Carlo Marcelo Arenas Belón wrote:
>On Tue, Apr 26, 2022 at 02:05:14PM +0000, Elektronik (C.Gerhardt GmbH & Co. KG)
>wrote:
>>
>> I found that after an update from git 2.31.1. to 2.36 the authentication to our git
>server (running gitea 1.13.1) fails. We are getting the following error:
>
>I am guessing the issue might be the one documented in the following git for
>windows issue:
>
>  https://github.com/git-for-windows/git/issues/3468
>
>The problem is not with git (neither a git for windows) specific issue, but with the
>underlying version of openssh that is used in your server and the best course of
>option is to upgrade that and generate a new host key, but there are other
>options shown in that ticket that might help in the meanwhile.

I noticed this prior to 2.36.0, so I do no think it is related to git. Switching OpenSSH versions triggered this situation.

Re: Error after update from 2.31.1 -> 2.36: Unable to negotiate with IP port X: no matching host key type found.

[brian m. carlson]

[-- Attachment #1: Type: text/plain, Size: 1669 bytes --]

On 2022-04-26 at 14:49:14, Carlo Marcelo Arenas Belón wrote:
> On Tue, Apr 26, 2022 at 02:05:14PM +0000, Elektronik (C.Gerhardt GmbH & Co. KG) wrote:
> >  
> > I found that after an update from git 2.31.1. to 2.36 the authentication to our git server (running gitea 1.13.1) fails. We are getting the following error: 
> 
> I am guessing the issue might be the one documented in the following git for
> windows issue:
> 
>   https://github.com/git-for-windows/git/issues/3468
> 
> The problem is not with git (neither a git for windows) specific issue, but
> with the underlying version of openssh that is used in your server and the
> best course of option is to upgrade that and generate a new host key, but
> there are other options shown in that ticket that might help in the meanwhile.

Yes, the error message you're seeing indicates that your version of
OpenSSH, which is used by Git for Windows, has disabled the insecure
ssh-rsa signature algorithm.  Keys using the ssh-rsa key type, which can
use ssh-rsa as the signature algorithm or the secure rsa-sha2-256 and
rsa-sha2-512, can continue to be used if you support the new signature
types.

The problem is that Gitea uses the Go SSH library, which inherits this
problem.  Gitea is tracking this as [0].  The easiest way to solve this
would be to add a host key that is Ed25519, which won't have the same
problem.

The issue I mentioned above also has a workaround to re-enable the
ssh-rsa signature type if you can't do that, but of course that's
insecure.

[0] https://github.com/go-gitea/gitea/issues/17798
-- 
brian m. carlson (he/him or they/them)
Toronto, Ontario, CA

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 262 bytes --]

AW: Error after update from 2.31.1 -> 2.36: Unable to negotiate with IP port X: no matching host key type found.

[Elektronik (C.Gerhardt GmbH & Co. KG)]

Thanks for the responses and explanations. I have understood that the old ssh-rsa is deprecated and will update to the new certificates and current git release by next week. Until then we'll keep the older 2.31 version so that I can work for now. As the server is located in our local network that is no big security issue.

Best regards, 

i.A. Stefan Mayrhofer 
C. Gerhardt GmbH & Co. KG 
Cäsariusstraße 97 
D-53639 Königswinter 

Tel.: +49 2223 2999 513 
Fax: +49 2223 2999 99 
Mail: elektronik@gerhardt.de 
Web: www.gerhardt.de 
----------------------------------------------------------------------------------- 
Persönlich haftende Gesellschafterin: Dr. Macke GmbH, Königswinter - Vertretungsberechtigte Geschäftsführer: Jan Macke, Tom Macke 
Registergericht: Amtsgericht Siegburg - Registernummer: HRA4275 - WEEE: Reg.-Nr. DE 54940101 

Aus Rechts- und Sicherheitsgruenden ist die in dieser E-Mail gegebene Information nicht rechtsverbindlich. Eine rechtsverbindliche Bestaetigung reichen wir Ihnen gerne auf Anforderung in schriftlicher Form nach.Beachten Sie bitte, dass jede Form der unautorisierten Nutzung, Veroeffentlichung, Vervielfaeltigung oder Weitergabe des Inhalts dieser E-Mail nicht gestattet ist. Diese Nachricht ist ausschliesslich fuer den bezeichneten Adressaten oder dessen Vertreter bestimmt. Sollten Sie nicht der vorgesehene Adressat dieser E-Mail oder dessen Vertreter sein, so bitten wir Sie, sich mit dem Absender der E-Mail in Verbindung zu setzen. 
For legal and security reasons the information provided in this e-mail is not legally binding. Upon request we would be pleased to provide you with a legally binding confirmation in written form. Any form of unauthorised use, publication, reproduction, copying or disclosure of the content of this email is not permitted. This message is exclusively for the person addressed or their representative. If you are not the intended recipient of this message and its contents, please notify the sender immediately. 
-----Ursprüngliche Nachricht-----
Von: brian m. carlson <sandals@crustytoothpaste.net> 
Gesendet: Dienstag, 26. April 2022 23:24
An: Carlo Marcelo Arenas Belón <carenas@gmail.com>
Cc: Elektronik (C.Gerhardt GmbH & Co. KG) <elektronik@gerhardt.de>; git@vger.kernel.org; CRM (C.Gerhardt GmbH & Co. KG) <crm@gerhardt.de>
Betreff: Re: Error after update from 2.31.1 -> 2.36: Unable to negotiate with IP port X: no matching host key type found.

On 2022-04-26 at 14:49:14, Carlo Marcelo Arenas Belón wrote:
> On Tue, Apr 26, 2022 at 02:05:14PM +0000, Elektronik (C.Gerhardt GmbH & Co. KG) wrote:
> >  
> > I found that after an update from git 2.31.1. to 2.36 the authentication to our git server (running gitea 1.13.1) fails. We are getting the following error: 
> 
> I am guessing the issue might be the one documented in the following git for
> windows issue:
> 
>   https://github.com/git-for-windows/git/issues/3468
> 
> The problem is not with git (neither a git for windows) specific issue, but
> with the underlying version of openssh that is used in your server and the
> best course of option is to upgrade that and generate a new host key, but
> there are other options shown in that ticket that might help in the meanwhile.

Yes, the error message you're seeing indicates that your version of
OpenSSH, which is used by Git for Windows, has disabled the insecure
ssh-rsa signature algorithm.  Keys using the ssh-rsa key type, which can
use ssh-rsa as the signature algorithm or the secure rsa-sha2-256 and
rsa-sha2-512, can continue to be used if you support the new signature
types.

The problem is that Gitea uses the Go SSH library, which inherits this
problem.  Gitea is tracking this as [0].  The easiest way to solve this
would be to add a host key that is Ed25519, which won't have the same
problem.

The issue I mentioned above also has a workaround to re-enable the
ssh-rsa signature type if you can't do that, but of course that's
insecure.

[0] https://github.com/go-gitea/gitea/issues/17798
-- 
brian m. carlson (he/him or they/them)
Toronto, Ontario, CA