unofficial mirror of bug-guix@gnu.org 
* bug#64648: Can't clone a git repo over anonymous SSH
@ 2023-07-15 13:25 Edouard Klein
  2023-07-20 13:17 ` Maxim Cournoyer
  0 siblings, 1 reply; 4+ messages in thread
From: Edouard Klein @ 2023-07-15 13:25 UTC (permalink / raw)
  To: 64648

Hi all !

I'm trying to write a package for a repo that's accessible through an
anonymous SSH access.

The repo can be cloned with:
git clone git@the-dam.org:permaudit
without any issues.

However, when I use the package definition below, I get the following
error:
guix build: error: Git failure while fetching ssh://git@the-dam.org/permaudit: failed to start SSH session: Unable to exchange encryption keys

Some googling leads me to believe this is a mismatch between the
client's accepted ciphers and the server's accepted ciphers, but both
machines are up-to-date guix systems, so I'm not sure it's that.

I don't want to install an HTTP bridge, git is fine via SSH.

If anybody has any idea, I'm all ears.

Thanks !

Edouard.




(use-modules (guix packages)
             (guix git)                 ; git-checkout
             (guix git-download)        ; git-version
             (guix build-system gnu)
             ((guix licenses) #:prefix license:)
             (gnu packages base)        ; coreutils, findutils
             (gnu packages bash))       ; bash-minimal

(define-public permaudit
  (let ((revision "0")
        (commit "1cd9fe303076d7656469dbfc455d63aff70d62ed"))
    (package
      (name "permaudit")
      (version (git-version "20230714" revision commit))
      (source
       (git-checkout
        (url "ssh://git@the-dam.org/permaudit")
        (commit commit)))
      (build-system gnu-build-system)
      (arguments
       `(#:tests? #f                    ; no tests
         #:phases
         (modify-phases %standard-phases
           (replace 'configure          ; no configure script but taking this
                                        ; opportunity to replace the hard
                                        ; coded path to permaudit.sh
             (lambda* (#:key inputs outputs #:allow-other-keys)
               (let* ((out (assoc-ref outputs "out"))
                      (bin (string-append out "/bin"))
                      (bash (assoc-ref inputs "bash-minimal"))
                      ;; find(1) comes from findutils, not coreutils
                      (find (assoc-ref inputs "findutils")))
                 (substitute* "permaudit_wrapper.c"
                   (("/usr/bin/permaudit.sh")
                    (string-append bin "/permaudit.sh"))
                   (("/bin/bash")
                    (string-append bash "/bin/bash")))
                 (substitute* "permaudit.sh"
                   (("/bin/bash")
                    (string-append bash "/bin/bash"))
                   (("find")
                    (string-append find "/bin/find"))))))
           (replace 'install            ; no install target
             (lambda* (#:key outputs #:allow-other-keys)
               (let* ((out (assoc-ref outputs "out"))
                      (bin (string-append out "/bin")))
                 ;; Those chmod won't be respected in the store anyway
                 ;; (the store is read-only, and you can't setuid a binary in it)
                 ;; but this is the spirit of upstream's makefile target "install"
                 (chmod "permaudit.sh" #o644)
                 (install-file "permaudit.sh" bin)
                 (chmod "permaudit" #o4754)
                 (install-file "permaudit" bin)))))))
      (inputs
       (list bash-minimal coreutils findutils))
      (synopsis "Permission audit tool")
      (home-page "https://the-dam.org/docs/explanations/permaudit.html")
      (description
       "Permaudit lets you see who can read or write on the specified directory.")
      (license license:agpl3+))))




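The cipher-mismatch hypothesis raised in the message above, as an added example that is not part of the original post and is not libssh2 or libgit2 code: a C sketch of the RFC 4253 section 7.1 rule that the first algorithm on the client's list also present on the server's list is chosen, and that negotiation fails when a category has no common entry. The function names are hypothetical, the algorithm lists are constructed samples (not captured from the-dam.org or from Guix's libssh2), and the extra kex/host-key compatibility conditions of the RFC are left out.

```c
#include <stdio.h>
#include <string.h>

/* Constructed sample name-lists, one per category: kex, host key, cipher, MAC. */
static const char *const CATEGORY[] = {"kex", "host key", "cipher", "mac"};
static const char *const SAMPLE_CLIENT[] = {
    "diffie-hellman-group14-sha1", "ssh-rsa", "aes128-ctr", "hmac-sha2-256"};
static const char *const SAMPLE_SERVER[] = {
    "curve25519-sha256", "ssh-ed25519,rsa-sha2-512",
    "aes128-ctr,aes256-ctr", "hmac-sha2-256"};

/* Return 1 if name (length n) is an exact element of the comma-separated list. */
static int in_list(const char *name, size_t n, const char *list) {
    while (*list) {
        size_t len = strcspn(list, ",");
        if (len == n && memcmp(list, name, n) == 0) return 1;
        list += len;
        if (*list == ',') list++;
    }
    return 0;
}

/* Copy the first client algorithm the server also offers into out.
   Returns 0 on success, -1 when the two lists do not intersect. */
int negotiate(const char *client, const char *server, char *out, size_t outsz) {
    while (*client) {
        size_t len = strcspn(client, ",");
        if (len > 0 && len < outsz && in_list(client, len, server)) {
            memcpy(out, client, len);
            out[len] = '\0';
            return 0;
        }
        client += len;
        if (*client == ',') client++;
    }
    return -1;
}

/* Index of the first category with no common algorithm, or -1 if all agree. */
int first_failing_category(const char *const c[], const char *const s[], int n) {
    char chosen[64];
    for (int i = 0; i < n; i++)
        if (negotiate(c[i], s[i], chosen, sizeof chosen) != 0) return i;
    return -1;
}

int main(void) {
    int bad = first_failing_category(SAMPLE_CLIENT, SAMPLE_SERVER, 4);
    printf("%s\n", bad < 0 ? "all categories negotiated" : CATEGORY[bad]);
    return 0;
}
```

Feeding it the lists a client library and a server actually advertise shows which category, if any, has no overlap.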

* bug#64648: Can't clone a git repo over anonymous SSH
  2023-07-15 13:25 bug#64648: Can't clone a git repo over anonymous SSH Edouard Klein
@ 2023-07-20 13:17 ` Maxim Cournoyer
  2023-07-31  9:18   ` Edouard Klein
  0 siblings, 1 reply; 4+ messages in thread
From: Maxim Cournoyer @ 2023-07-20 13:17 UTC (permalink / raw)
  To: Edouard Klein; +Cc: 64648

Hi,

Edouard Klein <edou@rdklein.fr> writes:

> Hi all !
>
> I'm trying to write a package for a repo that's accessible through an
> anonymous SSH access.
>
> The repo can be cloned with:
> git clone git@the-dam.org:permaudit
> without any issues.
>
> However, when I use the package definition below, I get the following
> error:
> guix build: error: Git failure while fetching ssh://git@the-dam.org/permaudit: failed to start SSH session: Unable to exchange encryption keys
>
> Some googling leads me to believe this is a mismatch between the
> client's accepted ciphers and the server's accepted ciphers, but both
> machines are up-to-date guix systems, so I'm not sure it's that.
>
> I don't want to install an HTTP bridge, git is fine via SSH.
>
> If anybody has any idea, I'm all ears.

Don't they also offer a HTTP(S) access?  I think libssh as used by
libgit2 expects an SSH agent running... I remember wrestling with it in a
CI context.

-- 
Thanks,
Maxim





* bug#64648: Can't clone a git repo over anonymous SSH
  2023-07-20 13:17 ` Maxim Cournoyer
@ 2023-07-31  9:18   ` Edouard Klein
  2023-08-01 14:15     ` Maxim Cournoyer
  0 siblings, 1 reply; 4+ messages in thread
From: Edouard Klein @ 2023-07-31  9:18 UTC (permalink / raw)
  To: Maxim Cournoyer; +Cc: 64648

Hi !

>
> Don't they also offer a HTTP(S) access?  I think libssh as used by
> libgit2 expects an SSH agent running... I remember wrestling with it in a
> CI context.

Well, "they" is me :) I finally opened up anonymous access via git://
but I'm not ecstatic about it, it's one more daemon that can be pwnd.

https://gitlab.com/edouardklein/guix/-/commit/40e320d14b4c583214cdbd45fb47453c5ebb762a

The dedicated service did not work so I rolled my own as a
shepherd-root-service. I did not have the time to look into the issue.

So the problem remains, but is less urgent because it has been worked
around for now. Fixing this upstream seems like a hard battle.





* bug#64648: Can't clone a git repo over anonymous SSH
  2023-07-31  9:18   ` Edouard Klein
@ 2023-08-01 14:15     ` Maxim Cournoyer
  0 siblings, 0 replies; 4+ messages in thread
From: Maxim Cournoyer @ 2023-08-01 14:15 UTC (permalink / raw)
  To: Edouard Klein; +Cc: 64648

Hello,

Edouard Klein <edou@rdklein.fr> writes:

> Hi !
>
>>
>> Don't they also offer a HTTP(S) access?  I think libssh as used by
>> libgit2 expects an SSH agent running... I remember wrestling with it in a
>> CI context.
>
> Well, "they" is me :) I finally opened up anonymous access via git://
> but I'm not ecstatic about it, it's one more daemon that can be pwnd.
>
> https://gitlab.com/edouardklein/guix/-/commit/40e320d14b4c583214cdbd45fb47453c5ebb762a
>
> The dedicated service did not work so I rolled my own as a
> shepherd-root-service. I did not have the time to look into the issue.
>
> So the problem remains, but is less urgent because it has been worked
> around for now. Fixing this upstream seems like a hard battle.

OK; I think the best course of action here would be to come up with a
minimal reproducer written in C using all the API available of libgit2
or libssh2 (which is used by libgit2) and report any issue to their
issue tracker and/or work toward a fix.

It'd be interesting to see how libssh compares, and perhaps attempting
to revive this pull request which adds 'libssh' as a backend to libgit2
here [0]

[0]  https://github.com/libgit2/libgit2/pull/5253

-- 
Thanks,
Maxim




Code repositories for project(s) associated with this public inbox

	https://git.savannah.gnu.org/cgit/guix.git
