bug#70034: Hostkey error when pulling or building from private git repository

bug#70034: Hostkey error when pulling or building from private git repository

[Atte Torri via Bug reports for GNU Guix]

[-- Attachment #1: Type: text/plain, Size: 906 bytes --]

Hello, 

I get an error message when trying to `guix pull` a channel from a private git repository or when trying to `guix build` a package from a private git repository 
Previously it worked great up until a few days ago. I have tested it on multiple machines and get the same error, as well as for private repositories hosted on gitlab and github. 

This is the error message I get when I pull (for build it is essentially the same) 

atte@beryllium:~$ guix pull 
Updating channel 'guix-test' from Git repository at 'git@github.com:Blixodus/guix-test.git'... 
guix pull: error: Git error: failed to set hostkey preference: The requested method(s) are not currently supported 


And this is how I define channels in .config/guix/channels.scm, with a url to a private git repository by ssh 

(list (channel 
(name 'guix-test) 
(url "git@github.com:Blixodus/guix-test.git") 
(branch "main"))) 

Atte Torri 

[-- Attachment #2: Type: text/html, Size: 1596 bytes --]

bug#70034: Hostkey error when pulling or building from private git repository

[Tim Johann]

[-- Attachment #1.1: Type: text/plain, Size: 784 bytes --]

Hi there,

I have experienced the same problem, and have a little piece of the puzzle.  As I looked at the server hosting my own private channel I saw the line

Unable to negotiate with XXX.XXX.XXX.XXX port 45072: no matching host key type found. Their offer: ssh-rsa [preauth]

which means that the guix pull command only uses a Hostkey using an algorithm that is not in the default configuration of the sshd HostKeyAlgorithms (as it is considered too weak for keys of a size <2048 bits?).

The workaround I am using is a line

HostKeyAlgorithms +ssh-rsa

in my server's sshd_config (and using a key of a size of 4096 bits).

Nevertheless, I would like to see guix pull using a host key with a different algorithm - or a larger variety of host keys.

Hoping that helps,

Cheers

Tim

[-- Attachment #1.2: Type: text/html, Size: 2722 bytes --]

bug#70034: Hostkey error when pulling or building from private git repository

[Frederickson, Jonathan via Bug reports for GNU Guix]

[-- Attachment #1: Type: text/plain, Size: 671 bytes --]

I just ran into this issue as well. I spent some time bisecting last
night and tracked it down to a change in guile-git's dependency on
libgit2:

  9f00975f55e569fc3ba204fc34261a942a19b4e5 is the first bad commit
  commit 9f00975f55e569fc3ba204fc34261a942a19b4e5
  Author: Ludovic Courtès <ludo@gnu.org>
  Date:   Mon Feb 26 22:15:57 2024 +0100
  
      gnu: guile-git: Depend on libgit2 1.7.
      
      * gnu/packages/guile.scm (guile-git)[inputs]: Replace LIBGIT2-1.3 
with
      LIBGIT2-1.7.
      
      Change-Id: Ia386f977b0888b7bd9b26443ac6150428fda2155
  
   gnu/packages/guile.scm | 4 +---
   1 file changed, 1 insertion(+), 3 deletions(-)

[-- Attachment #2: smime.p7s --]
[-- Type: application/pkcs7-signature, Size: 4655 bytes --]

bug#70034: Hostkey error when pulling or building from private git repository

[Frederickson, Jonathan via Bug reports for GNU Guix]

[-- Attachment #1: Type: text/plain, Size: 648 bytes --]

It looks like this is https://github.com/libgit2/libgit2/issues/6612

And one of the comments on that issue from the libgit2 maintainer made
me realize there's a workaround. Using github.com as an example since
the initial report was having trouble with a channel on github, if you
run this:

$ ssh-keyscan github.com >> ~/.ssh/known_hosts

...it seems to fix the issue, because ssh-keyscan fetches host keys of
all types from the remote host, rather than just one (as seems to
happen when you connect to a remote host via SSH normally).

Obviously would prefer a proper fix, but this is a relatively low-
impact workaround for now.

[-- Attachment #2: smime.p7s --]
[-- Type: application/pkcs7-signature, Size: 4655 bytes --]

bug#70034: Hostkey error when pulling or building from private git repository

[David Pflug]

As another data point, I'm encountering this issue as well and
ssh-keyscan didn't resolve it.

I'm not following the code flow to try to help with this (yet?).

I can say that libgit2 doesn't seem to've made any relevant changes
since the release of 1.8.1 in May.