From: "Matthew Todd" <matthew@zerobitcoder.net>
To: help-guix@gnu.org
Date: Sun, 29 Dec 2024 05:09:03 -0800
Message-Id: <0b9479a3-abd7-4ccf-a8e7-214b34d83a4f@app.fastmail.com>
Subject: Guix pull channels via git over ssh with ed25519 host key

Hi GNU Guix developers / packagers,

I have a couple of private Guix channels on a git server on my LAN. Using a recent guix binary I am unable to pull from these channels.

I believe the issue is that the libssh2 package in gnu/packages/ssh.scm is compiled with libgcrypt (--with-libgcrypt), which causes it to disable support for ed25519 host keys, and possibly others. This leaves only "ssh-rsa" available for libgit2, which appears to be failing because libssh2 doesn't support it due to being deprecated, leaving no host key methods available.
Example channels.scm excerpt:

  (channel
    (name 'my-guix-channel)
    (url "git@my-git-server.local:repos/my-guix-channel.git")
    (branch "master"))

The error:

  guix pull: error: Git error: failed to start SSH session: Unable to exchange encryption keys

If Guix does not intend to support git over ssh, then I recommend adding something to the Guix documentation about this. Even if support is intended long term, it would help to mention which protocols are currently supported / working versus which are experimental.

If Guix does intend to support git over ssh, then I suspect the fix will require some subset of:

* Updating the libssh2 Guix package
* Switching the Guix libgit2 package from libssh2 to OpenSSH
* Switching the Guix libssh2 package away from libgcrypt to libopenssl
* Updates to libssh2 upstream so that it supports ed25519 when configured with libgcrypt. (Might also apply to other host key methods as well. From one libssh2 Github issue I read, this may require changes to libgcrypt as well - I'm not sure.)

Additional info:

* Full disclosure: my knowledge of libgit2 and libssh2 was zero before starting to debug this issue a couple of days ago. I could be missing some things.
* I am running Guix on a Debian foreign distro, installed via the Debian apt package manager. Debian stable "bookworm" version 12.8.
* "my-git-server.local" is another Debian stable on my LAN with a git user serving git repositories over SSH. This was in place and working prior to my starting with Guix. It is the default sshd install, with the only change being to disable password authentication. No changes to host key or kex algorithms.
* My ssh key is an ssh-ed25519. From what I remember, it was created with the default Debian ssh client settings 3 or 4 years ago. Client configuration in ~/.ssh/config for the git server host only specifies the git user, the ssh key to use, and to add the ssh key to the ssh-agent automatically. No changes to host key or kex algorithms.
* It appears to be necessary to add the SSH key for the git server to the ssh agent prior to calling `guix pull`.
* The Debian provided guix binary `/usr/bin/guix`, version 1.4.0 (from 2022), is able to use the channel definitions with git over SSH. I have not investigated why this is.
* The Guix provided guix binary `$HOME/.config/guix/current/bin/guix` I was testing with is version f3f3cb06b0a852f96a1f76f6168307583e6dfac5 (updated around 2024-12-27).
* By default, the Guix provided guix is using libgit2 (version 1.8.4), which uses libssh2 (version 1.10.0), to connect to the git server over SSH.
* libgit2 provides a command line interface ("git2") which supports cloning repositories. Installing it (via guix) and calling it gives the same error. So the issue is not with Guix code itself. All of my subsequent testing was via this command line tool:

  git2 clone git@my-git-server.local:repos/some-git-repo.git /tmp/some-git-repo

* guix provided (and Debian provided) standard git binaries are able to clone the guix channel without issue. Only libgit2 has the issue.
* From the log message + gdb, I see that the error is coming from within libssh2. Specifically, kex_agree_kex_hostkey manages to find a kex algorithm that the client and host agree on, but then fails on the host key agreement, because libssh2 does not include "ssh-rsa" as one of its allowed host key algorithms:

  Breakpoint 2, kex_agree_instr (haystack=0x593adf "rsa-sha2-512,rsa-sha2-256,ecdsa-sha2-nistp256,ssh-ed25519", haystack_len=57, needle=0x56f5b0 "ssh-rsa", needle_len=7) at kex.c:3296

* The libssh2 project has released versions 1.11.0 and 1.11.1. Using the guix package transformation option `--with-source` (plus --without-tests and some options to enable debugging) when installing libssh2, I tried both. They gave the same error message.
** FYI: libssh2 1.11.0 and 1.11.1 fail to build due to some tests. Hence --without-tests.
* For further investigation, I grabbed libssh2-1.11.1 and libgit2-1.8.4 code and modified them to print libssh2 trace information and additional debug prints that I added. libgit2 uses the known_hosts to determine that the following host keys are preferred: "ssh-ed25519,ecdsa-sha2-nistp256,ssh-rsa". It passes this to libssh2's libssh2_session_method_pref, which filters out unsupported methods, leaving only "ssh-rsa". Looking at the filtering code, it uses libssh2's hostkey.c's hostkey_methods array, which is defined at compile time using #ifdefs. I confirmed that the methods for ed25519 are not included. I believe this is because LIBSSH2_ED25519 is #defined to "0" in libssh2's libgcrypt.h. (In libssh2's openssl.h it is #defined based on OPENSSL_VERSION_NUMBER. And it only seems to be #defined to a non-zero value for openssl.)
* libgit2 version 1.8.0 introduced the ability to use OpenSSH instead of libssh2, by providing `-DUSE_SSH=exec` during the build. This gave yet another error. I did not pursue this option any further and cannot currently comment on its feasibility. The error:

  fatal: bad argument git2: could not read refs from remote repository

* The libgit2 project has released version 1.9.0 in the past day. I have not tried it.
* I tried a few of the older versions of libgit2 (the ones packaged in Guix already). I got the same error.
* I have not tried using older versions of libssh2. I suspect they will not work as the SSH server probably no longer supports SHA1, and older libssh2 versions (I think) do not support upgrading the SHA.

I hope this is helpful.

P.S.: Guix's package transformation options were awesome and made debugging and testing this a lot easier than I was expecting. Especially given this was my first serious foray into using more advanced Guix features. Awesome work. Thank you for making GNU Guix.

Cheers,
Matthew Todd
matthew@zerobitcoder.net
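The host-key agreement the mail traces through libgit2 and libssh2 (preference order taken from known_hosts, filtered down to what the libssh2 build was compiled with, then matched against the server's list) can be modelled offline. The following is an added example, not code from the mail, from libssh2, libgit2 or Guix. The server and client name-lists are the ones quoted in the mail; the known_hosts contents, the per-backend "supported" sets and the way the preference is derived from known_hosts are assumptions that model the mail's description (hashed |1| known_hosts entries are deliberately out of scope). It goes slightly beyond the mail by running the same negotiation for both a libgcrypt-style and an OpenSSL-style build side by side.

```python
"""Model of the SSH host-key agreement described in the mail above.

Added example, not code from the mail, libssh2, libgit2 or Guix.  Host
key name-lists are those quoted in the mail; the per-backend "supported"
sets and the known_hosts-derived preference are assumptions that model
the mail's description of libssh2's hostkey_methods filtering and of
libgit2's known_hosts lookup (hashed |1| entries are not handled).
"""
from __future__ import annotations

# server_host_key_algorithms the server advertised (the "haystack" in the
# gdb breakpoint quoted in the mail).
SERVER_HOSTKEY_ALGS = "rsa-sha2-512,rsa-sha2-256,ecdsa-sha2-nistp256,ssh-ed25519"

# Constructed known_hosts content: the key blobs are placeholders, not real keys.
KNOWN_HOSTS = """\
my-git-server.local ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAI-placeholder-not-a-real-key
my-git-server.local ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTY-placeholder
my-git-server.local ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAB-placeholder-not-a-real-key
other.example ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAI-other-host-placeholder
"""

# Assumed host-key methods compiled into libssh2 per crypto backend: the mail
# reports LIBSSH2_ED25519 == 0 for the libgcrypt build, leaving ssh-rsa only.
BUILD_SUPPORT = {
    "libgcrypt": frozenset({"ssh-rsa"}),
    "openssl": frozenset({"ssh-rsa", "rsa-sha2-256", "rsa-sha2-512",
                          "ecdsa-sha2-nistp256", "ssh-ed25519"}),
}


def split_name_list(name_list: str) -> list[str]:
    """RFC 4251 name-list: comma separated, listed in preference order."""
    return [n for n in name_list.split(",") if n]


def preferred_from_known_hosts(known_hosts: str, host: str) -> list[str]:
    """Key types recorded for `host`, in file order, without duplicates.
    Simplified model of libgit2 consulting known_hosts for its preference."""
    seen: list[str] = []
    for line in known_hosts.splitlines():
        fields = line.split()
        if len(fields) < 3 or fields[0].startswith(("#", "@", "|1|")):
            continue  # comments, markers and hashed hosts are out of scope
        hosts, key_type = fields[0].split(","), fields[1]
        if host in hosts and key_type not in seen:
            seen.append(key_type)
    return seen


def method_pref(preferred: list[str], supported: frozenset[str]) -> list[str]:
    """Like libssh2_session_method_pref as the mail describes it: keep the
    client's order, drop every method the build was not compiled with."""
    return [m for m in preferred if m in supported]


def agree_hostkey(client: list[str], server: str) -> str | None:
    """RFC 4253 section 7.1: the first client-preferred algorithm that the
    server also lists wins; None means no session can be started."""
    offered = set(split_name_list(server))
    return next((m for m in client if m in offered), None)


def negotiate(backend: str, host: str = "my-git-server.local") -> dict:
    """Run the full chain for one libssh2 backend and report each stage."""
    preferred = preferred_from_known_hosts(KNOWN_HOSTS, host)
    filtered = method_pref(preferred, BUILD_SUPPORT[backend])
    return {
        "preferred": preferred,
        "sent_to_server": filtered,
        "agreed": agree_hostkey(filtered, SERVER_HOSTKEY_ALGS),
    }


if __name__ == "__main__":
    for backend in BUILD_SUPPORT:
        result = negotiate(backend)
        outcome = result["agreed"] or "no host key method in common (kex fails)"
        print(f"{backend:10} offers {result['sent_to_server']} -> {outcome}")
```

With the libgcrypt-style set the only method that survives filtering is "ssh-rsa", which the server does not list, so agreement fails exactly where the quoted breakpoint shows; with the OpenSSL-style set "ssh-ed25519" is chosen on the first try. To check a real server's list without libssh2 at all, OpenSSH's `ssh -vv` prints the peer's KEXINIT proposal including its host key algorithms, and `ssh -Q HostKeyAlgorithms` lists what the local OpenSSH client supports.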