Bug 571390 - SSH: provide better diagnostics when authentication fails
Summary: SSH: provide better diagnostics when authentication fails
Status: RESOLVED FIXED
Alias: None
Product: JGit
Classification: Technology
Component: JGit (show other bugs)
Version: 5.10   Edit
Hardware: PC Mac OS X
: P3 enhancement (vote)
Target Milestone: 6.2   Edit
Assignee: Thomas Wolf CLA
QA Contact:
URL:
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2021-02-21 10:33 EST by Carsten Hammer CLA
Modified: 2022-05-01 03:35 EDT (History)
2 users (show)

See Also:

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Carsten Hammer CLA 2021-02-21 10:33:35 EST 
I guess I make a mistake but for the case you think user mistake handling could be better I open this issue.

I use a fresh oomph setup based eclipse installation:

Eclipse IDE for Eclipse Committers (includes Incubating components)

Version: 2021-03 M2 (4.19.0 M2)
Build id: 20210204-1728

Java is oracle java 15

java.runtime.name=OpenJDK Runtime Environment
java.runtime.version=15.0.2+7-27
java.specification.name=Java Platform API Specification
java.specification.vendor=Oracle Corporation
java.specification.version=15


First I thought that I have an issue because I did not create a ras/dsa key pair.
But after doing that it is still the same. I get an error 

!ENTRY org.eclipse.egit.core 4 0 2021-02-21 15:45:56.823
!MESSAGE An exception occurred during push on URI ssh://chammer0iw@git.eclipse.org:29418/platform/eclipse.platform.swt.git: ssh://chammer0iw@git.eclipse.org:29418/platform/eclipse.platform.swt.git: Cannot log in at git.eclipse.org:29418
!STACK 0
org.eclipse.jgit.api.errors.TransportException: ssh://chammer0iw@git.eclipse.org:29418/platform/eclipse.platform.swt.git: Cannot log in at git.eclipse.org:29418
	at org.eclipse.jgit.api.PushCommand.call(PushCommand.java:147)
	at org.eclipse.egit.core.op.PushOperation.run(PushOperation.java:217)
	at org.eclipse.egit.ui.internal.push.PushJob.performJob(PushJob.java:86)
	at org.eclipse.egit.ui.internal.jobs.RepositoryJob.run(RepositoryJob.java:59)
	at org.eclipse.core.internal.jobs.Worker.run(Worker.java:63)
Caused by: org.eclipse.jgit.errors.TransportException: ssh://chammer0iw@git.eclipse.org:29418/platform/eclipse.platform.swt.git: Cannot log in at git.eclipse.org:29418
	at org.eclipse.jgit.transport.sshd.SshdSession.connect(SshdSession.java:173)
	at org.eclipse.jgit.transport.sshd.SshdSession.connect(SshdSession.java:98)
	at org.eclipse.jgit.transport.sshd.SshdSessionFactory.getSession(SshdSessionFactory.java:231)
	at org.eclipse.jgit.transport.sshd.SshdSessionFactory.getSession(SshdSessionFactory.java:1)
	at org.eclipse.jgit.transport.SshTransport.getSession(SshTransport.java:107)
	at org.eclipse.jgit.transport.TransportGitSsh$SshPushConnection.<init>(TransportGitSsh.java:358)
	at org.eclipse.jgit.transport.TransportGitSsh.openPush(TransportGitSsh.java:159)
	at org.eclipse.jgit.transport.PushProcess.execute(PushProcess.java:127)
	at org.eclipse.jgit.transport.Transport.push(Transport.java:1341)
	at org.eclipse.jgit.api.PushCommand.call(PushCommand.java:137)
	... 4 more
Caused by: org.apache.sshd.common.SshException: No more authentication methods available
	at org.apache.sshd.client.session.ClientUserAuthService.tryNext(ClientUserAuthService.java:333)
	at org.apache.sshd.client.session.ClientUserAuthService.processUserAuth(ClientUserAuthService.java:266)
	at org.apache.sshd.client.session.ClientUserAuthService.process(ClientUserAuthService.java:212)
	at org.apache.sshd.common.session.helpers.AbstractSession.doHandleMessage(AbstractSession.java:466)
	at org.apache.sshd.common.session.helpers.AbstractSession.handleMessage(AbstractSession.java:392)
	at org.apache.sshd.common.session.helpers.AbstractSession.decode(AbstractSession.java:1304)
	at org.apache.sshd.common.session.helpers.AbstractSession.messageReceived(AbstractSession.java:348)
	at org.eclipse.jgit.internal.transport.sshd.JGitClientSession.messageReceived(JGitClientSession.java:330)
	at org.apache.sshd.common.session.helpers.AbstractSessionIoHandler.messageReceived(AbstractSessionIoHandler.java:63)
	at org.apache.sshd.common.io.nio2.Nio2Session.handleReadCycleCompletion(Nio2Session.java:368)
	at org.apache.sshd.common.io.nio2.Nio2Session$1.onCompleted(Nio2Session.java:346)
	at org.apache.sshd.common.io.nio2.Nio2Session$1.onCompleted(Nio2Session.java:343)
	at org.apache.sshd.common.io.nio2.Nio2CompletionHandler.lambda$completed$0(Nio2CompletionHandler.java:38)
	at java.base/java.security.AccessController.doPrivileged(AccessController.java:312)
	at org.apache.sshd.common.io.nio2.Nio2CompletionHandler.completed(Nio2CompletionHandler.java:37)
	at java.base/sun.nio.ch.Invoker.invokeUnchecked(Invoker.java:127)
	at java.base/sun.nio.ch.Invoker$2.run(Invoker.java:219)
	at java.base/sun.nio.ch.AsynchronousChannelGroupImpl$1.run(AsynchronousChannelGroupImpl.java:112)
	at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1130)
	at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:630)
	at java.base/java.lang.Thread.run(Thread.java:832)

!ENTRY org.eclipse.egit.ui 4 0 2021-02-21 15:45:56.823
!MESSAGE Can't connect to any repository: ssh://chammer0iw@git.eclipse.org:29418/platform/eclipse.platform.swt.git (ssh://chammer0iw@git.eclipse.org:29418/platform/eclipse.platform.swt.git: Cannot log in at git.eclipse.org:29418)

The known_hosts file starts with:

[git.eclipse.org]:29418 ecdsa-sha2-nistp256 

The ssh-agent page in the eclipse preferences is empty. Does this matter? I thought it falls back to internal implementation. It does not warn about anything missing.

On another windows10 based computer in the same network everything works fine - so it is almost for sure my mistake that it does not work to push to Gerrit on my macbook.
Comment 1 Thomas Wolf CLA 2021-02-21 15:54:37 EST 
Well, at least you get a message saying "Cannot log in", which is already an improvement over earlier JGit versions, which only gave you the fairly cryptic "No more authentication methods available". :-)

I know that there is still room for improvement, but until and including version 2.6.0, Apache MINA sshd gives us no way to get more details.

If I get your case right:

* You have a new computer
* You installed Eclipse
* You created a new RSA keypair

Did you also install the public key of that new keypair on Gerrit? (Add it in the settings of your account: https://git.eclipse.org/r/settings/#SSHKeys .)

ssh-agent is irrelevant; Eclipse has no built-in support for ssh-agent.
Comment 2 Carsten Hammer CLA 2021-02-21 16:10:17 EST 
(In reply to Thomas Wolf from comment #1)
> Well, at least you get a message saying "Cannot log in", which is already an
> improvement over earlier JGit versions, which only gave you the fairly
> cryptic "No more authentication methods available". :-)
> 
> I know that there is still room for improvement, but until and including
> version 2.6.0, Apache MINA sshd gives us no way to get more details.
> 
> If I get your case right:
> 
> * You have a new computer
> * You installed Eclipse
> * You created a new RSA keypair
> 
> Did you also install the public key of that new keypair on Gerrit? (Add it
> in the settings of your account: https://git.eclipse.org/r/settings/#SSHKeys
> .)
> 
> ssh-agent is irrelevant; Eclipse has no built-in support for ssh-agent.

I think thats what I forgot, thanks!
Do you think it makes sense to ask for a more clear error message in this case?
Or maybe the oomph setup should include at least the key generation and a popup to tell the user there is a step missing?
Otherwise we can close, thanks again..
Comment 3 Thomas Wolf CLA 2021-02-21 16:39:46 EST 
We can keep this issue open as a reminder to improve this error message further.
But we can probably not know whether the user just forgot to publish his public key to the server, or whether he used a wrong key for this server.

Apache MINA sshd has post-2.6.0 (and thus too late for JGit 5.11) gotten some mechanism to get more details. I haven't analyzed the changes yet, but I think it should be possible now to produce something like:

  Cannot log in to ...
  Tried publickey authentication with key ~/.ssh/id_rsa; rejected by server
  No more authentication methods available

I'm not sure EGit could reliably detect this case (it gets a fairly generic TransportException, wrapping a fairly generic SshException) so it could present a dialog with hints. Would have to investigate if the exception propagation could be improved somewhat without breaking API...

Perhaps it could also help to have a better description in the EGit user's guide about setting up SSH.
Comment 4 Thomas Wolf CLA 2021-02-23 06:49:01 EST 
Retitled and changed to enhancement. sshd > 2.6.0 should have some mechanism to record what authentication attempts were made with what results. This could be used to provide a better exception message.
Comment 5 Petr Janeček CLA 2021-03-22 17:16:53 EDT 
I found this issue by lookup up the exception I'm getting, it's the same. However, in my case this is an old installation working with an old repo. Eclipse just got updated to 4.19 and suddenly I can't login to our Bitbucket server anymore with an SSH key.
Looking on the SSH2 config page, the .ssh folder location is correct (default), the key is correct, and the server is recognized in the Known Hosts tab. Nothing changed, I simply updated Eclipse and can no longer use EGit. I just checked my Installation History and I was using the MINA ssh support even before.

Is there a way for me to help you debug this problem? Is it possible this is because the server installation is old and does only support old auth mechanisms? Using the CLI `git` command still works well.
Comment 6 Thomas Wolf CLA 2021-03-22 17:18:50 EDT 
(In reply to Petr Janeček from comment #5)
> I found this issue by lookup up the exception I'm getting, it's the same.
> However, in my case this is an old installation working with an old repo.
> Eclipse just got updated to 4.19 and suddenly I can't login to our Bitbucket
> server anymore with an SSH key.
> Looking on the SSH2 config page, the .ssh folder location is correct
> (default), the key is correct, and the server is recognized in the Known
> Hosts tab. Nothing changed, I simply updated Eclipse and can no longer use
> EGit. I just checked my Installation History and I was using the MINA ssh
> support even before.
> 
> Is there a way for me to help you debug this problem? Is it possible this is
> because the server installation is old and does only support old auth
> mechanisms? Using the CLI `git` command still works well.

Your problem with bitbucket is bug 572056. Currently known work-arounds are documented at [1].

[1] https://wiki.eclipse.org/EGit/New_and_Noteworthy/5.11#Known_problems
Comment 7 Petr Janeček CLA 2021-03-22 17:19:24 EDT 
(In reply to Petr Janeček from comment #5)
> I found this issue by lookup up the exception I'm getting, it's the same.
> However, in my case this is an old installation working with an old repo.
> Eclipse just got updated to 4.19 and suddenly I can't login to our Bitbucket
> server anymore with an SSH key.
> Looking on the SSH2 config page, the .ssh folder location is correct
> (default), the key is correct, and the server is recognized in the Known
> Hosts tab. Nothing changed, I simply updated Eclipse and can no longer use
> EGit. I just checked my Installation History and I was using the MINA ssh
> support even before.
> 
> Is there a way for me to help you debug this problem? Is it possible this is
> because the server installation is old and does only support old auth
> mechanisms? Using the CLI `git` command still works well.

Oh. Terribly sorry, nevermind. I just found https://bugs.eclipse.org/bugs/show_bug.cgi?id=572056 which is exactly my problem. Thanks!
Comment 8 Eclipse Genie CLA 2022-04-01 15:21:10 EDT 
New Gerrit change created: https://git.eclipse.org/r/c/jgit/jgit/+/192433