Bug 577545 - Can't connect to any repository
Status: RESOLVED FIXED
Alias: None
Product: EGit
Classification: Technology
Component: Core
Version: 5.13
Hardware: PC Windows 10
Importance: P3 minor
Target Milestone: 6.1
Assignee: Project Inbox
Reported: 2021-12-01 00:13 EST by andy goryachev
Modified: 2022-01-06 15:45 EST

Description andy goryachev 2021-12-01 00:13:07 EST
Unable to connect to github.com after updating to 2021-09 eclipse (previous version 2021-03 was working fine).

The error:

Can't connect to any repository: git@github.com:andy-goryachev/MemSafeCrypto.git (git@github.com:andy-goryachev/MemSafeCrypto.git: DefaultAuthFuture[ssh-connection]: Failed (InvalidKeyException) to execute: Supplied key (net.i2p.crypto.eddsa.EdDSAPrivateKey) is not a RSAPrivateKey instance)

An exception stack trace is not available.

eclipse.buildId=4.21.0.I20210906-0500
java.version=15.0.1
java.vendor=Azul Systems, Inc.
BootLoader constants: OS=win32, ARCH=x86_64, WS=win32, NL=en_US
Framework arguments:  -product org.eclipse.epp.package.java.product
Command-line arguments:  -data file:/C:/System/eclipse.workspaces/workspace/ -os win32 -ws win32 -arch x86_64 -product org.eclipse.epp.package.java.product



Tried with both Apache Mina and built-in HTTP client.

The key is EdDSA per GitHub's recommendation (and it used to work with an earlier release).

Please, please help!

Thank you in advance.
-andy
Comment 1 Thomas Wolf 2021-12-01 03:23:51 EST
Sounds like some serious misconfiguration somewhere.

Why do you mention the HTTP client when the problem is about an SSH connection?

Is there anything more in the Eclipse log?
Comment 2 andy goryachev 2021-12-01 10:09:30 EST
A good point about HTTP, it is not related.

There is no more information in the log (hence the words "An exception stack trace is not available.")

This is a straightforward upgrade from 2021-03 to 2021-09.  I can't even think of where to look because Network -> SSH has no relevant settings.  As if the standard provider used by Eclipse does not support elliptical keys anymore and requests RSA.
Comment 3 andy goryachev 2021-12-01 11:40:13 EST
... and now I cannot revert the configuration.  This is just great.  The second law of thermodynamics in action.
Comment 4 Thomas Wolf 2021-12-01 11:57:05 EST
Sorry, can't help you with this. It's totally unclear where this message comes from; it's not from JGit or from Apache MINA sshd. As far as I can determine by searching the Web, it comes from the SecurityProvider, and probably indicates that the code tries to compute an RSA-type signature but using an ed25519 key.

I have no idea what might lead to this.

As I'm about to go on vacation, I also have no time to look into this in more detail for now. I'll look again in January if it then is still a problem.
Comment 5 andy goryachev 2021-12-01 12:30:39 EST
Thank you, Thomas.
Comment 6 andy goryachev 2021-12-01 16:50:56 EST
OK, so I was able to fix it by moving github key to the leading position in 

Preferences -> General -> Network Connections -> SSH2 -> Private Keys.

I don't quite know what the logic is for selecting the right key for a given host, but perhaps it can be improved.  Downgrading the severity but keeping the bug open because I think it is still a bug.
Comment 7 Thomas Wolf 2021-12-01 17:59:56 EST
(In reply to andy goryachev from comment #6)
> OK, so I was able to fix it by moving github key to the leading position in 
> 
> Preferences -> General -> Network Connections -> SSH2 -> Private Keys.
> 
> I don't quite know what the logic is for selecting the right key for a given
> host, but perhaps it can be improved.  Downgrading the severity but keeping
> the bug open because I think it is still a bug.

Yes, that's a bug in Apache MINA sshd. Thanks for this information, that gave me a clue as to how to reproduce this.

Don't know why there's no stack trace; in an Apache MINA sshd unit test I get

Exception in thread "main" org.apache.sshd.common.SshException: DefaultAuthFuture[ssh-connection]: Failed (InvalidKeyException) to execute: Supplied key (net.i2p.crypto.eddsa.EdDSAPrivateKey) is not a RSAPrivateKey instance
	at org.apache.sshd.common.future.AbstractSshFuture.lambda$verifyResult$1(AbstractSshFuture.java:131)
	at org.apache.sshd.common.future.AbstractSshFuture.formatExceptionMessage(AbstractSshFuture.java:185)
	at org.apache.sshd.common.future.AbstractSshFuture.verifyResult(AbstractSshFuture.java:130)
	at org.apache.sshd.client.future.DefaultAuthFuture.verify(DefaultAuthFuture.java:39)
	at org.apache.sshd.client.future.DefaultAuthFuture.verify(DefaultAuthFuture.java:32)
	at org.apache.sshd.common.future.VerifiableFuture.verify(VerifiableFuture.java:43)
	at ch.paranor.thomas.TestClient.testAuth(TestClient.java:44)
	at ch.paranor.thomas.TestClient.main(TestClient.java:58)
Caused by: java.security.InvalidKeyException: Supplied key (net.i2p.crypto.eddsa.EdDSAPrivateKey) is not a RSAPrivateKey instance
	at org.bouncycastle.jcajce.provider.asymmetric.rsa.DigestSignatureSpi.engineInitSign(Unknown Source)
	at java.security.Signature$Delegate.engineInitSign(Signature.java:1177)
	at java.security.Signature.initSign(Signature.java:530)
	at org.apache.sshd.common.signature.AbstractSignature.initSigner(AbstractSignature.java:104)
	at org.apache.sshd.client.auth.pubkey.KeyPairIdentity.sign(KeyPairIdentity.java:81)
	at org.apache.sshd.client.auth.pubkey.UserAuthPublicKey.appendSignature(UserAuthPublicKey.java:363)
	at org.apache.sshd.client.auth.pubkey.UserAuthPublicKey.processAuthDataRequest(UserAuthPublicKey.java:333)
	at org.apache.sshd.client.auth.AbstractUserAuth.process(AbstractUserAuth.java:73)
	at org.apache.sshd.client.session.ClientUserAuthService.processUserAuth(ClientUserAuthService.java:303)
	at org.apache.sshd.client.session.ClientUserAuthService.process(ClientUserAuthService.java:225)
	at org.apache.sshd.common.session.helpers.AbstractSession.doHandleMessage(AbstractSession.java:526)
	at org.apache.sshd.common.session.helpers.AbstractSession.handleMessage(AbstractSession.java:452)
	at org.apache.sshd.common.session.helpers.AbstractSession.decode(AbstractSession.java:1524)
	at org.apache.sshd.common.session.helpers.AbstractSession.messageReceived(AbstractSession.java:412)
	at org.apache.sshd.common.session.helpers.AbstractSessionIoHandler.messageReceived(AbstractSessionIoHandler.java:64)
	at org.apache.sshd.common.io.nio2.Nio2Session.handleReadCycleCompletion(Nio2Session.java:359)
	at org.apache.sshd.common.io.nio2.Nio2Session$1.onCompleted(Nio2Session.java:336)
	at org.apache.sshd.common.io.nio2.Nio2Session$1.onCompleted(Nio2Session.java:333)
	at org.apache.sshd.common.io.nio2.Nio2CompletionHandler.lambda$completed$0(Nio2CompletionHandler.java:38)
	at java.security.AccessController.doPrivileged(Native Method)
	at org.apache.sshd.common.io.nio2.Nio2CompletionHandler.completed(Nio2CompletionHandler.java:37)
	at sun.nio.ch.Invoker.invokeUnchecked(Invoker.java:126)
	at sun.nio.ch.Invoker$2.run(Invoker.java:218)
	at sun.nio.ch.AsynchronousChannelGroupImpl$1.run(AsynchronousChannelGroupImpl.java:112)
	at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
	at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
	at java.lang.Thread.run(Thread.java:748)

Indeed Apache MINA sshd tries to generate an RSA SHA1 signature with an ed25519 key :-( Reproducible if the setup is such that

1. a wrong RSA key is tried with signature rsa-sha2-512; server rejects the
   authentication attempt.
2. the (correct) ed25519 key is tried; but unfortunately with the wrong
   signature type (ssh-rsa).

Work-arounds are:

* Put RSA keys last in the list of keys to be tried.
* Use a ~/.ssh/config file specifying the exact key to use, for instance

   Host github github.com
   Hostname github.com
   User git
   IdentityFile ~/.ssh/id_ed25519.github
   IdentitiesOnly yes

The fix in Apache MINA sshd would be a one-liner, but a unit test for this is more than I can do in the time before my vacation.
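
Added example (not part of the thread, and not Apache MINA sshd or JGit code): a simplified model of the failure described in comment 7, in which signature-algorithm state left over from a rejected RSA key is reused for the next key, so the JCA provider refuses to initialise an RSA signature with an ed25519 key. The class name, the `authenticate` helper, the candidate lists and the `authorized` stand-in for the server's check are assumptions made for illustration; it needs Java 15 or later for the built-in Ed25519 support.

```java
import java.nio.charset.StandardCharsets;
import java.security.*;
import java.security.interfaces.RSAPrivateKey;
import java.util.*;

public class SigAlgPerKeyDemo {
    // SSH signature name -> JCA algorithm name
    static final Map<String, String> JCA = Map.of(
        "rsa-sha2-512", "SHA512withRSA",
        "ssh-rsa", "SHA1withRSA",
        "ssh-ed25519", "Ed25519");

    // Signature names that are valid for this key type, in preference order
    static List<String> candidatesFor(PrivateKey key) {
        return key instanceof RSAPrivateKey
            ? List.of("rsa-sha2-512", "ssh-rsa")
            : List.of("ssh-ed25519");
    }

    // Tries each key in order; 'authorized' stands in for the server's check.
    // resetPerKey=false models the stale state: candidates left over from a
    // rejected key are reused for the next key instead of being recomputed.
    static String authenticate(List<PrivateKey> keys, PrivateKey authorized, boolean resetPerKey) {
        Deque<String> remaining = new ArrayDeque<>();
        for (PrivateKey key : keys) {
            if (resetPerKey || remaining.isEmpty()) {
                remaining = new ArrayDeque<>(candidatesFor(key));
            }
            String sshSig = remaining.poll();
            try {
                Signature signer = Signature.getInstance(JCA.get(sshSig));
                signer.initSign(key); // the provider rejects a key of the wrong type here
                signer.update("constructed auth request".getBytes(StandardCharsets.UTF_8));
                signer.sign();
            } catch (GeneralSecurityException e) {
                return "failed with " + sshSig + ": " + e.getClass().getSimpleName();
            }
            if (key == authorized) return "authenticated with " + sshSig;
        }
        return "no key accepted";
    }

    public static void main(String[] args) throws GeneralSecurityException {
        KeyPairGenerator rsaGen = KeyPairGenerator.getInstance("RSA");
        rsaGen.initialize(2048);
        PrivateKey wrongRsa = rsaGen.generateKeyPair().getPrivate(); // constructed, not authorized
        PrivateKey ed = KeyPairGenerator.getInstance("Ed25519").generateKeyPair().getPrivate();
        List<PrivateKey> keys = List.of(wrongRsa, ed);
        System.out.println("stale state:   " + authenticate(keys, ed, false));
        System.out.println("reset per key: " + authenticate(keys, ed, true));
    }
}
```

Passing the keys in the order ed25519 first, RSA last authenticates even with `resetPerKey` set to false, which matches the first work-around listed in comment 7.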
Comment 8 andy goryachev 2021-12-01 18:05:20 EST
Thank you so much, Thomas!

I am not sure why it showed no exception before - I do see it in the log now (and I don't see the old events for some reason).

I am still impressed by your prompt response!  Have a great vacation.

Cheers,
-a
Comment 9 Thomas Wolf 2021-12-01 18:16:11 EST
Reported upstream at [1]. The one-line fix (without unit test) is [2].

[1] https://issues.apache.org/jira/browse/SSHD-1231
[2] https://github.com/apache/mina-sshd/pull/211
Comment 10 Eclipse Genie 2022-01-06 13:37:05 EST
New Gerrit change created: https://git.eclipse.org/r/c/jgit/jgit/+/189355
Comment 12 andy goryachev 2022-01-06 14:24:46 EST
+1
Thank you, Thomas!
Comment 13 Thomas Wolf 2022-01-06 15:23:25 EST
Thanks. Should be fixed in EGit nightly now.