Bug 579487 - Fetch from gerrit fails with SshException: No more authentication methods available
Status: CLOSED NOT_ECLIPSE
Product: EGit
Classification: Technology
Component: Core
Version: 6.2
Hardware: PC Linux
Importance: P3 normal
Assignee: Project Inbox CLA
Reported: 2022-03-29 15:39 EDT by Stephan Herrmann CLA
Modified: 2022-03-31 18:30 EDT

Description Stephan Herrmann CLA 2022-03-29 15:39:04 EDT
In a workspace that has been in use for years, a few days ago I started getting this exception:

org.eclipse.jgit.api.errors.TransportException: ssh://sherrmann@git.eclipse.org:29418/jdt/eclipse.jdt.core.git: Cannot log in at git.eclipse.org:29418
	at org.eclipse.jgit.api.LsRemoteCommand.execute(LsRemoteCommand.java:189)
	at org.eclipse.jgit.api.LsRemoteCommand.call(LsRemoteCommand.java:128)
	at org.eclipse.egit.core.op.ListRemoteOperation.run(ListRemoteOperation.java:116)
	at org.eclipse.egit.ui.internal.components.AsynchronousListOperation.run(AsynchronousListOperation.java:76)
	at org.eclipse.egit.ui.internal.dialogs.CancelableFuture$1.run(CancelableFuture.java:280)
	at org.eclipse.core.internal.jobs.Worker.run(Worker.java:63)
Caused by: org.eclipse.jgit.errors.TransportException: ssh://sherrmann@git.eclipse.org:29418/jdt/eclipse.jdt.core.git: Cannot log in at git.eclipse.org:29418
	at org.eclipse.jgit.transport.sshd.SshdSession.connect(SshdSession.java:178)
	at org.eclipse.jgit.transport.sshd.SshdSession.connect(SshdSession.java:99)
	at org.eclipse.jgit.transport.sshd.SshdSessionFactory.getSession(SshdSessionFactory.java:251)
	at org.eclipse.jgit.transport.sshd.SshdSessionFactory.getSession(SshdSessionFactory.java:1)
	at org.eclipse.jgit.transport.SshTransport.getSession(SshTransport.java:107)
	at org.eclipse.jgit.transport.TransportGitSsh$SshFetchConnection.<init>(TransportGitSsh.java:281)
	at org.eclipse.jgit.transport.TransportGitSsh.openFetch(TransportGitSsh.java:153)
	at org.eclipse.jgit.api.LsRemoteCommand.execute(LsRemoteCommand.java:167)
	... 5 more
Caused by: org.apache.sshd.common.SshException: No more authentication methods available
	at org.apache.sshd.common.future.AbstractSshFuture.verifyResult(AbstractSshFuture.java:126)
	at org.apache.sshd.client.future.DefaultAuthFuture.verify(DefaultAuthFuture.java:39)
	at org.apache.sshd.client.future.DefaultAuthFuture.verify(DefaultAuthFuture.java:32)
	at org.apache.sshd.common.future.VerifiableFuture.verify(VerifiableFuture.java:68)
	at org.eclipse.jgit.transport.sshd.SshdSession.connect(SshdSession.java:168)
	... 12 more
Caused by: org.apache.sshd.common.SshException: No more authentication methods available
	at org.apache.sshd.client.session.ClientUserAuthService.tryNext(ClientUserAuthService.java:353)
	at org.apache.sshd.client.session.ClientUserAuthService.processUserAuth(ClientUserAuthService.java:288)
	at org.apache.sshd.client.session.ClientUserAuthService.process(ClientUserAuthService.java:225)
	at org.apache.sshd.common.session.helpers.AbstractSession.doHandleMessage(AbstractSession.java:526)
	at org.apache.sshd.common.session.helpers.AbstractSession.handleMessage(AbstractSession.java:452)
	at org.apache.sshd.common.session.helpers.AbstractSession.decode(AbstractSession.java:1524)
	at org.apache.sshd.common.session.helpers.AbstractSession.messageReceived(AbstractSession.java:412)
	at org.eclipse.jgit.internal.transport.sshd.JGitClientSession.messageReceived(JGitClientSession.java:197)
	at org.apache.sshd.common.session.helpers.AbstractSessionIoHandler.messageReceived(AbstractSessionIoHandler.java:64)
	at org.apache.sshd.common.io.nio2.Nio2Session.handleReadCycleCompletion(Nio2Session.java:359)
	at org.apache.sshd.common.io.nio2.Nio2Session$1.onCompleted(Nio2Session.java:336)
	at org.apache.sshd.common.io.nio2.Nio2Session$1.onCompleted(Nio2Session.java:333)
	at org.apache.sshd.common.io.nio2.Nio2CompletionHandler.lambda$completed$0(Nio2CompletionHandler.java:38)
	at java.base/java.security.AccessController.doPrivileged(AccessController.java:312)
	at org.apache.sshd.common.io.nio2.Nio2CompletionHandler.completed(Nio2CompletionHandler.java:37)
	at java.base/sun.nio.ch.Invoker.invokeUnchecked(Invoker.java:127)
	at java.base/sun.nio.ch.Invoker$2.run(Invoker.java:219)
	at java.base/sun.nio.ch.AsynchronousChannelGroupImpl$1.run(AsynchronousChannelGroupImpl.java:112)
	at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1128)
	at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:628)
	at java.base/java.lang.Thread.run(Thread.java:830)


This is the same exception when trying to fetch from a repo that has migrated to github, whereas jdt.core has not migrated yet.

On a different machine, the same coordinates still fetch successfully.

I got it with EGit 5.13, then updated to 6.2 which did not improve things.


Even if I did smth wrong, saying "No more authentication methods available" is not very helpful.

I noticed that EGit added a preference option regarding ssh agents. When I tried to disable this I got:

java.lang.NullPointerException
	at org.eclipse.egit.ui.internal.preferences.GitPreferenceRoot.lambda$0(GitPreferenceRoot.java:418)
	at org.eclipse.jface.preference.FieldEditor.fireValueChanged(FieldEditor.java:350)
	at org.eclipse.jface.preference.FieldEditor.fireStateChanged(FieldEditor.java:333)
	at org.eclipse.jface.preference.BooleanFieldEditor.valueChanged(BooleanFieldEditor.java:243)
	at org.eclipse.jface.preference.BooleanFieldEditor.lambda$0(BooleanFieldEditor.java:195)
	at org.eclipse.swt.events.SelectionListener$1.widgetSelected(SelectionListener.java:84)
	at org.eclipse.swt.widgets.TypedListener.handleEvent(TypedListener.java:252)
Comment 1 Eclipse Genie CLA 2022-03-30 01:30:26 EDT
New Gerrit change created: https://git.eclipse.org/r/c/egit/egit/+/192345
Comment 2 Thomas Wolf CLA 2022-03-30 01:49:17 EDT
(In reply to Stephan Herrmann from comment #0)
> java.lang.NullPointerException
> 	at org.eclipse.egit.ui.internal.preferences.GitPreferenceRoot.lambda$0(GitPreferenceRoot.java:418)

Is fixed by:

(In reply to Eclipse Genie from comment #1)
> New Gerrit change created: https://git.eclipse.org/r/c/egit/egit/+/192345

Sorry for this truly stupid oversight.

Instead of using this UI option, add "IdentityAgent none" to the SSH host entry for git.eclipse.org in ~/.ssh/config:

  Host git.eclipse.org
  Hostname git.eclipse.org
  User sherrmann
  Port 29418
  IdentityFile ~/.ssh/<your key>
  IdentityAgent none

With 6.2 this should work.

If this works, but fails when you remove the "IdentityAgent none" line, then most probably your agent offers a different key, and Gerrit's SSH daemon has some limit on authentication attempts, which gets hit before the correct key is tried. (Agent keys take precedence in SSH...) If so, try removing "IdentityAgent none" and adding "IdentitiesOnly yes" instead.
Comment 3 Thomas Wolf CLA 2022-03-30 01:55:04 EDT
(In reply to Stephan Herrmann from comment #0)
> Caused by: org.apache.sshd.common.SshException: No more authentication methods available
> 	at org.apache.sshd.client.session.ClientUserAuthService.tryNext(ClientUserAuthService.java:353)
[...]
> Even if I did smth wrong, saying "No more authentication methods available"
> is not very helpful.

Tell that to Apache MINA sshd :-) I fully agree.

Unfortunately it's the default that org.apache.sshd gives us. I _think_ recent versions have some support for a kind of listeners to log which authentications are attempted, but IIRC it's rather arcane and needs different listeners for different authentication methods. Maybe JGit could try to use that to at least give some indication which auth methods and which keys were tried at all.
Comment 5 Stephan Herrmann CLA 2022-03-31 12:31:35 EDT
Thanks Thomas.

Edits in .ssh/config didn't cut it, but alerted by your mentioning of identity files I found one identity for which I had not uploaded the public key to gerrit.

I could guess that previously the secondary ssh-dss identity was used on this machine. Was support for ssh-dss / id_dsa dropped "recently" somewhere in the stack?
Comment 6 Thomas Wolf CLA 2022-03-31 12:51:37 EDT
(In reply to Stephan Herrmann from comment #5)
> Thanks Thomas.
> 
> Edits in .ssh/config didn't cut it, but alerted by your mentioning of
> identity files I found one identity for which I had not uploaded the public
> key to gerrit.
> 
> I could guess that previously the secondary ssh-dss identity was used on
> this machine. Was support for ssh-dss / id_dsa dropped "recently" somewhere
> in the stack?

So it wasn't the agent.

Yes, DSA support is disabled in newer Gerrit versions by default. EF did update Gerrit recently, and probably didn't enable it in the Gerrit config.

DSA is still enabled in JGit.
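
The two failure modes discussed in comments 2 and 5-6, as an added Python sketch that is not part of this bug report and is not JGit or EGit code: an agent that uses up the server's attempt limit before the right key is offered, and a registered key whose algorithm (ssh-dss) the server no longer accepts. It assumes a simplified model (agent keys are offered first, every offered key costs one attempt); `max_tries`, the key names and the key material are constructed for illustration.

```python
import base64
import struct

def make_key(alg, body, comment):
    """Build a CONSTRUCTED public-key line (dummy material) in OpenSSH format."""
    blob = struct.pack(">I", len(alg)) + alg.encode() + body
    return f"{alg} {base64.b64encode(blob).decode()} {comment}"

def key_algorithm(line):
    """Read the algorithm from the key blob itself: uint32 length + name (RFC 4253)."""
    blob = base64.b64decode(line.split()[1])
    (n,) = struct.unpack(">I", blob[:4])
    return blob[4:4 + n].decode("ascii")

def offer_order(agent_keys, identity_files, identities_only=False, use_agent=True):
    """Simplified model of comment 2: agent keys are offered before IdentityFile keys.
    identities_only ~ 'IdentitiesOnly yes'; use_agent=False ~ 'IdentityAgent none'."""
    agent = list(agent_keys) if use_agent else []
    if identities_only:
        agent = [k for k in agent if k in identity_files]
    return agent + [k for k in identity_files if k not in agent]

def try_login(order, registered, disabled_algs=("ssh-dss",), max_tries=3):
    """Return (outcome, attempts). Assumes every offered key costs one attempt."""
    attempts = []
    for key in order:
        if len(attempts) == max_tries:
            return "attempt limit reached", attempts
        alg = key_algorithm(key)
        if alg in disabled_algs:
            result = "algorithm disabled on server"
        elif key in registered:
            result = "accepted"
        else:
            result = "public key not registered"
        attempts.append((key.split()[2], alg, result))
        if result == "accepted":
            return "authenticated", attempts
    return "no more authentication methods", attempts

# Constructed sample identities (hypothetical names, dummy key material).
OTHER = [make_key("ssh-ed25519", bytes([i]) * 8, f"agent-{i}") for i in range(3)]
RSA = make_key("ssh-rsa", b"\x01" * 8, "id_rsa")
DSA = make_key("ssh-dss", b"\x02" * 8, "id_dsa")

if __name__ == "__main__":
    print(try_login(offer_order(OTHER, [RSA]), [RSA]))  # agent exhausts the limit
    print(try_login(offer_order(OTHER, [RSA], identities_only=True), [RSA]))
    print(try_login(offer_order([], [RSA, DSA]), [DSA]))  # case from comments 5-6
```

In the last call no client-side setting changes the outcome: the only registered key is ssh-dss, so the fix is to register a key of an algorithm the server accepts.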
Comment 7 Thomas Wolf CLA 2022-03-31 18:08:05 EDT
I'm closing this. Improving the feedback on authentication failures is bug 571390. (Had forgotten about that one. I think I can do that for 6.2.)
Comment 8 Stephan Herrmann CLA 2022-03-31 18:30:21 EDT
(In reply to Thomas Wolf from comment #7)
> I'm closing this. Improving the feedback on authentication failures is bug
> 571390. (Had forgotten about that one. I think I can do that for 6.2.)

Sounds good. Thanks.