Bug 1294690

Summary: git ssh issues with ssh-dss
Product: [Retired] JBoss BRMS Platform 6
Component: Business Central
Version: 6.2.0
Status: CLOSED EOL
Severity: unspecified
Priority: unspecified
Target Milestone: DR1
Target Release: 6.3.0
Hardware: Unspecified
OS: Unspecified
Reporter: Alessandro Lazarotti <alazarot>
Assignee: Alexandre Porcelli <porcelli>
QA Contact: Jiri Locker <jlocker>
CC: sfu
Doc Type: Bug Fix
Type: Bug
Last Closed: 2020-03-27 20:01:20 UTC

Description Alessandro Lazarotti 2015-12-29 17:29:45 UTC
Description of problem:
Some systems are no longer using ssh-dss by default, which results in some issues like:

Client side:
"[lazarotti@mackoy-note git-test]$ git clone ssh://lazarotti@localhost:8001/gss-repo
Cloning into 'gss-repo'...
Unable to negotiate with 127.0.0.1: no matching host key type found. Their offer: ssh-dss
fatal: Could not read from remote repository."

Server side:
14:58:31,856 WARN  [org.apache.sshd.server.session.ServerSession] (sshd-SshServer[847507d]-nio2-thread-2) Exception caught: java.lang.IllegalStateException: Unable to negotiate key exchange for server host key algorithms (client: ecdsa-sha2-nistp256-cert-v01,ecdsa-sha2-nistp384-cert-v01,ecdsa-sha2-nistp521-cert-v01,ssh-ed25519-cert-v01,ssh-rsa-cert-v01,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-ed25519,ssh-rsa / server: ssh-dss)
	at org.apache.sshd.common.session.AbstractSession.negotiate(AbstractSession.java:1109) [sshd-core-0.12.0.jar:0.12.0]
	at org.apache.sshd.common.session.AbstractSession.doHandleMessage(AbstractSession.java:357) [sshd-core-0.12.0.jar:0.12.0]
	at org.apache.sshd.common.session.AbstractSession.handleMessage(AbstractSession.java:295) [sshd-core-0.12.0.jar:0.12.0]




... while trying to clone a git repo from Business Central.
As mentioned by https://issues.jboss.org/browse/ENTESB-4427, as a longer-term solution we should start considering moving away from ssh-dss since, according to http://www.openssh.com/legacy.html, it's considered insecure, thus deprecated:

> OpenSSH 7.0 and greater similarly disables the ssh-dss (DSA) public key algorithm. It too is weak and we recommend against its use.

Version-Release number of selected component (if applicable):
BRMS 6.2.0

How reproducible:
Always

Steps to Reproduce:
1. Try to clone a project repository using standard Fedora 23.
I know it is not supported for BRMS 6.2.0, but it is how RHEL will work soon.


Additional info:
Also from ENTESB-4427:

An immediate workaround is to alter the configuration of ssh client to accept that security configuration:
ssh -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no -o PreferredAuthentications=password -oHostKeyAlgorithms=+ssh-dss  -l admin -p 8101 localhost

or:

Host localhost
    VerifyHostKeyDNS no
    StrictHostKeyChecking no
    HostKeyAlgorithms +ssh-dss
    UserKnownHostsFile /dev/null
can be added to ~/.ssh/config for a global configuration.
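
The ~/.ssh/config workaround quoted above also turns off host key verification, although only the HostKeyAlgorithms line addresses the negotiation failure. The check below is an added example, not part of the original report or of ENTESB-4427, that flags that combination; the brms-git alias and the known_hosts_brms path are hypothetical.

```python
import re

# Constructed sample: the ~/.ssh/config stanza quoted above, then a narrower
# variant (hypothetical alias and known_hosts path) that keeps host key checks.
SAMPLE_CONFIG = """\
Host localhost
    VerifyHostKeyDNS no
    StrictHostKeyChecking no
    HostKeyAlgorithms +ssh-dss
    UserKnownHostsFile /dev/null
Host brms-git
    HostName localhost
    Port 8001
    HostKeyAlgorithms +ssh-dss
    StrictHostKeyChecking yes
    UserKnownHostsFile ~/.ssh/known_hosts_brms
"""

def parse_blocks(text):
    """Split ssh_config text into (host_patterns, {keyword: value}) pairs."""
    blocks, current = [], None
    for raw in text.splitlines():
        m = re.match(r"(\S+?)(?:\s*=\s*|\s+)(.*)", raw.strip())
        if not m or raw.lstrip().startswith("#"):
            continue
        key, value = m.group(1).lower(), m.group(2).strip()
        if key == "host":
            current = (value.split(), {})
            blocks.append(current)
        elif current is not None:  # options before the first Host are skipped
            current[1].setdefault(key, value)  # first value wins in ssh_config
    return blocks

def audit(text):
    """List each Host block that enables ssh-dss and what else it weakens."""
    findings = []
    for patterns, opts in parse_blocks(text):
        algs = opts.get("hostkeyalgorithms", "")
        if algs.startswith("-") or "ssh-dss" not in algs:
            continue
        issues = []
        if opts.get("stricthostkeychecking", "ask").lower() in ("no", "off"):
            issues.append("unknown host keys are trusted automatically")
        if opts.get("userknownhostsfile", "") == "/dev/null":
            issues.append("no host key is recorded; a changed key goes unnoticed")
        if any(c in p for p in patterns for c in "*?"):
            issues.append("ssh-dss is enabled for every host the pattern matches")
        findings.append((" ".join(patterns), issues))
    return findings
```

`audit(SAMPLE_CONFIG)` reports two issues for the quoted `Host localhost` stanza and none for the narrower one.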

Comment 2 Alexandre Porcelli 2016-01-06 21:20:05 UTC
master:
https://github.com/uberfire/uberfire/commit/cec879f64

Comment 3 Alexandre Porcelli 2016-03-02 13:11:42 UTC
*** Bug 1311731 has been marked as a duplicate of this bug. ***

Comment 4 Jiri Locker 2016-04-05 13:23:41 UTC
Verified with BRMS 6.3.0.ER2 on Fedora 23.

Reproduced the described problem, applied global configuration via ~/.ssh/config and successfully cloned after that.

Comment 5 Justin Holmes 2016-05-17 01:21:58 UTC
Team,

What was actually verified here??? I'm testing with 6.3.0 GA and I still get "no matching host key type found. Their offer: ssh-dss
fatal: Could not read from remote repository."

Alexandre's commit seems to add RSA support, but that does not appear to be in the product.

Comment 7 Alexandre Porcelli 2016-06-13 11:21:40 UTC
https://issues.jboss.org/browse/RHBRMS-243

Comment 8 Alessandro Lazarotti 2016-06-23 22:18:38 UTC
Justin, SFU, please see the Jira above. The Bouncy Castle JCE must be installed in the application server to make it work.