savannah-users

Re: authentication failures


From: Bob Proulx
Subject: Re: authentication failures
Date: Sat, 4 Dec 2021 10:21:04 -0700

Thien-Thi Nguyen wrote:
> I recently tried to push some commits to the Guile-PG Git repo
> (ttn@git.savannah.nongnu.org:/srv/git/guile-pg.git), but that
> failed with error message:
> 
>  Received disconnect from 2001:470:142:5::201 port 22:2: Too many authentication failures for ttn
>  Disconnected from 2001:470:142:5::201 port 22
>  fatal: Could not read from remote repository.
>  
>  Please make sure you have the correct access rights
>  and the repository exists.
> 
> How can I remedy this situation?

Did you just recently upgrade your system and that included the latest
OpenSSH 8.8?  If so then I think you have hit the SHA1 hash
obsolescence problem.

    https://savannah.gnu.org/maintenance/SshAccess/

I recommend using procedure number 2 listed there as that is the
superior solution.  But it requires a little more effort and so I
didn't make it the first option.  The first option is the least effort
workaround to the problem.

I will include the relevant part below so this message is
self-contained.  And as an update on the new system status I have been
working on it but there is a long list of things needed to be
completely finished before it can be swapped into place without
breaking other parts of the system.  It's a large all-or-nothing
problem.  I am confident the task will be completed before the end of
this month.  https://savannah.gnu.org/maintenance/SavannahHosts/

Bob

https://savannah.gnu.org/maintenance/SshAccess/

OpenSSH 8.8 SHA-1 Deprecation October 2021
------------------------------------------

OpenSSH 8.8 was released on September 26, 2021 and subsequently has
been upgraded to by users of Savannah that are also following the
bleeding edge of development of OpenSSH.  Most users of Stable OS
software distributions will not yet have that new version and will not
yet be affected.  In release 8.8 OpenSSH deprecated all use of the
SHA-1 hash algorithm.  This affects users who are connecting to the
vcs0 node hosting git, svn, hg repositories using ssh-rsa keys.  (The
cvs repositories are not affected.)  The root cause being that the
OpenSSH server on vcs0 is older and still primarily using the SHA-1
hash algorithm by default for host keys.  Upgrading the services is a
high priority but there are various entanglements which make doing
this immediately and quickly rather hard.  It will take some time.
Please be patient.

There are two solutions that have been reported to work.  (I have been
unable to test this myself as my newest OpenSSH is version 8.4, before
the SHA-1 deprecation.  But these are the success reports.)

1. The first workaround comes from the OpenSSH 8.8 release
   notes. Provide a special client configuration on your system to
   enable ssh-rsa keys on your client for git for Savannah.  The
   following stanza in your `~/.ssh/config` file will enable RSA/SHA1
   for host and user authentication for a single destination host.
   The names (`git.savannah.gnu.org` and the others) listed must match
   the name you are using to connect exactly.  When matching this name
   then ssh will apply the options specified.


        Host git.savannah.gnu.org git.sv.gnu.org git.savannah.nongnu.org git.sv.nongnu.org
            HostkeyAlgorithms +ssh-rsa
            PubkeyAcceptedAlgorithms +ssh-rsa

2. The second workaround is to upgrade your ssh user key access to
   ED25519 keys.  ED25519 keys were introduced in OpenSSH 6.5 and offer
   better security with faster performance using a more compact key.  It
   seems using the ED25519 user key also enables using the ED25519 host
   key at the same time.  Which is perfect!  That's an excellent upgrade
   for both security and performance.

        ssh-keygen -t ed25519

   This creates a user key of type ed25519 and will place the files by
   default in `~/.ssh/id_ed25519.pub` et al.  Load this key into your
   `ssh-agent`.

        ssh-add

   Register this new public key in your "My Account Configuration:
   Change Authorized Keys" page
   <https://savannah.gnu.org/my/admin/editsshkeys.php>.

For reference here are the release notes for OpenSSH 8.8.  And
additionally a bug ticket where we have been tracking information
about this problem.

* <https://www.openssh.com/txt/release-8.8>
* <https://savannah.nongnu.org/support/?110545>

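A check on how far workaround 1 reaches, as an added example that is not part of the original message or the Savannah page: it parses the effective client configuration printed by `ssh -G <host>` and reports whether the SHA-1 `ssh-rsa` algorithm is enabled for host keys, user keys, or both. It assumes an OpenSSH 8.5 or later client (where the option is named `PubkeyAcceptedAlgorithms` and `ssh -G` prints the expanded algorithm lists); the function names, status words and `other.example.org` are hypothetical.

```shell
#!/bin/sh
# Added example, not part of the original message. Reads the text printed by
# `ssh -G <host>` and reports whether RSA/SHA-1 ("ssh-rsa") is enabled.

# has_ssh_rsa OPTION: stdin is `ssh -G` output. Succeeds only if the exact
# name "ssh-rsa" is in OPTION's comma-separated list. rsa-sha2-256 and
# rsa-sha2-512 use the same RSA key with SHA-2 and do not count.
has_ssh_rsa() {
    awk -v opt="$1" '
        tolower($1) == opt {
            n = split($2, alg, ",")
            for (i = 1; i <= n; i++) if (alg[i] == "ssh-rsa") found = 1
        }
        END { exit (found ? 0 : 1) }'
}

# audit_host: stdin is `ssh -G` output; prints one status word.
audit_host() {
    cfg=$(cat)
    h=no; u=no
    printf '%s\n' "$cfg" | has_ssh_rsa hostkeyalgorithms && h=yes
    printf '%s\n' "$cfg" | has_ssh_rsa pubkeyacceptedalgorithms && u=yes
    case "$h$u" in
        yesyes) echo "sha1-host+user" ;;
        yesno)  echo "sha1-host-only" ;;
        noyes)  echo "sha1-user-only" ;;
        *)      echo "sha2-only" ;;
    esac
}

# Constructed sample: abbreviated `ssh -G` output for a host matched by the
# workaround stanza. Real output lists many more options and algorithms.
SAMPLE_PATCHED='hostname git.savannah.gnu.org
hostkeyalgorithms ssh-ed25519,rsa-sha2-512,rsa-sha2-256,ssh-rsa
pubkeyacceptedalgorithms ssh-ed25519,rsa-sha2-512,rsa-sha2-256,ssh-rsa'

if [ "${1:-}" = "--live" ]; then
    # other.example.org is a placeholder for any non-Savannah host you use.
    for host in git.savannah.gnu.org other.example.org; do
        printf '%s: %s\n' "$host" "$(ssh -G "$host" | audit_host)"
    done
else
    printf 'sample: %s\n' "$(printf '%s\n' "$SAMPLE_PATCHED" | audit_host)"
fi
```

Run with `--live` to query the local client: with the stanza scoped as shown in workaround 1, only the Savannah name should report a `sha1-*` status, and after moving to an ED25519 key and removing the stanza it should report `sha2-only` as well.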