New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
No matching host key type found. Their offer: ssh-rsa #750
Comments
We have seen the same issue and as a workaround switched to https based git repo configs.. |
Thanks for your feedback. I'm agree with you, this workaround works but we want to use SSH 😕 |
We have the same issue pointing to an Azure DevOps git repo with an SSH key. This is pretty bad, are there no tests to validate changes? This is a pretty basic use case. |
Even going to HTTPS using a PAT doesn't work. This is seriously critical. |
Hello, why this issue is reported to 2.6.7. |
Hmm, based on the original error message, it's possible this issue is because the Pulling in a GitRepository is executed by https://github.com/rancher/gitjob, which uses https://github.com/rancher/wrangler to execute the Git command in this operation: https://github.com/rancher/wrangler/blob/bf1502dba94db9cf5259e2894ba42dcbc63e5646/pkg/git/git.go#L71-L73 This, in turn, is just a command that gets run within the container using the prepackaged git: https://github.com/rancher/wrangler/blob/bf1502dba94db9cf5259e2894ba42dcbc63e5646/pkg/git/git.go#L321 As a result, the expected value for the hostname should be
On using the repository URL So from a backend perspective, this doesn't seem to be an issue (unless users can provide some more steps to reproduce?) or this should be opened up as an issue in github.com/rancher/dashboard in order to automatically sanitize the |
@gravufo is it possible that you either:
|
I don't believe any of your suggestions apply. It works with the previous version and doesn't work with the update with the exact same settings and setup. There is clearly an issue. |
Warning, the problem is related to the algorithm used (ssh-rsa) by the server for the ssh host key. So it may not be reproducible with Github. |
Found another issue trying to reproduce this one. |
@gravufo I don't disagree with your reasoning that Fleet shouldn't be broken on an upgrade (assuming Fleet is the root cause and not some other environmental issue on your end...). But there are no steps on this ticket that allow me to reproduce the issue that you are experiencing to be able to ascertain what the fix should be. Can you point me in a direction with some steps on how I can reproduce it? Based on the current ticket description, I do not see the issue that you are describing on the latest Fleet release. |
@dtrouillet based on the issue described in the error, I agree with you that the root cause here seems to be related to the fact that the (Git) server that Fleet is talking to is not accepting the cipher / algorithm that Fleet is reaching out to it with (ssh-rsa). This is why the error states However, wouldn't the choice of algorithm be based on the contents of the SSH public and private keys provided to the Fleet GitRepo? If your Git Server does not accept |
I've been looking into this more and I still can't seem to find any reason why Fleet would have incurred any change that would cause this behavior to occur between versions 0.3.8 to 0.3.9. The only noticeable / relevant changes here appear to be the changes to the underlying libraries executing the Git Repository operation, namely:
The I also did try using a BitBucket based private repository (as described in the ticket), but it appears like the OpenSSH 8.8 bump (which is where ssh-rsa seems to have been dropped, re: https://www.linuxadictos.com/en/openssh-8-8-arrives-saying-goodbye-to-ssh-rsa-support-bug-fixes-and-more.html) may not be affecting public BitBucket instances yet, only maybe BitBucket Cloud (enterprise). Since there's no clear direction of where to proceed with this issue unless we have steps to reproduce the issue and identify what the root cause is, I will move this issue to If we can get steps to reproduce, I'd be happy to take a look once again. |
It's likely that the server didn't support a more advanced signature algorithm, just like the Azure issue in #773 (comment) If I understand correctly, all OpenSSH clients since 7.2 should be able to upgrade the algorithm. While there are different ssh versions in play, they should all be new enough:
We have ssh clients in several images: rancher/gitjob, rancher/tekton-utils @dtrouillet like @aiyengar2 said, it's hard to understand why Rancher 2.6.3 would have worked with such a server. Can you provide more information on that server, the OpenSSH version, any special configuration for the algorithms? I also noticed the imagescan feature uses the go-git module and they have a similar issue go-git/go-git#516 |
It seems, the new fleet version 0.3.10 fix this issue. |
Hi Folks, @dtrouillet please check the ssh version of your Bitbucket Repository if you can. I was having similar Problem with Git Update (latest Version for my client pc was the 2.37.2) which come with a OpenSSH > 8.8. At release notes https://www.openssh.com/txt/release-8.8 i read the "Potentially-incompatible changes" and with some extra config in the config file under .ssh folder with next properties: Take into account this is a workaround. Keys and OpenSSH should be updated in both sides of the SSH Connection. Please read link with similar issue, specially Benchmark at the end: |
Thanks for the update @dtrouillet . Can you confirm that the issue is fixed for you, then I think we can close this issue? |
Hi, I confirm that! Regards |
Hello,
When we proceed to an update of Rancher from 2.6.3 to 2.6.4 (so upgrade fleet to 0.3.9), we faced an issue regarding Fleet.
Everything was fine on 2.6.3 but since we proceeded to the update, we are facing this issue. Here is the message we have of every GitRepo:
Regards
The text was updated successfully, but these errors were encountered: