Can't clone a git repo over anonymous SSH

  • Open
  • quality assurance status badge
Details
2 participants
  • Edouard Klein
  • Maxim Cournoyer
Owner
unassigned
Submitted by
Edouard Klein
Severity
normal
E
E
Edouard Klein wrote on 15 Jul 2023 15:25
(name . bug-guix)(address . bug-guix@gnu.org)
87zg3xpaje.fsf@rdklein.fr
Hi all !

I'm trying to write a package for a repo that's accessible through an
anonymous SSH access.

The repo can be cloned with:
git clone git@the-dam.org:permaudit
without any issues.

However, when I use the package definition below, I get the following
error:
guix build: error: Git failure while fetching ssh://git@the-dam.org/permaudit: failed to start SSH session: Unable to exchange encryption keys

Some googling leads me to believe this is a mismatch between the
client's accepted ciphers and the server's accepted ciphers, but both
machines are up-to-date guix systems, so I'm not sure it's that.

I don't want to install an HTTP bridge, git is fine via SSH.

If anybody has any idea, I'm all hears.

Thanks !

Edouard.




(define-public permaudit
(let ((revision "0")
(commit "1cd9fe303076d7656469dbfc455d63aff70d62ed"))
(package
(name "permaudit")
(version (git-version "20230714" revision commit))
(source
(git-checkout
(url "ssh://git@the-dam.org/permaudit")
(commit commit)))
(build-system gnu-build-system)
(arguments
`(#:tests? #f ; no tests
#:phases
(modify-phases %standard-phases
(replace 'configure ; no configure script but taking this
; opportunity to replace the hard
; coded path to permaudit.sh
(lambda* (#:key inputs outputs #:allow-other-keys)
(let* ((out (assoc-ref outputs "out"))
(bin (string-append out "/bin"))
(bash (assoc-ref inputs "bash-minimal")))
(substitute* "permaudit_wrapper.c"
(("/usr/bin/permaudit.sh")
(string-append bin "/permaudit.sh"))
(("/bin/bash")
(string-append bash "/bin/bash")))
(substitute* "permaudit.sh"
(("/bin/bash")
(string-append bash "/bin/bash"))
(("find")
(string-append find "/bin/find"))))))
(replace 'install ; no install target
(lambda* (#:key outputs #:allow-other-keys)
(let* ((out (assoc-ref outputs "out"))
(bin (string-append out "/bin")))
;; Those chmod won't be respected in the store anyway
;; (the store is read-only, and you can't setuid a binary in it)
;; but this is the spirit of upstream's makefile target "install"
(chmod "permaudit.sh" #o644)
(install-file "permaudit.sh" bin)
(chmod "permaudit" #o4754)
(install-file "permaudit" bin)))))))
(inputs
(list bash-minimal coreutils))
(synopsis "Permission audit tool")
(description
"Permaudit lets you see who can read or write on the specified directory.")
(license license:agpl3+))))
M
M
Maxim Cournoyer wrote on 20 Jul 2023 15:17
(name . Edouard Klein)(address . edou@rdklein.fr)(address . 64648@debbugs.gnu.org)
874jlyn2n3.fsf@gmail.com
Hi,

Edouard Klein <edou@rdklein.fr> writes:

Toggle quote (21 lines)
> Hi all !
>
> I'm trying to write a package for a repo that's accessible through an
> anonymous SSH access.
>
> The repo can be cloned with:
> git clone git@the-dam.org:permaudit
> without any issues.
>
> However, when I use the package definition below, I get the following
> error:
> guix build: error: Git failure while fetching ssh://git@the-dam.org/permaudit: failed to start SSH session: Unable to exchange encryption keys
>
> Some googling leads me to believe this is a mismatch between the
> client's accepted ciphers and the server's accepted ciphers, but both
> machines are up-to-date guix systems, so I'm not sure it's that.
>
> I don't want to install an HTTP bridge, git is fine via SSH.
>
> If anybody has any idea, I'm all hears.

Don't they also offer a HTTP(S) access? I think libssh as used by
libgit2 expects an SSH agent running... I remember wresting with it in a
CI context.

--
Thanks,
Maxim
E
E
Edouard Klein wrote on 31 Jul 2023 11:18
(name . Maxim Cournoyer)(address . maxim.cournoyer@gmail.com)(address . 64648@debbugs.gnu.org)
87tttkzbb5.fsf@rdklein.fr
Hi !

Toggle quote (5 lines)
>
> Don't they also offer a HTTP(S) access? I think libssh as used by
> libgit2 expects an SSH agent running... I remember wresting with it in a
> CI context.

Well, "they" is me :) I finally opened up anonymous access via git://
but I'm not extatic about it, it's one more daemon that can be pwnd.


The dedicated service did not work so I rolled my own as a
sheperd-root-service. I did not have the time to look into the issue.

So the problem remains, but is less urgent because it has been worked
around for now. Fixing this upstream seems like a hard battle.
M
M
Maxim Cournoyer wrote on 1 Aug 2023 16:15
(name . Edouard Klein)(address . edou@rdklein.fr)(address . 64648@debbugs.gnu.org)
87jzuesvbn.fsf@gmail.com
Hello,

Edouard Klein <edou@rdklein.fr> writes:

Toggle quote (18 lines)
> Hi !
>
>>
>> Don't they also offer a HTTP(S) access? I think libssh as used by
>> libgit2 expects an SSH agent running... I remember wresting with it in a
>> CI context.
>
> Well, "they" is me :) I finally opened up anonymous access via git://
> but I'm not extatic about it, it's one more daemon that can be pwnd.
>
> https://gitlab.com/edouardklein/guix/-/commit/40e320d14b4c583214cdbd45fb47453c5ebb762a
>
> The dedicated service did not work so I rolled my own as a
> sheperd-root-service. I did not have the time to look into the issue.
>
> So the problem remains, but is less urgent because it has been worked
> around for now. Fixing this upstream seems like a hard battle.

OK; I think the best course of action here would be to come up with a
minimal reproducer written in C using all the API available of libgit2
or libssh2 (which is used by libgit2) and report any issue to their
issue tracker and/or work toward a fix.

It'd be interesting to see how libssh compares, and perhaps attempting
to revive this pull request which adds 'libssh' as a backend to libgit2
here [0]


--
Thanks,
Maxim
?