Can't clone a git repo over anonymous SSH

Open

Details

2 participants

Edouard Klein
Maxim Cournoyer

Owner: unassigned

Submitted by: Edouard Klein

Severity: normal

Edouard Klein wrote on 15 Jul 2023 15:25

Recipients:(name . bug-guix)(address . bug-guix@gnu.org)

Message-ID:87zg3xpaje.fsf@rdklein.fr

Hi all !

I'm trying to write a package for a repo that's accessible through an
anonymous SSH access.

The repo can be cloned with:
git clone git@the-dam.org:permaudit
without any issues.

However, when I use the package definition below, I get the following
error:
guix build: error: Git failure while fetching ssh://git@the-dam.org/permaudit: failed to start SSH session: Unable to exchange encryption keys

Some googling leads me to believe this is a mismatch between the
client's accepted ciphers and the server's accepted ciphers, but both
machines are up-to-date guix systems, so I'm not sure it's that.

I don't want to install an HTTP bridge, git is fine via SSH.

If anybody has any idea, I'm all hears.

Thanks !

Edouard.




(define-public permaudit
  (let ((revision "0")
        (commit "1cd9fe303076d7656469dbfc455d63aff70d62ed"))
    (package
      (name "permaudit")
      (version (git-version "20230714" revision commit))
      (source
       (git-checkout
        (url "ssh://git@the-dam.org/permaudit")
        (commit commit)))
      (build-system gnu-build-system)
      (arguments
       `(#:tests? #f                    ; no tests
         #:phases
         (modify-phases %standard-phases
           (replace 'configure          ; no configure script but taking this
                                        ; opportunity to replace the hard
                                        ; coded path to permaudit.sh
             (lambda* (#:key inputs outputs #:allow-other-keys)
               (let* ((out (assoc-ref outputs "out"))
                      (bin (string-append out "/bin"))
                      (bash (assoc-ref inputs "bash-minimal")))
                 (substitute* "permaudit_wrapper.c"
                   (("/usr/bin/permaudit.sh")
                    (string-append bin "/permaudit.sh"))
                   (("/bin/bash")
                    (string-append bash "/bin/bash")))
                 (substitute* "permaudit.sh"
                   (("/bin/bash")
                    (string-append bash "/bin/bash"))
                   (("find")
                    (string-append find "/bin/find"))))))
           (replace 'install            ; no install target
             (lambda* (#:key outputs #:allow-other-keys)
               (let* ((out (assoc-ref outputs "out"))
                      (bin (string-append out "/bin")))
                 ;; Those chmod won't be respected in the store anyway
                 ;; (the store is read-only, and you can't setuid a binary in it)
                 ;; but this is the spirit of upstream's makefile target "install"
                 (chmod "permaudit.sh" #o644)
                 (install-file "permaudit.sh" bin)
                 (chmod "permaudit" #o4754)
                 (install-file "permaudit" bin)))))))
      (inputs
       (list bash-minimal coreutils))
      (synopsis "Permission audit tool")
      (home-page "https://the-dam.org/docs/explanations/permaudit.html")
      (description
       "Permaudit lets you see who can read or write on the specified directory.")
      (license license:agpl3+))))

Maxim Cournoyer wrote on 20 Jul 2023 15:17

Recipients:(name . Edouard Klein)(address . edou@rdklein.fr)(address . 64648@debbugs.gnu.org)

Message-ID:874jlyn2n3.fsf@gmail.com

Hi,

Edouard Klein <edou@rdklein.fr> writes:

Toggle quote (21 lines)> Hi all !
>
> I'm trying to write a package for a repo that's accessible through an
> anonymous SSH access.
>
> The repo can be cloned with:
> git clone git@the-dam.org:permaudit
> without any issues.
>
> However, when I use the package definition below, I get the following
> error:
> guix build: error: Git failure while fetching ssh://git@the-dam.org/permaudit: failed to start SSH session: Unable to exchange encryption keys
>
> Some googling leads me to believe this is a mismatch between the
> client's accepted ciphers and the server's accepted ciphers, but both
> machines are up-to-date guix systems, so I'm not sure it's that.
>
> I don't want to install an HTTP bridge, git is fine via SSH.
>
> If anybody has any idea, I'm all hears.

Don't they also offer a HTTP(S) access?  I think libssh as used by
libgit2 expects an SSH agent running... I remember wresting with it in a
CI context.

-- 
Thanks,
Maxim

Edouard Klein wrote on 31 Jul 2023 11:18

Recipients:(name . Maxim Cournoyer)(address . maxim.cournoyer@gmail.com)(address . 64648@debbugs.gnu.org)

Message-ID:87tttkzbb5.fsf@rdklein.fr

Hi !

Toggle quote (5 lines)

> Don't they also offer a HTTP(S) access? I think libssh as used by

> libgit2 expects an SSH agent running... I remember wresting with it in a

> CI context.

Well, "they" is me :) I finally opened up anonymous access via git://

but I'm not extatic about it, it's one more daemon that can be pwnd.

https://gitlab.com/edouardklein/guix/-/commit/40e320d14b4c583214cdbd45fb47453c5ebb762a

The dedicated service did not work so I rolled my own as a

sheperd-root-service. I did not have the time to look into the issue.

So the problem remains, but is less urgent because it has been worked

around for now. Fixing this upstream seems like a hard battle.

Maxim Cournoyer wrote on 1 Aug 2023 16:15

Recipients:(name . Edouard Klein)(address . edou@rdklein.fr)(address . 64648@debbugs.gnu.org)

Message-ID:87jzuesvbn.fsf@gmail.com

Hello,

Edouard Klein <edou@rdklein.fr> writes:

Toggle quote (18 lines)> Hi !
>
>>
>> Don't they also offer a HTTP(S) access?  I think libssh as used by
>> libgit2 expects an SSH agent running... I remember wresting with it in a
>> CI context.
>
> Well, "they" is me :) I finally opened up anonymous access via git://
> but I'm not extatic about it, it's one more daemon that can be pwnd.
>
> https://gitlab.com/edouardklein/guix/-/commit/40e320d14b4c583214cdbd45fb47453c5ebb762a
>
> The dedicated service did not work so I rolled my own as a
> sheperd-root-service. I did not have the time to look into the issue.
>
> So the problem remains, but is less urgent because it has been worked
> around for now. Fixing this upstream seems like a hard battle.

OK; I think the best course of action here would be to come up with a

minimal reproducer written in C using all the API available of libgit2

or libssh2 (which is used by libgit2) and report any issue to their

issue tracker and/or work toward a fix.

It'd be interesting to see how libssh compares, and perhaps attempting

to revive this pull request which adds 'libssh' as a backend to libgit2

here [0]

[0] https://github.com/libgit2/libgit2/pull/5253

Thanks,

Maxim

Your comment

Commenting via the web interface is currently disabled.

To comment on this conversation send an email to 64648@debbugs.gnu.org

To respond to this issue using the mumi CLI, first switch to it

mumi current 64648

Then, you may apply the latest patchset in this issue (with sign off)

mumi am -- -s

Or, compose a reply to this issue

mumi compose

Or, send patches to this issue

mumi send-email *.patch

is:open	open issues
is:done	closed issues
submitter:<who>	search issue submitter
author:<who>	search by message author
date:yesterday..now	search by issue date
mdate:3m..2d	search by message date