GNU bug report logs - #64648
Can't clone a git repo over anonymous SSH


Package: guix;

Reported by: Edouard Klein <edou <at> rdklein.fr>

Date: Sat, 15 Jul 2023 13:31:02 UTC

Severity: normal



Report forwarded to bug-guix <at> gnu.org:
bug#64648; Package guix. (Sat, 15 Jul 2023 13:31:02 GMT)

Acknowledgement sent to Edouard Klein <edou <at> rdklein.fr>:
New bug report received and forwarded. Copy sent to bug-guix <at> gnu.org. (Sat, 15 Jul 2023 13:31:02 GMT)

Message #5 received at submit <at> debbugs.gnu.org:

From: Edouard Klein <edou <at> rdklein.fr>
To: bug-guix <bug-guix <at> gnu.org>
Subject: Can't clone a git repo over anonymous SSH
Date: Sat, 15 Jul 2023 15:25:18 +0200
Hi all!

I'm trying to write a package for a repo that's accessible through an
anonymous SSH access.

The repo can be cloned with:
git clone git@the-dam.org:permaudit
without any issues.

However, when I use the package definition below, I get the following
error:
guix build: error: Git failure while fetching ssh://git@the-dam.org/permaudit: failed to start SSH session: Unable to exchange encryption keys

Some googling leads me to believe this is a mismatch between the
client's accepted ciphers and the server's accepted ciphers, but both
machines are up-to-date guix systems, so I'm not sure it's that.

I don't want to install an HTTP bridge, git is fine via SSH.

If anybody has any idea, I'm all ears.

Thanks!

Edouard.




(define-public permaudit
  (let ((revision "0")
        (commit "1cd9fe303076d7656469dbfc455d63aff70d62ed"))
    (package
      (name "permaudit")
      (version (git-version "20230714" revision commit))
      (source
       (git-checkout
        (url "ssh://git@the-dam.org/permaudit")
        (commit commit)))
      (build-system gnu-build-system)
      (arguments
       `(#:tests? #f                    ; no tests
         #:phases
         (modify-phases %standard-phases
           (replace 'configure          ; no configure script but taking this
                                        ; opportunity to replace the hard
                                        ; coded path to permaudit.sh
             (lambda* (#:key inputs outputs #:allow-other-keys)
               (let* ((out (assoc-ref outputs "out"))
                      (bin (string-append out "/bin"))
                      (bash (assoc-ref inputs "bash-minimal"))
                      ;; 'find' is provided by findutils, not coreutils
                      (find (assoc-ref inputs "findutils")))
                 (substitute* "permaudit_wrapper.c"
                   (("/usr/bin/permaudit.sh")
                    (string-append bin "/permaudit.sh"))
                   (("/bin/bash")
                    (string-append bash "/bin/bash")))
                 (substitute* "permaudit.sh"
                   (("/bin/bash")
                    (string-append bash "/bin/bash"))
                   (("find")
                    (string-append find "/bin/find"))))))
           (replace 'install            ; no install target
             (lambda* (#:key outputs #:allow-other-keys)
               (let* ((out (assoc-ref outputs "out"))
                      (bin (string-append out "/bin")))
                 ;; Those chmod won't be respected in the store anyway
                 ;; (the store is read-only, and you can't setuid a binary in it)
                 ;; but this is the spirit of upstream's makefile target "install"
                 (chmod "permaudit.sh" #o644)
                 (install-file "permaudit.sh" bin)
                 (chmod "permaudit" #o4754)
                 (install-file "permaudit" bin)))))))
      (inputs
       (list bash-minimal coreutils findutils))
      (synopsis "Permission audit tool")
      (home-page "https://the-dam.org/docs/explanations/permaudit.html")
      (description
       "Permaudit lets you see who can read or write on the specified directory.")
      (license license:agpl3+))))
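"Unable to exchange encryption keys" is what libssh2 reports when KEXINIT negotiation fails in any algorithm class, so the first check is to compare what the client and server actually propose. The script below is an added example (not from this report or from Guix): it parses the two KEXINIT proposal blocks that `ssh -vv host` prints and applies the RFC 4253 selection rule to each class; the log excerpt inside it is constructed, not a real capture.

```python
import re

# Constructed excerpt in the format `ssh -vv host` prints (not a real capture):
# the server offers only modern algorithms, the client only legacy ones.
SAMPLE_LOG = """\
debug2: local client KEXINIT proposal
debug2: KEX algorithms: diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
debug2: host key algorithms: ssh-rsa,ssh-dss
debug2: ciphers ctos: aes128-ctr,aes256-ctr,3des-cbc
debug2: MACs ctos: hmac-sha2-256,hmac-sha1
debug2: peer server KEXINIT proposal
debug2: KEX algorithms: curve25519-sha256,diffie-hellman-group16-sha512
debug2: host key algorithms: rsa-sha2-512,rsa-sha2-256,ssh-ed25519
debug2: ciphers ctos: chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes256-ctr
debug2: MACs ctos: umac-128-etm@openssh.com,hmac-sha2-256
"""

# Proposal classes we compare (client-to-server direction is enough for a clone).
CLASSES = {"KEX algorithms": "kex", "host key algorithms": "hostkey",
           "ciphers ctos": "cipher", "MACs ctos": "mac"}
LINE_RE = re.compile(r"^debug2: (%s): (.*)$" % "|".join(map(re.escape, CLASSES)))

def parse_proposals(log):
    """Return {'client': {class: [algs...]}, 'server': {...}} from -vv output."""
    proposals, side = {"client": {}, "server": {}}, None
    for line in log.splitlines():
        if "local client KEXINIT proposal" in line:
            side = "client"
        elif "peer server KEXINIT proposal" in line:
            side = "server"
        m = LINE_RE.match(line)
        if m and side:
            proposals[side][CLASSES[m.group(1)]] = [a for a in m.group(2).split(",") if a]
    return proposals

def negotiate(proposals):
    """RFC 4253 rule: first client preference the server also lists; None if disjoint."""
    result = {}
    for cls in CLASSES.values():
        offered = set(proposals["server"].get(cls, []))
        result[cls] = next((a for a in proposals["client"].get(cls, []) if a in offered), None)
    return result

def failing_classes(log):
    """Classes with no common algorithm; a non-empty list means KEXINIT fails."""
    return [cls for cls, alg in negotiate(parse_proposals(log)).items() if alg is None]

if __name__ == "__main__":
    for cls, alg in negotiate(parse_proposals(SAMPLE_LOG)).items():
        print(f"{cls:8} {alg or 'NO COMMON ALGORITHM'}")
```

The local proposal in such a capture is OpenSSH's, not libssh2's, so to test the Guix case replace the client block with the algorithms the libssh2 build behind libgit2 offers; the server block from the same capture is what matters.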




Information forwarded to bug-guix <at> gnu.org:
bug#64648; Package guix. (Thu, 20 Jul 2023 13:18:02 GMT)

Message #8 received at 64648 <at> debbugs.gnu.org:

From: Maxim Cournoyer <maxim.cournoyer <at> gmail.com>
To: Edouard Klein <edou <at> rdklein.fr>
Cc: 64648 <at> debbugs.gnu.org
Subject: Re: bug#64648: Can't clone a git repo over anonymous SSH
Date: Thu, 20 Jul 2023 09:17:20 -0400
Hi,

Edouard Klein <edou <at> rdklein.fr> writes:

> Hi all!
>
> I'm trying to write a package for a repo that's accessible through an
> anonymous SSH access.
>
> The repo can be cloned with:
> git clone git@the-dam.org:permaudit
> without any issues.
>
> However, when I use the package definition below, I get the following
> error:
> guix build: error: Git failure while fetching ssh://git@the-dam.org/permaudit: failed to start SSH session: Unable to exchange encryption keys
>
> Some googling leads me to believe this is a mismatch between the
> client's accepted ciphers and the server's accepted ciphers, but both
> machines are up-to-date guix systems, so I'm not sure it's that.
>
> I don't want to install an HTTP bridge, git is fine via SSH.
>
> If anybody has any idea, I'm all ears.

Don't they also offer an HTTP(S) access?  I think libssh as used by
libgit2 expects an SSH agent running... I remember wrestling with it in a
CI context.

-- 
Thanks,
Maxim




Information forwarded to bug-guix <at> gnu.org:
bug#64648; Package guix. (Mon, 31 Jul 2023 09:22:02 GMT)

Message #11 received at 64648 <at> debbugs.gnu.org:

From: Edouard Klein <edou <at> rdklein.fr>
To: Maxim Cournoyer <maxim.cournoyer <at> gmail.com>
Cc: 64648 <at> debbugs.gnu.org
Subject: Re: bug#64648: Can't clone a git repo over anonymous SSH
Date: Mon, 31 Jul 2023 11:18:04 +0200
Hi!

>
> Don't they also offer an HTTP(S) access?  I think libssh as used by
> libgit2 expects an SSH agent running... I remember wrestling with it in a
> CI context.

Well, "they" is me :) I finally opened up anonymous access via git://
but I'm not ecstatic about it, it's one more daemon that can be pwned.

https://gitlab.com/edouardklein/guix/-/commit/40e320d14b4c583214cdbd45fb47453c5ebb762a

The dedicated service did not work so I rolled my own as a
shepherd-root-service. I did not have the time to look into the issue.

So the problem remains, but is less urgent because it has been worked
around for now. Fixing this upstream seems like a hard battle.




Information forwarded to bug-guix <at> gnu.org:
bug#64648; Package guix. (Tue, 01 Aug 2023 14:16:01 GMT)

Message #14 received at 64648 <at> debbugs.gnu.org:

From: Maxim Cournoyer <maxim.cournoyer <at> gmail.com>
To: Edouard Klein <edou <at> rdklein.fr>
Cc: 64648 <at> debbugs.gnu.org
Subject: Re: bug#64648: Can't clone a git repo over anonymous SSH
Date: Tue, 01 Aug 2023 10:15:08 -0400
Hello,

Edouard Klein <edou <at> rdklein.fr> writes:

> Hi!
>
>>
>> Don't they also offer an HTTP(S) access?  I think libssh as used by
>> libgit2 expects an SSH agent running... I remember wrestling with it in a
>> CI context.
>
> Well, "they" is me :) I finally opened up anonymous access via git://
> but I'm not ecstatic about it, it's one more daemon that can be pwned.
>
> https://gitlab.com/edouardklein/guix/-/commit/40e320d14b4c583214cdbd45fb47453c5ebb762a
>
> The dedicated service did not work so I rolled my own as a
> shepherd-root-service. I did not have the time to look into the issue.
>
> So the problem remains, but is less urgent because it has been worked
> around for now. Fixing this upstream seems like a hard battle.

OK; I think the best course of action here would be to come up with a
minimal reproducer written in C using the API available from libgit2
or libssh2 (which is used by libgit2) and report any issue to their
issue tracker and/or work toward a fix.

It'd be interesting to see how libssh compares, and perhaps to attempt
reviving the pull request that adds 'libssh' as a backend to libgit2 [0].

[0] https://github.com/libgit2/libgit2/pull/5253

-- 
Thanks,
Maxim




This bug report was last modified 1 year and 121 days ago.



GNU bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.