Issue 3517: OpenSSH 7.0 dropped support for diffie-hellman-group1-sha1 - "no matching key exchange method"
Status:  ChangeUnderReview
Owner:  ----


Reported by t...@retout.co.uk, Aug 12, 2015
Affected Version: GerritCodeReview_2.11.2 (SSHD-CORE-0.14.0)

Steps to reproduce:

1. Update openssh client to 7.0
2. Try to 'git pull' from gerrit over ssh

Output:

$ git pull
Unable to negotiate with 192.168.1.101: no matching key exchange method found. Their offer: diffie-hellman-group1-sha1
fatal: Could not read from remote repository.

OpenSSH 7.0 dropped support for several ciphers: http://www.openssh.com/txt/release-7.0

Temporary workaround is to edit .ssh/config as described here: http://www.openssh.com/legacy.html

Aug 26, 2015
#1 gary.bea...@wandisco.com
This only appears to be a problem when you don't install the "Bouncy Castle Crypto SSL v151 libraries" at install time.

Once you put the missing libs in place:
bcpkix-jdk15on-151.jar
bcprov-jdk15on-151.jar

Gerrit should offer diffie-hellman-group14-sha1, which is still supported by OpenSSH 7+.

Credit: WANdisco Engineering team.

Sep 9, 2015
#2 bernhard...@gmail.com
For me it helped to delete the ssh_host_key in the gerrit folder (for me: /var/lib/gerrit/etc/):
$ rm /var/lib/gerrit/etc/ssh_host_key
$ rm /usr/share/java/bcprov.jar   # delete old Bouncy Castle
$ java -jar /usr/share/java/gerrit/gerrit.war init -d /var/lib/gerrit
This asked to download the newest Bouncy Castle jars and regenerated the key.

Now it works.
Oct 13, 2015
Project Member #3 dougk....@gmail.com
Agreed; having Bouncy Castle libraries installed will work with diffie-hellman-group14-sha1.  It shouldn't be necessary to regenerate the SSH keys (though I am working on a simple app to convert the "simple" RSA key to the ssh-keygen format in the event you want to add a DSA host key as well).

If you don't see diffie-hellman-group14-sha1 advertised, make sure you have the proper version of the Bouncy Castle libraries installed (removing them and running "gerrit init" should prompt you for the download, as I recall).
Nov 19, 2015
#4 Y2Ke...@gmail.com
Cross link WIP in review:
https://gerrit-review.googlesource.com/72261
Nov 19, 2015
Project Member #5 dougk....@gmail.com
(No comment was entered for this change.)
Status: ChangeUnderReview
Dec 1, 2015
#6 Y2Ke...@gmail.com
Just to clarify the workaround.  For a standalone/Jetty install (gerrit.sh), place the Bouncy Castle jar in <gerrit site>/lib/.  For Tomcat (daemon.sh), you will have to place it where the actual war is deployed, tomcat/webapps/<something>/WEB-INF/lib/, if your server is configured to unpackWar.
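Added example (not from this issue, Gerrit or Apache SSHD): a small Python check that reads the server's SSH_MSG_KEXINIT and reports whether diffie-hellman-group14-sha1 is advertised, so the Bouncy Castle fix from #1, #3 and #6 can be verified without a full git/ssh login. The Gerrit SSH port 29418, the "kexcheck" client identification string and the constructed KEXINIT used for offline testing are assumptions.

```python
import socket
import struct

SSH_MSG_KEXINIT = 20
LEGACY_KEX = "diffie-hellman-group1-sha1"    # the only KEX Gerrit offers without Bouncy Castle
WANTED_KEX = "diffie-hellman-group14-sha1"   # offered once the bcprov/bcpkix jars are in place
NAME_LISTS = ["kex", "host_key", "enc_c2s", "enc_s2c", "mac_c2s",
              "mac_s2c", "comp_c2s", "comp_s2c", "lang_c2s", "lang_s2c"]


def parse_kexinit(payload: bytes) -> dict:
    """Split an SSH_MSG_KEXINIT payload (RFC 4253 section 7.1) into its ten name-lists."""
    if not payload or payload[0] != SSH_MSG_KEXINIT:
        raise ValueError("payload is not SSH_MSG_KEXINIT")
    pos, lists = 17, {}  # skip the message id and the 16-byte cookie
    for name in NAME_LISTS:
        (n,) = struct.unpack(">I", payload[pos:pos + 4])
        lists[name] = [a for a in payload[pos + 4:pos + 4 + n].decode("ascii").split(",") if a]
        pos += 4 + n
    return lists


def build_kexinit(kex: list) -> bytes:
    """Constructed KEXINIT payload for offline testing only (a real server sends its own)."""
    def nl(items):
        s = ",".join(items).encode("ascii")
        return struct.pack(">I", len(s)) + s
    lists = [kex, ["ssh-rsa"], ["aes128-ctr"], ["aes128-ctr"], ["hmac-sha1"], ["hmac-sha1"],
             ["none"], ["none"], [], []]
    return bytes([SSH_MSG_KEXINIT]) + bytes(16) + b"".join(map(nl, lists)) + bytes(5)


def assess(kex: list) -> str:
    """'ok' if group14 is offered, 'legacy-only' if only the dropped group1 is, else 'other'."""
    if WANTED_KEX in kex:
        return "ok"
    return "legacy-only" if kex == [LEGACY_KEX] else "other"


def server_kex_offer(host: str, port: int = 29418, timeout: float = 5.0) -> list:
    """Connect to the SSH port, swap identification strings, return the advertised KEX list."""
    with socket.create_connection((host, port), timeout=timeout) as s, s.makefile("rb") as f:
        s.sendall(b"SSH-2.0-kexcheck\r\n")
        line = f.readline()
        while line and not line.startswith(b"SSH-"):  # servers may send banner lines first
            line = f.readline()
        packet_len, pad_len = struct.unpack(">IB", f.read(5))
        payload = f.read(packet_len - 1)  # the first packet after the ident is KEXINIT
        if len(payload) != packet_len - 1:
            raise ConnectionError("truncated KEXINIT packet")
        return parse_kexinit(payload[:packet_len - 1 - pad_len])["kex"]
```

Run `assess(server_kex_offer("gerrit.example", 29418))` against the Gerrit host; "legacy-only" means the OpenSSH 7.0 failure above will still occur.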