I cannot pull from src.fedoraproject.org:

    ❯ git pull
    Unable to negotiate with 38.145.60.17 port 22: no matching host key type found. Their offer: rsa-sha2-512,rsa-sha2-256,ssh-rsa,rsa-sha2-512-cert-v01@openssh.com,rsa-sha2-256-cert-v01@openssh.com,ssh-rsa-cert-v01@openssh.com
    fatal: Could not read from remote repository.

    Please make sure you have the correct access rights
    and the repository exists.

Verbose log:

    ❯ ssh -vvv defolos@pkgs.fedoraproject.org
    OpenSSH_8.8p1, OpenSSL 3.0.5 5 Jul 2022
    debug1: Reading configuration data /home/dan/.ssh/config
    debug1: Reading configuration data /etc/ssh/ssh_config
    debug1: /etc/ssh/ssh_config line 4: Applying options for *
    debug3: kex names ok: [curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256]
    debug1: /etc/ssh/ssh_config line 11: Deprecated option "useroaming"
    debug3: expanded UserKnownHostsFile '~/.ssh/known_hosts' -> '/home/dan/.ssh/known_hosts'
    debug3: expanded UserKnownHostsFile '~/.ssh/known_hosts2' -> '/home/dan/.ssh/known_hosts2'
    debug2: resolving "pkgs.fedoraproject.org" port 22
    debug3: resolve_host: lookup pkgs.fedoraproject.org:22
    debug3: ssh_connect_direct: entering
    debug1: Connecting to pkgs.fedoraproject.org [38.145.60.17] port 22.
    debug3: set_sock_tos: set socket 3 IP_TOS 0x48
    debug1: Connection established.
    debug1: identity file /home/dan/.ssh/id_rsa type 0
    debug1: identity file /home/dan/.ssh/id_rsa-cert type -1
    debug1: identity file /home/dan/.ssh/id_dsa type -1
    debug1: identity file /home/dan/.ssh/id_dsa-cert type -1
    debug1: identity file /home/dan/.ssh/id_ecdsa type -1
    debug1: identity file /home/dan/.ssh/id_ecdsa-cert type -1
    debug1: identity file /home/dan/.ssh/id_ecdsa_sk type -1
    debug1: identity file /home/dan/.ssh/id_ecdsa_sk-cert type -1
    debug1: identity file /home/dan/.ssh/id_ed25519 type 3
    debug1: identity file /home/dan/.ssh/id_ed25519-cert type -1
    debug1: identity file /home/dan/.ssh/id_ed25519_sk type -1
    debug1: identity file /home/dan/.ssh/id_ed25519_sk-cert type -1
    debug1: identity file /home/dan/.ssh/id_xmss type -1
    debug1: identity file /home/dan/.ssh/id_xmss-cert type -1
    debug1: Local version string SSH-2.0-OpenSSH_8.8
    debug1: Remote protocol version 2.0, remote software version OpenSSH_8.0
    debug1: compat_banner: match: OpenSSH_8.0 pat OpenSSH* compat 0x04000000
    debug2: fd 3 setting O_NONBLOCK
    debug1: Authenticating to pkgs.fedoraproject.org:22 as 'defolos'
    debug3: send packet: type 20
    debug1: SSH2_MSG_KEXINIT sent
    debug3: receive packet: type 20
    debug1: SSH2_MSG_KEXINIT received
    debug2: local client KEXINIT proposal
    debug2: KEX algorithms: curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256,ext-info-c
    debug2: host key algorithms: ssh-ed25519-cert-v01@openssh.com,ssh-ed25519
    debug2: ciphers ctos: chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
    debug2: ciphers stoc: chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
    debug2: MACs ctos: hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com
    debug2: MACs stoc: hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com
    debug2: compression ctos: none,zlib@openssh.com,zlib
    debug2: compression stoc: none,zlib@openssh.com,zlib
    debug2: languages ctos:
    debug2: languages stoc:
    debug2: first_kex_follows 0
    debug2: reserved 0
    debug2: peer server KEXINIT proposal
    debug2: KEX algorithms: curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1
    debug2: host key algorithms: rsa-sha2-512,rsa-sha2-256,ssh-rsa,rsa-sha2-512-cert-v01@openssh.com,rsa-sha2-256-cert-v01@openssh.com,ssh-rsa-cert-v01@openssh.com
    debug2: ciphers ctos: aes256-gcm@openssh.com,chacha20-poly1305@openssh.com,aes256-ctr,aes256-cbc,aes128-gcm@openssh.com,aes128-ctr,aes128-cbc
    debug2: ciphers stoc: aes256-gcm@openssh.com,chacha20-poly1305@openssh.com,aes256-ctr,aes256-cbc,aes128-gcm@openssh.com,aes128-ctr,aes128-cbc
    debug2: MACs ctos: hmac-sha2-256-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha2-256,hmac-sha1,umac-128@openssh.com,hmac-sha2-512
    debug2: MACs stoc: hmac-sha2-256-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha2-256,hmac-sha1,umac-128@openssh.com,hmac-sha2-512
    debug2: compression ctos: none,zlib@openssh.com
    debug2: compression stoc: none,zlib@openssh.com
    debug2: languages ctos:
    debug2: languages stoc:
    debug2: first_kex_follows 0
    debug2: reserved 0
    debug1: kex: algorithm: curve25519-sha256@libssh.org
    debug1: kex: host key algorithm: (no match)
    Unable to negotiate with 38.145.60.17 port 22: no matching host key type found. Their offer: rsa-sha2-512,rsa-sha2-256,ssh-rsa,rsa-sha2-512-cert-v01@openssh.com,rsa-sha2-256-cert-v01@openssh.com,ssh-rsa-cert-v01@openssh.com

my ssh_config:

    ❯ cat /etc/ssh/ssh_config
    #
    # Custom crypto settings
    #
    Host *
        HostKeyAlgorithms ssh-ed25519-cert-v01@openssh.com,ssh-rsa-cert-v01@openssh.com,ssh-ed25519,ssh-rsa
        KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256
        MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com
        Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
        UseRoaming no
        GlobalKnownHostsFile /etc/ssh/ssh_known_hosts
        SendEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
        SendEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
        SendEnv LC_IDENTIFICATION LC_ALL

Preferably in the next few days as I need to update emacs very urgently.
So doing research, I don't know how this worked in the past. I looked at the logs and since IT rolled out the ed25519 algorithms since 2020, pkgs01 and pagure01 have been explicitly turned off from using ed25519. While updates were done on the host yesterday and there were changes to the basessh template, I do not see them changing where ed25519 would stop working.
Metadata Update from @phsmoura: - Issue priority set to: Waiting on Assignee (was: Needs Review) - Issue tagged with: medium-gain, medium-trouble, ops
To be clear: this used to work fine for you, but now does not?
Can you try again now?
Yes, a week ago it worked just fine.
It still doesn't work unfortunately.
ok, can you try again now?
It's still broken, but I was able to work around via this entry in ~/.ssh/config:

    HOST pkgs.fedoraproject.org
        HostKeyAlgorithms rsa-sha2-256,rsa-sha2-256-cert-v01@openssh.com,rsa-sha2-512,rsa-sha2-512-cert-v01@openssh.com,ssh-rsa,ssh-rsa-cert-v01@openssh.com

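Added example (not part of the ticket or of any Fedora tooling): the failure in this thread is a host key algorithm negotiation with an empty intersection. This Python sketch parses the two `host key algorithms` lines from the posted `ssh -vvv` output, applies the rule that the first name on the client's list also offered by the server is chosen, and checks the posted workaround against the server's offer. The function names and the `sha2_only_override` helper, which drops the SHA-1 based `ssh-rsa` names from the server's offer, are assumptions of this example.

```python
import re

# Host key lines copied from the `ssh -vvv` output in this ticket (other fields omitted).
SAMPLE_LOG = """\
debug2: local client KEXINIT proposal
debug2: host key algorithms: ssh-ed25519-cert-v01@openssh.com,ssh-ed25519
debug2: peer server KEXINIT proposal
debug2: host key algorithms: rsa-sha2-512,rsa-sha2-256,ssh-rsa,rsa-sha2-512-cert-v01@openssh.com,rsa-sha2-256-cert-v01@openssh.com,ssh-rsa-cert-v01@openssh.com
"""
# HostKeyAlgorithms value from the ~/.ssh/config workaround in this ticket.
WORKAROUND = ("rsa-sha2-256,rsa-sha2-256-cert-v01@openssh.com,rsa-sha2-512,"
              "rsa-sha2-512-cert-v01@openssh.com,ssh-rsa,ssh-rsa-cert-v01@openssh.com").split(",")
# Algorithm names whose RSA signature is made over SHA-1.
SHA1_RSA = {"ssh-rsa", "ssh-rsa-cert-v01@openssh.com"}

SECTION = re.compile(r"debug2: (local client|peer server) KEXINIT proposal")
HOSTKEY = re.compile(r"debug2: host key algorithms: (\S+)")


def parse_hostkey_proposals(log):
    """Return {'client': [...], 'server': [...]} from ssh -vvv output."""
    proposals, side = {}, None
    for line in log.splitlines():
        section = SECTION.search(line)
        if section:
            side = "client" if section.group(1) == "local client" else "server"
            continue
        hostkey = HOSTKEY.search(line)
        if hostkey and side:
            proposals[side] = hostkey.group(1).split(",")
    return proposals


def negotiate(client, server):
    """First name on the client's list that the server also offers, else None."""
    offered = set(server)
    return next((alg for alg in client if alg in offered), None)


def sha2_only_override(server):
    """Server-offered names minus the SHA-1 RSA ones, for a per-host override."""
    return [alg for alg in server if alg not in SHA1_RSA]


if __name__ == "__main__":
    p = parse_hostkey_proposals(SAMPLE_LOG)
    print("as logged:      ", negotiate(p["client"], p["server"]))
    print("with workaround:", negotiate(WORKAROUND, p["server"]))
    print("HostKeyAlgorithms", ",".join(sha2_only_override(p["server"])))
```

Because the server already offers the `rsa-sha2-*` names, a per-host `HostKeyAlgorithms` line built from `sha2_only_override` still negotiates without re-enabling SHA-1 RSA signatures.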
Huh, well, I am not at all sure what would have changed... but I guess you are working again, and I have not seen anyone else with issues, so let's go ahead and close this out.
Thanks for your patience.
Metadata Update from @kevin: - Issue close_status updated to: Fixed - Issue status updated to: Closed (was: Open)