salt: Unable to access GitHub since algorithm changes: failed to start SSH session: Unable to exchange encryption keys
Description of Issue/Question
When executing salt-run fileserver.update, I get:
[ERROR ] Error occurred fetching gitfs remote 'git@github.com:org/repo-c.git': failed to start SSH session: Unable to exchange encryption keys
Traceback (most recent call last):
File "/usr/lib/python2.7/dist-packages/salt/utils/gitfs.py", line 1549, in _fetch
fetch_results = origin.fetch(**fetch_kwargs)
File "/usr/lib64/python2.7/dist-packages/pygit2/remote.py", line 405, in fetch
check_error(err)
File "/usr/lib64/python2.7/dist-packages/pygit2/errors.py", line 64, in check_error
raise GitError(message)
GitError: failed to start SSH session: Unable to exchange encryption keys
True
Setup
We have 3 repos, repo-a and repo-b which are public and repo-c which is private.
repo-a and repo-b are used for Salt config, repo-c is used for Salt and Pillar.
We’re using gitfs, for both Salt and for Pillar:
gitfs_provider: pygit2
#
# When using the git fileserver backend at least one git remote needs to be
# defined. The user running the salt master will need read access to the repo.
#
# The repos will be searched in order to find the file requested by a client
# and the first repo to have the file will return it.
# When using the git backend branches and tags are translated into salt
# environments.
# Note: file:// repos will be treated as a remote, so refs you want used must
# exist in that repo as *local* refs.
gitfs_remotes:
  - https://github.com/org/repo-a
  - https://github.com/org/repo-b
  - git@github.com:org/repo-c.git:
    - root: salt
    - pubkey: /root/.ssh/id_rsa.pub
    - privkey: /root/.ssh/id_rsa
git_pillar_pubkey: /root/.ssh/id_rsa.pub
git_pillar_privkey: /root/.ssh/id_rsa
git_pillar_provider: pygit2
ext_pillar:
  - git:
    - master git@github.com:org/repo-c.git:
      - root: pillar
As of yesterday, salt-run fileserver.update fails, I believe due to this change: https://github.com/blog/2507-weak-cryptographic-standards-removed
According to this comment https://github.com/saltstack/salt/issues/38066#issuecomment-367834402 and the responses below it, upgrading libssh2 seems to solve the problem.
However, I don’t seem to be able to upgrade libssh2 - I’m running the Amazon Linux AMI and it’s on its latest version (1.4.2-2.13.amzn1).
Oddly, commenting out repo-c from the gitfs configuration but leaving it in the pillar configuration appears to work fine.
I’ve also attempted to switch to GitPython, changing the gitfs configuration to:
gitfs_provider: gitpython
#
# When using the git fileserver backend at least one git remote needs to be
# defined. The user running the salt master will need read access to the repo.
#
# The repos will be searched in order to find the file requested by a client
# and the first repo to have the file will return it.
# When using the git backend branches and tags are translated into salt
# environments.
# Note: file:// repos will be treated as a remote, so refs you want used must
# exist in that repo as *local* refs.
gitfs_remotes:
  - ssh://git@github.com/org/repo-a.git
  - ssh://git@github.com/org/repo-b.git
  - ssh://git@github.com:org/repo-c.git:
    - root: salt
This also does not work, unless I do the following:
GIT_SSH_COMMAND=~/git.sh salt-run fileserver.update
where git.sh looks like this:
#!/bin/sh
exec /usr/bin/ssh -o StrictHostKeyChecking=no "$@"
We’ve also tried changing the ~/.ssh/config to include specific key algorithms but this ssh_config appears to be ignored.
For instance:
Host github.com
  Hostname localhost
… shows the same errors (even though I’d expect it to fail in some other way).
SSH and Git from the command line work fine:
ssh -T git@github.com
Hi <user>! You've successfully authenticated, but GitHub does not provide shell access.
Steps to Reproduce Issue
Execute salt-run fileserver.update -l debug
[DEBUG ] Reading configuration from /etc/salt/master
[DEBUG ] Using cached minion ID from /etc/salt/minion_id: ip-aa-bb-cc-dd.eu-west-1.compute.internal
[DEBUG ] Missing configuration file: /root/.saltrc
[DEBUG ] Configuration file path: /etc/salt/master
[WARNING ] Insecure logging configuration detected! Sensitive data may be logged.
[DEBUG ] LazyLoaded fileserver.update
[DEBUG ] Reading configuration from /etc/salt/master
[DEBUG ] Including configuration from '/etc/salt/minion.d/_schedule.conf'
[DEBUG ] Reading configuration from /etc/salt/minion.d/_schedule.conf
[DEBUG ] Using cached minion ID from /etc/salt/minion_id: ip-aa-bb-cc-dd.eu-west-1.compute.internal
[DEBUG ] Reading configuration from /etc/salt/master
[DEBUG ] Please install 'virt-what' to improve results of the 'virtual' grain.
[DEBUG ] MasterEvent PUB socket URI: /var/run/salt/master/master_event_pub.ipc
[DEBUG ] MasterEvent PULL socket URI: /var/run/salt/master/master_event_pull.ipc
[DEBUG ] Popen(['git', 'version'], cwd=/var/cache/salt/master, universal_newlines=False, shell=None)
[INFO ] git version -> 0; stdout: 'git version 2.13.6'
[DEBUG ] Popen(['git', 'version'], cwd=/var/cache/salt/master, universal_newlines=False, shell=None)
[INFO ] git version -> 0; stdout: 'git version 2.13.6'
[DEBUG ] Initializing new IPCClient for path: /var/run/salt/master/master_event_pull.ipc
[DEBUG ] Sending event: tag = salt/run/20180223124139527449/new; data = {'fun': 'runner.fileserver.update', 'fun_args': [], 'jid': '20180223124139527449', 'user': 'root', '_stamp': '2018-02-23T12:41:39.935851'}
[DEBUG ] pygit2 gitfs_provider enabled
[DEBUG ] LazyLoaded git.envs
[DEBUG ] Updating git fileserver cache
[DEBUG ] Set update lock for gitfs remote 'https://github.com/org/repo-a'
[DEBUG ] Fetching gitfs remote 'https://github.com/org/repo-a'
[DEBUG ] gitfs remote 'https://github.com/org/repo-a' is up-to-date
[DEBUG ] Removed update lock for gitfs remote 'https://github.com/org/repo-a'
[DEBUG ] Set update lock for gitfs remote 'https://github.com/org/repo-b'
[DEBUG ] Fetching gitfs remote 'https://github.com/org/repo-b'
[DEBUG ] gitfs remote 'https://github.com/org/repo-b' is up-to-date
[DEBUG ] Removed update lock for gitfs remote 'https://github.com/org/repo-b'
[DEBUG ] Set update lock for gitfs remote 'git@github.com:org/repo-c.git'
[DEBUG ] Fetching gitfs remote 'git@github.com:org/repo-c.git'
[ERROR ] Error occurred fetching gitfs remote 'git@github.com:org/repo-c.git': failed to start SSH session: Unable to exchange encryption keys
Traceback (most recent call last):
File "/usr/lib/python2.7/dist-packages/salt/utils/gitfs.py", line 1549, in _fetch
fetch_results = origin.fetch(**fetch_kwargs)
File "/usr/lib64/python2.7/dist-packages/pygit2/remote.py", line 405, in fetch
check_error(err)
File "/usr/lib64/python2.7/dist-packages/pygit2/errors.py", line 64, in check_error
raise GitError(message)
GitError: failed to start SSH session: Unable to exchange encryption keys
[DEBUG ] Removed update lock for gitfs remote 'git@github.com:org/repo-c.git'
[DEBUG ] LazyLoaded local_cache.prep_jid
[DEBUG ] Sending event: tag = salt/run/20180223124139527449/ret; data = {'fun_args': [], 'jid': '20180223124139527449', 'return': True, 'success': True, '_stamp': '2018-02-23T12:41:41.815482', 'user': 'root', 'fun': 'runner.fileserver.update'}
[DEBUG ] LazyLoaded nested.output
True
[INFO ] Runner completed: 20180223124139527449
[DEBUG ] Runner return: True
Versions Report
Master:
Salt Version:
Salt: 2017.7.3
Dependency Versions:
cffi: 1.10.0
cherrypy: Not Installed
dateutil: 2.1
docker-py: Not Installed
gitdb: 2.0.3
gitpython: 2.1.8
ioflo: Not Installed
Jinja2: 2.7.2
libgit2: 0.26.0
libnacl: Not Installed
M2Crypto: Not Installed
Mako: Not Installed
msgpack-pure: Not Installed
msgpack-python: 0.4.6
mysql-python: Not Installed
pycparser: 2.18
pycrypto: 2.6.1
pycryptodome: Not Installed
pygit2: 0.26.3
Python: 2.7.13 (default, Jan 31 2018, 00:17:36)
python-gnupg: 0.4.1
PyYAML: 3.10
PyZMQ: 14.5.0
RAET: Not Installed
smmap: 2.0.3
timelib: Not Installed
Tornado: 4.2.1
ZMQ: 4.0.5
System Versions:
dist:
locale: UTF-8
machine: x86_64
release: 4.9.27-14.31.amzn1.x86_64
system: Linux
version: Not Installed
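"Unable to exchange encryption keys" is libssh2 reporting that SSH algorithm negotiation failed: each side sends a KEXINIT packet listing the key-exchange, host-key, cipher and MAC algorithms it supports, and the winner for each category is the first entry on the client's list that the server also offers (RFC 4253 section 7.1). If the key-exchange lists do not intersect, the session never gets as far as authentication, which is why the same key that works for the system ssh (a different SSH implementation with its own, newer algorithm lists, and the only one that reads ~/.ssh/config) fails under pygit2 -> libgit2 -> libssh2. The script below is an added example, not code from this issue, Salt, pygit2 or libssh2. It builds, frames and parses KEXINIT packets, replays the negotiation over two lists, and when pointed at a live server with probe() returns exactly what that server offers. SERVER_EXAMPLE and LEGACY_CLIENT_EXAMPLE are constructed for illustration; they are not captured from GitHub and are not a claim about what libssh2 1.4.2 proposes.

```python
"""Added example: build, frame and parse SSH KEXINIT packets (RFC 4253 s6, s7.1)
and replay the algorithm negotiation that must succeed before libssh2 can
start a session.  Not part of Salt, pygit2 or libssh2."""
import os
import socket
import struct

SSH_MSG_KEXINIT = 20
# The ten name-lists of a KEXINIT payload, in wire order.
NAME_LISTS = ("kex", "host_key", "enc_c2s", "enc_s2c", "mac_c2s", "mac_s2c",
              "comp_c2s", "comp_s2c", "lang_c2s", "lang_s2c")

# Constructed lists for illustration only (not captured from GitHub or libssh2).
SERVER_EXAMPLE = {
    "kex": ["curve25519-sha256", "ecdh-sha2-nistp256",
            "diffie-hellman-group-exchange-sha256"],
    "host_key": ["ssh-ed25519", "rsa-sha2-512", "ssh-rsa"],
    "enc_c2s": ["chacha20-poly1305@openssh.com", "aes256-gcm@openssh.com", "aes128-ctr"],
    "enc_s2c": ["chacha20-poly1305@openssh.com", "aes256-gcm@openssh.com", "aes128-ctr"],
    "mac_c2s": ["hmac-sha2-256", "hmac-sha2-512"],
    "mac_s2c": ["hmac-sha2-256", "hmac-sha2-512"],
    "comp_c2s": ["none"], "comp_s2c": ["none"], "lang_c2s": [], "lang_s2c": [],
}
# A constructed client that only offers SHA-1 fixed-group key exchange:
# every other category negotiates, but "kex" has nothing in common.
LEGACY_CLIENT_EXAMPLE = {
    "kex": ["diffie-hellman-group14-sha1", "diffie-hellman-group1-sha1"],
    "host_key": ["ssh-rsa"],
    "enc_c2s": ["aes128-ctr", "aes128-cbc"], "enc_s2c": ["aes128-ctr", "aes128-cbc"],
    "mac_c2s": ["hmac-sha1"], "mac_s2c": ["hmac-sha1"],
    "comp_c2s": ["none"], "comp_s2c": ["none"], "lang_c2s": [], "lang_s2c": [],
}


def _name_list(names):
    """RFC 4251 name-list: uint32 length + comma-separated ASCII names."""
    raw = ",".join(names).encode("ascii")
    return struct.pack(">I", len(raw)) + raw


def build_kexinit(lists, cookie=b"\x00" * 16):
    """KEXINIT payload: msg byte, 16-byte cookie, ten name-lists, bool, uint32 0."""
    payload = bytes([SSH_MSG_KEXINIT]) + cookie
    for key in NAME_LISTS:
        payload += _name_list(lists.get(key, []))
    return payload + b"\x00" + struct.pack(">I", 0)


def frame_packet(payload):
    """Unencrypted SSH binary packet: uint32 length, byte padlen, payload, >=4 pad, total % 8 == 0."""
    padding = 8 - ((len(payload) + 5) % 8)
    if padding < 4:
        padding += 8
    body = bytes([padding]) + payload + os.urandom(padding)
    return struct.pack(">I", len(body)) + body


def unframe_packet(data):
    """Inverse of frame_packet: strip length, padding length and padding."""
    (length,) = struct.unpack(">I", data[:4])
    body = data[4:4 + length]
    return body[1:length - body[0]]


def parse_kexinit(payload):
    """Decode a KEXINIT payload into {name-list: [algorithms]}."""
    if not payload or payload[0] != SSH_MSG_KEXINIT:
        raise ValueError("not a KEXINIT payload")
    pos, out = 17, {}                      # skip msg byte + cookie
    for key in NAME_LISTS:
        (n,) = struct.unpack(">I", payload[pos:pos + 4])
        raw = payload[pos + 4:pos + 4 + n].decode("ascii")
        out[key] = raw.split(",") if raw else []
        pos += 4 + n
    return out


def negotiate(client, server):
    """RFC 4253 s7.1: first client entry the server also lists, else None.
    (The host-key/kex compatibility refinement in the RFC is omitted here.)"""
    for alg in client:
        if alg in server:
            return alg
    return None


def check_client(client, server):
    """Negotiate the eight mandatory categories; None anywhere means no session."""
    return {k: negotiate(client.get(k, []), server.get(k, [])) for k in NAME_LISTS[:8]}


def probe(host, port=22, timeout=10):
    """Live check: exchange version strings and return the server's KEXINIT lists."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        reader = sock.makefile("rb")
        while True:                        # servers may send banner lines first
            line = reader.readline()
            if not line:
                raise ConnectionError("no SSH version string received")
            if line.startswith(b"SSH-"):
                break
        sock.sendall(b"SSH-2.0-kexprobe_0.1\r\n")
        header = reader.read(4)
        (length,) = struct.unpack(">I", header)
        return parse_kexinit(unframe_packet(header + reader.read(length)))
```

Run `probe("github.com")["kex"]` from the Salt master to see the server's current key-exchange list, and compare it with what the libssh2 copy that libgit2 links against can offer (`ssh -Q kex` shows only the system OpenSSH's list, which is why `ssh -T git@github.com` succeeding proves nothing about pygit2). check_client(LEGACY_CLIENT_EXAMPLE, SERVER_EXAMPLE) reproduces the failure shape: every category except "kex" negotiates, and that one None is enough to abort the session.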
About this issue
- State: closed
- Created 6 years ago
- Reactions: 2
- Comments: 30 (15 by maintainers)
You do not have to make it id_rsa, you can add this to your /root/.ssh/config to use GitPython. And it will also work; GitPython just uses the git binary directly, so it will use the regular ssh on the system, which will use the .ssh/config file.
If you need multiple deployment keys, you can set up deployment aliases in .ssh/config
And then set them up as
I was unable to get the code from @deuscapturus to work (no .so files were generated) - but I’ve managed to replace all our PyGit2 configuration with GitPython.
… and that seems to work.
I had to explicitly make the key we use to access repo-c (the private one) the id_rsa/id_rsa.pub and remove git_pillar_pubkey and git_pillar_privkey to avoid errors on start.
We compiled from current master of libssh2. This resolved the issue.
This is super hacky! DO AT YOUR OWN RISK
If you are using RedHat, you should have a contract with them, certainly you could open a ticket in their bugzilla and ask.
I’m tearing my hair out trying to get pygit2 working with CentOS and ssh authentication against github. It was working fine with the standard yum package python-pygit2 until the recent github changes. I’m now trying to recompile everything with libssh2 1.8.0 but haven’t been able to find something that works yet. The salt master seems unable to detect that pygit2 is available. “No suitable gitfs provider module is installed” is logged, even though fileserver.update seems to work.
salt-master --versions-report:
Here’s how I installed pygit2:
When I manually run fileserver.update it seems to work.
But in the salt master logs after restarting the service:
Edit: I've finally gotten it to work with a variation of deuscapturus' suggestion. I had the same problem as edhgoose (no .so files were generated) but this worked:
After running the above the salt master was able to get files from github. This is still very hacky though obviously.
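Several of the rebuild attempts above end with Salt either still failing the key exchange or logging "No suitable gitfs provider module is installed", and the versions report only shows libgit2/pygit2 versions, not which libssh2 they actually load. The diagnostic below is an added example, not code from this issue or from Salt; it asks libssh2 itself for its version (libssh2_version(0) returns the version string), checks whether the importable pygit2's libgit2 was built with SSH support (pygit2.features and pygit2.GIT_FEATURE_SSH), and turns the two facts into a verdict. The 1.8.0 floor is an assumption taken from the comment above that reported success with that release, not a tested minimum.

```python
"""Added example: report which libssh2 this Python can load and whether the
installed pygit2/libgit2 has SSH support, without involving Salt.
Not part of Salt or pygit2."""
import ctypes
import ctypes.util
import re


def parse_version(text):
    """'1.4.2-2.13.amzn1' -> (1, 4, 2); distro release tags are ignored."""
    parts = [int(p) for p in re.findall(r"\d+", text)[:3]]
    return tuple(parts + [0] * (3 - len(parts)))


def loaded_libssh2_version():
    """Version string of the libssh2 the dynamic loader resolves, or None."""
    name = ctypes.util.find_library("ssh2") or "libssh2.so.1"
    try:
        lib = ctypes.CDLL(name)
    except OSError:
        return None
    lib.libssh2_version.restype = ctypes.c_char_p
    lib.libssh2_version.argtypes = [ctypes.c_int]
    value = lib.libssh2_version(0)       # 0 = no minimum, just return the string
    return value.decode("ascii") if value else None


def pygit2_ssh_support():
    """(libgit2 version, ssh_enabled) for the importable pygit2, or None."""
    try:
        import pygit2
    except ImportError:
        return None
    ssh = bool(pygit2.features & pygit2.GIT_FEATURE_SSH)
    return pygit2.LIBGIT2_VERSION, ssh


def assess(libssh2_version, pygit2_info, minimum="1.8.0"):
    """Verdict from the raw facts. 'minimum' is an assumption (the release a
    commenter reported working), not a tested floor."""
    if pygit2_info is None:
        return "pygit2 not importable: Salt cannot use the pygit2 provider"
    libgit2_version, ssh = pygit2_info
    if not ssh:
        return "libgit2 %s built without SSH: git@ remotes cannot work" % libgit2_version
    if libssh2_version is None:
        return "libgit2 has SSH support but no libssh2 could be loaded"
    if parse_version(libssh2_version) < parse_version(minimum):
        return "libssh2 %s is older than %s: expect key exchange failures" % (
            libssh2_version, minimum)
    return "libssh2 %s, libgit2 %s with SSH: looks usable" % (
        libssh2_version, libgit2_version)


if __name__ == "__main__":
    print(assess(loaded_libssh2_version(), pygit2_ssh_support()))
```

Run it as the user the salt-master runs as, with the same interpreter. One caveat: find_library resolves the libssh2 the loader would pick for a fresh process, which is not necessarily the copy libgit2 was linked against (a hand-built libgit2 or a pip wheel can carry its own); confirm with `ldd` on the libgit2 shared object that pygit2 imports before trusting a "looks usable" result.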
Ubuntu 17.10 also has the updated version of libssh2 in its repos. So if you can upgrade your salt-master to that, it’s another path to get your gitfs/git pillars working.
I built a new Salt master today and ran into this issue again due to the latest release of pygit2 v0.26.4. I’m not sure if it’s compatible with Salt 2018.3.2. I ended up getting around this problem by installing pygit2 v0.26.3 which was harder than you would think because 0.26.4 is the only version available via yum.
Note: This fix needs to be applied in addition to the one in my earlier comment.
Also that token should be fixed, so you should be able to sign up now for the community slack