Details
- Bug
- Resolution: Tracked Elsewhere
- High
- 7.2.10
- None
- 1
- Severity 2 - Major
Description
Issue Summary
After upgrading Bamboo to 7.2.10, new linked repositories cannot be created with Bitbucket Server. Bamboo cannot communicate with Bitbucket Server through SSH_PROXY because the ssh-rsa host key algorithm is missing in OpenSSH_8.9p1, the version that ships with the Docker image of Bamboo Server 7.2.10.
The issue occurs with the existing linked repositories as well.
Steps to Reproduce
- Pull the docker image atlassian/bamboo-server:7.2.10-jdk8 from docker hub registry.
- Create a docker container with the image and start the Bamboo instance.
- Create an Application link for the Bitbucket server (version 7.17.9).
- Try to create a linked repository from the Bamboo overview > linked repositories tab.
NOTE: This also happens on non-Docker instances where OpenSSH is 8.8 or later, because RSA signatures using the SHA-1 hash algorithm are now disabled by default.
Expected Results
- Linked repository should be created successfully with Bitbucket server.
Actual Results
- The Bamboo UI shows the following error:

    Unable to negotiate with 127.0.0.1 port 35937: no matching host key type found. Their offer: ssh-rsa
    fatal: Could not read from remote repository.
    Please make sure you have the correct access rights and the repository exists.

The following exception is logged in the atlassian-bamboo.log file:

    2022-07-28 13:24:41,141 WARN [sshd-SshServer[1fea5ce6]-nio2-thread-6] [ServerSessionImpl] exceptionCaught(ServerSessionImpl[null@/127.0.0.1:54618])[state=Opened] IllegalStateException: Unable to negotiate key exchange for server host key algorithms (client: ssh-ed25519-cert-v01@openssh.com,ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521-cert-v01@openssh.com,sk-ssh-ed25519-cert-v01@openssh.com,sk-ecdsa-sha2-nistp256-cert-v01@openssh.com,rsa-sha2-512-cert-v01@openssh.com,rsa-sha2-256-cert-v01@openssh.com,ssh-ed25519,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,sk-ssh-ed25519@openssh.com,sk-ecdsa-sha2-nistp256@openssh.com,rsa-sha2-512,rsa-sha2-256 / server: ssh-rsa)
    2022-07-28 13:24:41,143 DEBUG [http-nio-8085-exec-21] [SshProxy] Removing proxy user mapping: 582d287f-e4e1-4b2e-8960-763af8897a29
    2022-07-28 13:24:41,149 INFO [http-nio-8085-exec-21] [BitbucketServerServerConfigurator] Can't authenticate with Bitbucket Server despite successful public key storage: ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCl2rNy50dvEaB4NVvsPtF/qCgTwrBVfdFVmzIiccKwdyQy0nggTMt5uNBTKusNCbqw4Ow0zWVhfQCYlH8YEKsNoJpfiEsNhsW+R0Hi7b1o1qiSm6ZOi5y1d+dr34Au8A1rPd/bUA/oW7XC47AOR8yB650HcaRTYPt1tVCRVpTr9m+GNQcsV3y09r/ydi79k7bMThPz+Ff74V3HkHRb3HJmwTF0SqqeuwwactxKOUIhlkjDhYhfzhHOPBXvh3goHcmgiAsl+OEgrj3XQ99dihKmcvlkM8saVaVcjDO6ctMTp85GIYLcJnQYXZ2eCMdnNMGdSCO/RbJYo6R1ysWAh2v5 http://bamboo7l:8085
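The two failure messages above can be matched mechanically when triaging this issue. The following Python sketch is an added example, not Atlassian's code; the function names are hypothetical and the sample log is constructed from the ticket's messages with the client list abridged. It extracts the offered host key algorithms from either message and reports when the server side offers only ssh-rsa.

```python
import re

# Server-side message (Bamboo's embedded SSH proxy, seen in atlassian-bamboo.log).
SERVER_SIDE = re.compile(
    r"Unable to negotiate key exchange for server host key algorithms "
    r"\(client: (?P<client>\S+) / server: (?P<server>[^)\s]+)\)")
# Client-side message (OpenSSH, surfaced in the Bamboo UI).
CLIENT_SIDE = re.compile(
    r"no matching host key type found\. Their offer: (?P<server>[\w@.,-]+)")

def analyse(line):
    """Return a finding for a host key negotiation failure, or None."""
    m = SERVER_SIDE.search(line)
    client = m.group("client").split(",") if m else None
    m = m or CLIENT_SIDE.search(line)
    if m is None:
        return None
    server = m.group("server").split(",")
    return {
        "client_offer": client,  # None when only the client-side message is available
        "server_offer": server,
        # Algorithms both sides would accept; empty means negotiation must fail.
        "common": [a for a in server if client and a in client],
        # True when the server can only sign with RSA/SHA-1.
        "sha1_rsa_only": server == ["ssh-rsa"],
    }

def scan(log_text):
    """Analyse every line and keep only negotiation failures."""
    return [f for f in map(analyse, log_text.splitlines()) if f]

# Constructed sample: the ticket's messages with the client list abridged.
SAMPLE_LOG = """\
2022-07-28 13:24:41,141 WARN [ServerSessionImpl] IllegalStateException: Unable to negotiate key exchange for server host key algorithms (client: ssh-ed25519,ecdsa-sha2-nistp256,rsa-sha2-512,rsa-sha2-256 / server: ssh-rsa)
2022-07-28 13:24:41,143 DEBUG [SshProxy] Removing proxy user mapping: 582d287f-e4e1-4b2e-8960-763af8897a29
Unable to negotiate with 127.0.0.1 port 35937: no matching host key type found. Their offer: ssh-rsa
"""

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```
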
Workarounds
- Re-enable the disabled signing algorithm in OpenSSH 8.8 and newer by adding the following to the ~/.ssh/config file to allow the use of ssh-rsa (SHA-1) for host and user authentication against Bitbucket:

    Host 127.0.0.1
        HostkeyAlgorithms +ssh-rsa
        PubkeyAcceptedAlgorithms +ssh-rsa

- OR: upgrade Bamboo to 8.0.4 or later