Uploaded image for project: 'Bitbucket Data Center'
  1. Bitbucket Data Center
  2. BSERV-5472

Stash's SSH does not correctly support rekeying and fails clones with protocol error

XMLWordPrintable

      Rekeying is meant to happen after 1G of data transferred or 1 hour of connectivity. MINA 0.9.0 does not correctly handle rekeying. There is code that purports to support it but it fails in practice. Work has been done in more recent versions of MINA to both better support client-initiated rekeying (which the server cannot ignore) and to add basic support for server-initiated rekeying. We should upgrade.

      To reproduce, in ~/.ssh/config add the following and attempt to clone using SSH:

      Host stashhost
         LogLevel DEBUG3
         RekeyLimit 1K
      
      git clone ssh://git@stashhost:7999/stash/stash.git
      ...
      trace: built-in: git 'index-pack' '--stdin' '-v' '--fix-thin' '--keep=fetch-pack 68366 on baboomacbookpro.local'
      remote: Counting objects: 692305, done.
      debug1: need rekeyingbjects:   1% (2250/224972)
      debug1: SSH2_MSG_KEXINIT sent  2% (4500/224972)
      debug1: rekeying in progress
      debug1: rekeying in progress
      debug1: SSH2_MSG_KEXINIT received
      debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
      debug2: kex_parse_kexinit: ssh-rsa-cert-v01@openssh.com,ssh-rsa-cert-v00@openssh.com,ssh-rsa,ssh-dss-cert-v01@openssh.com,ssh-dss-cert-v00@openssh.com,ssh-dss
      debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-gcm@openssh.com,aes256-gcm@openssh.com,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se
      debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-gcm@openssh.com,aes256-gcm@openssh.com,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se
      debug2: kex_parse_kexinit: hmac-md5-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-ripemd160-etm@openssh.com,hmac-sha1-96-etm@openssh.com,hmac-md5-96-etm@openssh.com,hmac-md5,hmac-sha1,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
      debug2: kex_parse_kexinit: hmac-md5-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-ripemd160-etm@openssh.com,hmac-sha1-96-etm@openssh.com,hmac-md5-96-etm@openssh.com,hmac-md5,hmac-sha1,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
      debug2: kex_parse_kexinit: none,zlib@openssh.com,zlib
      debug2: kex_parse_kexinit: none,zlib@openssh.com,zlib
      debug2: kex_parse_kexinit:
      debug2: kex_parse_kexinit:
      debug2: kex_parse_kexinit: first_kex_follows 0
      debug2: kex_parse_kexinit: reserved 0
      debug2: kex_parse_kexinit: diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
      debug2: kex_parse_kexinit: ssh-rsa
      debug2: kex_parse_kexinit: aes128-ctr,aes128-cbc,3des-cbc,blowfish-cbc
      debug2: kex_parse_kexinit: aes128-ctr,aes128-cbc,3des-cbc,blowfish-cbc
      debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-md5-96,hmac-sha1-96
      debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-md5-96,hmac-sha1-96
      debug2: kex_parse_kexinit: none
      debug2: kex_parse_kexinit: none
      debug2: kex_parse_kexinit:
      debug2: kex_parse_kexinit:
      debug2: kex_parse_kexinit: first_kex_follows 0
      debug2: kex_parse_kexinit: reserved 0
      debug2: mac_setup: found hmac-md5
      debug1: kex: server->client aes128-ctr hmac-md5 none
      debug2: mac_setup: found hmac-md5
      debug1: kex: client->server aes128-ctr hmac-md5 none
      debug2: dh_gen_key: priv key bits set: 129/256
      debug2: bits set: 982/2048
      debug1: sending SSH2_MSG_KEXDH_INIT
      debug1: expecting SSH2_MSG_KEXDH_REPLY
      Disconnecting: Protocol error: expected packet type 31, got 94
      fatal: The remote end hung up unexpectedly
      fatal: early EOF
      fatal: recursion detected in die handler
      

      Workaround Git 1.8+:

      #find the highest N that will work
      git clone --depth N  ssh://git@stashhost:7999/stash/stash.git
      git fetch --unshallow
      

      Workaround for Git 1.7 and earlier:

      #find the highest N that will work
      git clone --depth N  ssh://git@stashhost:7999/stash/stash.git
      git fetch --depth=2147483647
      

              mstudman Michael Studman (Inactive)
              mstudman Michael Studman (Inactive)
              Votes:
              0 Vote for this issue
              Watchers:
              6 Start watching this issue

                Created:
                Updated:
                Resolved: