bzr pull - no matching host key type found. Their offer: ssh-rsa

Asked by Arthur Borsboom

I use bzr to maintain an application called Xpad.
The following two commands don't work anymore.

# Checkout new branch
bzr branch lp:xpad

# Pull last changes into existing local branch
bzr pull

The error message is:

Unable to negotiate with 91.189.95.84 port 22: no matching host key type found. Their offer: ssh-rsa

I believe SHA1 has been deprecated/disabled in OpenSSH for security reasons (SHA1 is insecure).
I don't want to enable it, since it has been disabled for obvious reasons.

What is a good approach to continue maintaining this application?
Is there a known migration path to another platform?

Question information

Language: English
Status: Solved
For: Launchpad itself
Assignee: No assignee
Solved by: Arthur Borsboom

Colin Watson (cjwatson) said :
#1

I'm hoping we'll be able to get this working at some point in the next month or so (we've done some of the preliminary work in Twisted upstream, but it still needs a bit more, and then we need to backport all the changes into Launchpad's Twisted installation), but at present the only option is to re-enable SHA-1. You can use a Match block in ~/.ssh/config to do that just for bazaar.launchpad.net, which significantly limits the risk involved.

Arthur Borsboom (arthurborsboom) said :
#2

Hi Colin,

Thanks for the swift answer.

It is not the solution I hoped for, but hey, I am happy someone is working on it.
I have enabled the deprecated unsafe algorithm.

For other readers, I have edited the file '~/.ssh/config' and added the following portion to it.

Host bazaar.launchpad.net
    PubkeyAcceptedAlgorithms +ssh-rsa
    HostkeyAlgorithms +ssh-rsa

Please give me a heads up when I can undo this workaround.

Colin Watson (cjwatson) said :
#3

You can undo this workaround now - bazaar.launchpad.net now supports RSA SHA-2 signatures.

Arthur Borsboom (arthurborsboom) said :
#4

Hi Colin,

I have removed the workaround and bzr is still working.
Thanks for reporting back and the related work.

Cheers,
Arthur.
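
Added example (not part of the thread and not Launchpad's code): a Python check that lists every place an ssh client config re-enables ssh-rsa and whether that override is scoped to named hosts, which helps confirm the workaround from reply #2 stayed limited to bazaar.launchpad.net and find it again when it can be removed, as in replies #3 and #4. The sample config and the function name are constructed for illustration, and Include files are not followed.

```python
import re

# Options that control which signature algorithms the client accepts or offers.
# PubkeyAcceptedKeyTypes is the older name of PubkeyAcceptedAlgorithms.
WATCHED = {"hostkeyalgorithms", "pubkeyacceptedalgorithms", "pubkeyacceptedkeytypes"}

# Constructed sample: the scoped override from reply #2 plus a broad one.
SAMPLE_CONFIG = """\
Host bazaar.launchpad.net
    PubkeyAcceptedAlgorithms +ssh-rsa
    HostkeyAlgorithms +ssh-rsa

Host *
    HostKeyAlgorithms=+ssh-rsa,ssh-ed25519
    ServerAliveInterval 60
"""

def find_ssh_rsa_overrides(config_text):
    """Return (line_no, scope, keyword, broad) for each option that enables ssh-rsa."""
    findings = []
    scope, broad = "(global)", True  # options before any Host/Match apply to all hosts
    for line_no, raw in enumerate(config_text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        # ssh_config accepts both "Keyword value" and "Keyword=value".
        m = re.match(r"(\w+)\s*=?\s*(.*)", line)
        if not m:
            continue
        keyword, value = m.group(1).lower(), m.group(2).strip()
        if keyword in ("host", "match"):
            scope = f"{keyword} {value}"
            tokens = value.split()
            # Simplification: only "Host *" and "Match all" are treated as broad.
            broad = "*" in tokens if keyword == "host" else tokens[:1] == ["all"]
            continue
        if keyword in WATCHED and not value.startswith("-"):  # "-" removes algorithms
            algos = [a.strip() for a in value.lstrip("+^").split(",")]
            if "ssh-rsa" in algos:
                findings.append((line_no, scope, keyword, broad))
    return findings

if __name__ == "__main__":
    for line_no, scope, keyword, broad in find_ssh_rsa_overrides(SAMPLE_CONFIG):
        label = "BROAD" if broad else "scoped"
        print(f"line {line_no}: {keyword} enables ssh-rsa under '{scope}' [{label}]")
```

To audit a real file, pass the contents of `~/.ssh/config` to `find_ssh_rsa_overrides`; `ssh -G bazaar.launchpad.net` shows the effective values OpenSSH resolves for that host.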