Local Registry RSA key Problem

Hello,

I have set up a private local registry with which to share packages with some collaborators. When I set the registry up I had to create and add a new SSH key to my GitHub account because, according to the local registry documentation, you have to use one in the PEM format. I created the SSH key using the command (given in the docs)

ssh-keygen -t rsa -b 4096 -m PEM

I just tried to test my package (e.g. using MyPackage in a script) and I got the following error (note that my local registry has already been added on this PC; I can see it when I look in .julia/registries/)

ERROR: failed to clone from git@github.com:MyUserName/MyPackage.jl.git, error: GitError(Code:EEOF, Class:SSH, ERROR: You're using an RSA key with SHA-1, which is no longer allowed. Please use a newer client or a different key type.
Please see https://github.blog/2021-09-01-improving-git-protocol-security-github/ for more information.

Should I:

  • Try to reformat an existing key that is in the ed25519 format into PEM? The ssh-keygen manual entry mentions this.
  • Create a new key in the ed25519 format somewhere other than .ssh/ (to avoid overwriting existing keys) and add that to my GitHub account? Something like ssh-keygen -t ed25519 -b 4096 -m PEM

There is an issue with some suggestions on what you could do: https://github.com/JuliaLang/Pkg.jl/issues/3030

1 Like

export JULIA_PKG_USE_CLI_GIT=true appears to have fixed it for me. Thanks for pointing that out!

1 Like

I can expand on this.

  1. JULIA_PKG_USE_CLI_GIT is the preferred solution and documented in https://github.com/GunnarFarneback/LocalRegistry.jl/blob/master/docs/ssh_keys.md#2-using-an-external-git-binary-with-julias-package-manager. The main limitation is that it’s only available from Julia 1.7 and, obviously, requires an external git installation.
  2. ssh-keygen -t rsa -b 4096 -m PEM still generates a key which Julia Pkg can use with libgit2/libssh2. However, GitHub will not accept the key, but if you’re using it with other git services they may be more accepting.
  3. There is no other key type that can be used with existing Julia binary downloads through libgit2/libssh2. Although version 1.9.0 of libssh2 does support ECDSA keys, that requires a specific crypto backend, which is not the one Julia is built with.
  4. If you build Julia yourself, it should be possible to configure it so that libssh2 understands ECDSA keys.
  5. libssh2 master 1.10.0 contains support for ECDSA keys with the mbedtls backend, which Julia uses, assuming everything is built with the appropriate feature enabled. This may eventually make its way into Julia’s binary downloads. This will be available for Julia 1.8 and later (and is already available in Julia 1.8-beta1). You may want to set the environment variable SSH_KEY_PATH to point to your ECDSA key.
  6. If you do try to use a non-RSA key with Julia you will get repeatedly prompted for the key location. The first time this is because it indeed doesn’t know where the key is (unless you have told it with SSH_KEY_PATH and SSH_PUB_KEY_PATH) but all the following times it is because libssh2 hasn’t been built with support for reading the key. Yes, this is a very unhelpful behavior and you can only find out what’s going on by patching libssh2.
  7. See item 1. There’s a possibility that this option could be backported to a future 1.6.x release. This has been backported and will be available in Julia 1.6.6.

8 Likes

@GunnarFarneback, I cannot thank you enough for the deep dive on this issue. I was recently trying to perform Git tasks using LibGit2 as described here, and your thorough analysis of the issue was crucial in finding a solution. For other people, here is the setup that worked for me to use LibGit2.

(1) Create the SSH private–public key pair of type ECDSA by

ssh-keygen -t ecdsa -C "<your email address>"

This generates id_ecdsa (private key) and id_ecdsa.pub (public key) in the $HOME/.ssh/ directory.

(2) Let Julia know about the location of the created private and public keys by adding the following lines in $HOME/.julia/config/startup.jl:

ENV["SSH_PUB_KEY_PATH"] = joinpath(homedir(), ".ssh", "id_ecdsa.pub")
ENV["SSH_KEY_PATH"] = joinpath(homedir(), ".ssh", "id_ecdsa")

(3) Add the Git hosting service (like the public GitHub or your organization’s internal GitHub Enterprise) to $HOME/.ssh/known_hosts. For example, for the public GitHub, this can be done by

ssh-keyscan www.github.com >> $HOME/.ssh/known_hosts

After (1)–(3), I didn’t have to put

ENV["JULIA_PKG_USE_CLI_GIT"] = true

in $HOME/.julia/config/startup.jl anymore, because this line was needed for using the command-line Git rather than LibGit2. I think I initially put this line in order to use the package manager in the situation where LibGit2 didn’t work, but now I wanted to use LibGit2 outside the package manager, for which the line didn’t help.

I note that the setup described here would work only for Julia version ≥ 1.8, which uses libssh2 that supports ECDSA-type keys as pointed out in Item 5 of @GunnarFarneback’s analysis above.

2 Likes
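The three-step setup in the post above, combined with the key-type constraints from @GunnarFarneback's numbered analysis earlier in the thread, can be turned into a preflight check that tells you before the first clone whether Julia's bundled libgit2/libssh2 will be able to use a given key. This is an added example written for this thread; it is not code from the thread, from LocalRegistry.jl or from Julia. The function names, the constructed sample key lines and known_hosts entry (not real keys), the TEST-NET IP address and the encoding of "ECDSA needs Julia 1.8 or later" as a major.minor comparison are my assumptions; the known_hosts check only recognises plain (unhashed) entries.

```shell
#!/usr/bin/env bash
# Preflight check for using SSH keys with Julia's bundled libgit2/libssh2.
# Added example; function names and sample data are assumptions, not part of
# the thread, LocalRegistry.jl or Julia.
set -u

# Classify an OpenSSH public-key line by its leading key-type token.
# Prints: rsa | ecdsa | ed25519 | unknown
classify_pub_key() {
    case "$1" in
        ssh-rsa\ *)            echo rsa ;;
        ecdsa-sha2-nistp*\ *)  echo ecdsa ;;
        ssh-ed25519\ *)        echo ed25519 ;;
        *)                     echo unknown ;;
    esac
}

# Apply the constraints stated in the thread: RSA keys load but GitHub refuses
# the SHA-1 signatures the bundled libssh2 produces; ECDSA needs Julia >= 1.8
# (libssh2 1.10 with the mbedtls backend); ed25519 cannot be read at all.
# Args: key_type julia_major julia_minor
# Prints: ok | rsa-rejected-by-github | ecdsa-needs-julia-1.8 | unsupported
check_key_for_julia() {
    local kind=$1 major=$2 minor=$3
    case "$kind" in
        ecdsa)
            if [ "$major" -gt 1 ] || { [ "$major" -eq 1 ] && [ "$minor" -ge 8 ]; }; then
                echo ok
            else
                echo ecdsa-needs-julia-1.8
            fi ;;
        rsa) echo rsa-rejected-by-github ;;
        *)   echo unsupported ;;
    esac
}

# Emit the startup.jl lines from step (2) for a private key at $1 (its .pub
# sibling is assumed to sit beside it, as ssh-keygen writes it).
startup_lines() {
    printf 'ENV["SSH_PUB_KEY_PATH"] = "%s.pub"\n' "$1"
    printf 'ENV["SSH_KEY_PATH"] = "%s"\n' "$1"
}

# Step (3): report whether known_hosts ($1) has an entry for host $2.
# Only plain entries are recognised; hashed "|1|" lines are not matched.
# Prints: yes | no
known_host_present() {
    if grep -q -E "^$2[ ,]" "$1" 2>/dev/null; then echo yes; else echo no; fi
}

# Full preflight: key path, known_hosts path, host, Julia major, Julia minor.
# Prints one line per finding; returns 0 only when everything checks out.
preflight() {
    local key=$1 hosts=$2 host=$3 major=$4 minor=$5 kind verdict ok=0
    [ -r "$key.pub" ] || { echo "missing public key: $key.pub"; return 1; }
    kind=$(classify_pub_key "$(head -n 1 "$key.pub")")
    verdict=$(check_key_for_julia "$kind" "$major" "$minor")
    echo "key type: $kind -> $verdict"
    [ "$verdict" = ok ] || ok=1
    if [ "$(known_host_present "$hosts" "$host")" = no ]; then
        echo "no known_hosts entry for $host (run: ssh-keyscan $host >> $hosts)"
        ok=1
    fi
    echo "startup.jl lines:"; startup_lines "$key"
    return $ok
}

# Demo on constructed data (not real keys): returns the preflight status for
# a Julia version given as "$1 $2" (major minor).
demo() {
    local dir; dir=$(mktemp -d)
    printf 'ecdsa-sha2-nistp256 AAAAE2VjZHNh-CONSTRUCTED-NOT-A-REAL-KEY user@example\n' \
        > "$dir/id_ecdsa.pub"
    printf 'github.com,192.0.2.10 ssh-ed25519 AAAAC3-CONSTRUCTED-HOST-KEY\n' \
        > "$dir/known_hosts"
    preflight "$dir/id_ecdsa" "$dir/known_hosts" github.com "$1" "$2"
    local rc=$?
    rm -rf "$dir"
    return $rc
}
```

On a real machine, `preflight "$HOME/.ssh/id_ecdsa" "$HOME/.ssh/known_hosts" github.com 1 8` reproduces the three checks in the post; a non-zero exit points at the step that still needs doing (wrong key type for this Julia version, or a missing known_hosts entry), and the printed startup.jl lines are the ones to paste into step (2).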