TeamCity seems unable to use RSA keys with new GitHub security
GitHub has engaged its 2nd phase of SSH protocol security, where they disable using SHA-1 with RSA keys. The OpenSSH client works OK with the RSA keys, but the org.jgit one inside TeamCity no longer works, getting:
Failed to collect changes, error: org.eclipse.jgit.errors.NoRemoteRepositoryException: git@github.com:Project/Repository.git: ERROR: You're using an RSA key with SHA-1, which is no longer allowed. Please use a newer client or a different key type.
How do I instruct TeamCity/JGit/JSch not to use SHA-1 and to use a supported hash instead?
I could possibly migrate to an Ed25519 key, but it is not supported by our Windows agents, and I would have to change all keys in TeamCity once more, meaning I would have two problems.
Is there a practical way to make TeamCity friends with SSH RSA keys for GitHub in 2022? For reference, I am on 2021.2.1.
Hi! I am afraid you will need to update the keys. TeamCity 2021.2.1 supports the Ed25519 system. Could you expand on how your Windows agents do not support it?
Hello!
GitHub still supports RSA with git, but not with TeamCity.
We have updated git on Windows agent but it still refuses to work with Ed25519 keys. I think it is solvable, but the pain of cycling all keys in TeamCity will still be there even if we fix it.
Regards,
The key you are using with git could use a different hash function than SHA-1, e.g. SHA-2. If that's the case, that would explain why it works. Could you verify that?
The key you use in TeamCity has the SHA-1 function and GitHub does not allow such keys anymore.
Hello!
ssh-keygen uses rsa-sha2-512 by default, so that's what the key expectedly had. But I will recheck that.
Regards,
Anatoly Cherenkov SSH keys don't contain SHA hashes at all. SHA is a hashing function used in the process of creating a digital signature. SSH RSA keys are nothing more than an RSA key formatted such that the SSH client can read them; they are not signed.
There is some confusion here because SSL certificates (X.509 certificates) do contain signatures, and so previously we all had to make sure our SSL certificates did not contain an SHA-1 hash. But this same issue doesn't exist for SSH because most of us don't use certificates with SSH.
What is a problem with SSH is that the authentication algorithm used by the SSH client uses SHA. Old SSH clients still try to authenticate themselves by signing an SHA-1 hash of a pre-determined challenge. This is what GitHub is rejecting.
In short: the SSH keys are fine; it's the SSH client used by TeamCity that is broken / outdated.
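The following is an added example, not code from the thread, TeamCity or JGit. It illustrates both the original error and the explanation above: an OpenSSH `ssh-rsa` public key line is decoded to show it carries only a type string, the exponent and the modulus, with no hash algorithm anywhere; the hash (SHA-1 for `ssh-rsa`, SHA-256/512 for `rsa-sha2-256`/`rsa-sha2-512`, the names from RFC 8332) is a property of the signature algorithm the client negotiates for the authentication signature. The key in the example is built from a toy modulus and is not a real key; the "server accepts" list is constructed to mirror the behaviour described in the thread (SHA-1 based `ssh-rsa` removed) and is not a captured GitHub configuration.

```python
import base64
import struct

# RSA signature-algorithm names used in SSH userauth and the hash each one
# applies to the challenge when the client signs it (RFC 4253, RFC 8332).
RSA_SIG_ALG_HASH = {
    "ssh-rsa": "SHA-1",
    "rsa-sha2-256": "SHA-256",
    "rsa-sha2-512": "SHA-512",
}


def _ssh_string(data):
    """RFC 4251 'string': 4-byte big-endian length followed by the bytes."""
    return struct.pack(">I", len(data)) + data


def _ssh_mpint(value):
    """RFC 4251 'mpint': big-endian two's complement; a leading 0x00 byte is
    added when the high bit is set so the positive number is not misread."""
    raw = value.to_bytes((value.bit_length() + 7) // 8, "big")
    if raw and raw[0] & 0x80:
        raw = b"\x00" + raw
    return _ssh_string(raw)


def build_rsa_pubkey_line(e, n, comment):
    """Produce an id_rsa.pub / authorized_keys style line for an RSA key."""
    blob = _ssh_string(b"ssh-rsa") + _ssh_mpint(e) + _ssh_mpint(n)
    return "ssh-rsa %s %s" % (base64.b64encode(blob).decode(), comment)


def parse_pubkey_line(line):
    """Decode the base64 blob of a public key line into its wire fields."""
    key_type, b64, *comment = line.split(maxsplit=2)
    blob = base64.b64decode(b64)
    fields, off = [], 0
    while off < len(blob):
        (length,) = struct.unpack(">I", blob[off:off + 4])
        off += 4
        fields.append(blob[off:off + length])
        off += length
    if fields[0] != key_type.encode():
        raise ValueError("key type outside the blob does not match the type inside")
    if key_type != "ssh-rsa":
        raise ValueError("not an RSA key: %s" % key_type)
    e = int.from_bytes(fields[1], "big")
    n = int.from_bytes(fields[2], "big")
    return {
        "type": key_type,
        "e": e,
        "n": n,
        "bits": n.bit_length(),
        "comment": comment[0] if comment else "",
        # There is no third field: nothing in the key names a hash function.
        "hash_in_key": None,
    }


def usable_rsa_sig_algs(client_offers, server_accepts):
    """RSA signature algorithms both sides support, in client preference order."""
    return [alg for alg in client_offers
            if alg in server_accepts and alg in RSA_SIG_ALG_HASH]


def diagnose(client_offers, server_accepts):
    """Explain, for one RSA key, whether authentication can succeed."""
    usable = usable_rsa_sig_algs(client_offers, server_accepts)
    if usable:
        return "OK: sign with %s (%s)" % (usable[0], RSA_SIG_ALG_HASH[usable[0]])
    return "REJECTED: no RSA signature algorithm in common (client offers %s)" % (
        ", ".join(client_offers))


if __name__ == "__main__":
    # Constructed toy key: e = 65537, 32-bit modulus with the high bit set.
    line = build_rsa_pubkey_line(65537, 0xDEADBEEF, "toy@example")
    print(line)
    print(parse_pubkey_line(line))
    # Constructed server policy mirroring the thread: SHA-1 'ssh-rsa' dropped.
    server = ["rsa-sha2-512", "rsa-sha2-256"]
    print("old client :", diagnose(["ssh-rsa"], server))
    print("new client :", diagnose(["rsa-sha2-512", "rsa-sha2-256", "ssh-rsa"], server))
```

The same key line yields "REJECTED" or "OK" depending only on which signature algorithm names the client can offer, which is the point of the reply above: rotating to a new RSA key changes nothing, while a client that implements `rsa-sha2-256`/`rsa-sha2-512` authenticates with the existing key. On a machine with OpenSSH installed, `ssh -Q sig` lists the signature algorithms that client offers.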
Hi, thanks for explaining the problem. If you are seeing this issue, please update TeamCity to the current version.