unable to clone using SSH with RSA key pair

[ExpandingMan]

Hello, I was having a problem in the Julia libgit2 wrapper wherein I couldn't clone repos using the SSH protocol with a key pair. So, I installed pygit2 to see if I'd have the same problem and, lo and behold, it doesn't seem to be working.

I'm trying to clone with this script:

keypair = pygit2.Keypair("git", "id_emgitlab.pub", "id_emgitlab", "")
callbacks = pygit2.RemoteCallbacks(credentials=keypair)
pygit2.clone_repository(repo_url, "testrepo", callbacks=callbacks)

(repo_url is indeed the SSH link, not sure if it's still called a url).

It hangs for a really long time and then returns the following stack trace:

GitError                                  Traceback (most recent call last)
~/testpull.py in <module>()
      7 callbacks = pygit2.RemoteCallbacks(credentials=keypair)
      8 
----> 9 pygit2.clone_repository(repo_url, "testrepo", callbacks=callbacks)

/usr/lib/python3.7/site-packages/pygit2/__init__.py in clone_repository(url, path, bare, repository, remote, checkout_branch, callbacks)
    261         raise d['exception']
    262 
--> 263     check_error(err)
    264 
    265     return Repository._from_c(crepo[0], owned=True)

/usr/lib/python3.7/site-packages/pygit2/errors.py in check_error(err, io)
     62 
     63     # Generic Git error
---> 64     raise GitError(message)
     65 
     66 # Indicate that we want libgit2 to pretend a function was not set

GitError: Failed to authenticate SSH session: Unable to send userauth-publickey request

I've tried many different configurations of file permissions on the keys (though most of them not for the Python pull).

[cdalvaro]

Same issue with saltstack and gitfs over pygit2

Failed to authenticate SSH session: Unable to send userauth-publickey request
Traceback (most recent call last):
  File "/usr/lib/python3/dist-packages/salt/utils/gitfs.py", line 1703, in _fetch
    fetch_results = origin.fetch(**fetch_kwargs)
  File "/usr/local/lib/python3.6/dist-packages/pygit2/remote.py", line 405, in fetch
    check_error(err)
  File "/usr/local/lib/python3.6/dist-packages/pygit2/errors.py", line 64, in check_error
    raise GitError(message)
_pygit2.GitError: Failed to authenticate SSH session: Unable to send userauth-publickey request

salt --versions
Salt Version:
           Salt: 2018.3.3

Dependency Versions:
           cffi: 1.11.5
       cherrypy: Not Installed
       dateutil: Not Installed
      docker-py: Not Installed
          gitdb: 2.0.5
      gitpython: 2.1.11
          ioflo: Not Installed
         Jinja2: 2.10
        libgit2: 0.27.7
        libnacl: Not Installed
       M2Crypto: 0.30.1
           Mako: Not Installed
   msgpack-pure: Not Installed
 msgpack-python: 0.5.6
   mysql-python: Not Installed
      pycparser: 2.19
       pycrypto: 2.6.1
   pycryptodome: Not Installed
         pygit2: 0.27.2
         Python: 3.6.6 (default, Sep 12 2018, 18:26:19)
   python-gnupg: Not Installed
         PyYAML: 3.12
          PyZMQ: 16.0.2
           RAET: Not Installed
          smmap: 2.0.5
        timelib: Not Installed
        Tornado: 4.5.3
            ZMQ: 4.2.5

System Versions:
           dist: Ubuntu 18.04 bionic
         locale: ANSI_X3.4-1968
        machine: x86_64
        release: 4.9.93-linuxkit-aufs
         system: Linux
        version: Ubuntu 18.04 bionic

[cdalvaro]

Although I don't really know if it was the fix, the following actions solved my problem:

1. I create a new ssh key

ssh-keygen -f gitfs_ssh -C '[email protected]'

2. Then, I read that an empty line at the end of the private key could be fatal for libssh2, so I removed the empty lines at the bottom of the file (added by ssh-keygen at creation time) and then the new key began to work.

I hope this information can help you.

[woopstar]

Just an update. On MacOS the default format changed, so you need to pass the -m PEM option to ssh-keygen

[raddessi]

We're currently getting this same error, just from a slightly different location in the code. Same issue though, we are trying to clone a repo using an RSA key for our salt server. I have reproduced using only pygit2 though, and a major difference may be that we are using gerrit as the git backend.

Code

import pygit2

keypair = pygit2.Keypair(username="user", pubkey="/path/to/key.pub", privkey="/path/to/key", passphrase="")
callbacks = pygit2.RemoteCallbacks(credentials=keypair)
pygit2.clone_repository("ssh://user@gerrit-server/repo", "pygit2.git", callbacks=callbacks)

Traceback

Traceback (most recent call last):
  File "./test.py", line 8, in <module>
    pygit2.clone_repository("ssh://user@gerrit-server/repo", "pygit2.git", callbacks=callbacks)
  File "/XXX/lib/python3.6/site-packages/pygit2/__init__.py", line 263, in clone_repository
    check_error(err)
  File "/XXX/lib/python3.6/site-packages/pygit2/errors.py", line 64, in check_error
    raise GitError(message)
_pygit2.GitError: Failed to authenticate SSH session: Unable to send userauth-publickey request

I'm not sure how best to troubleshoot this yet, if you have any tips I would love to hear them.

EDIT: Sorry, I forgot to add the versions I'm running.

pygit2==0.28.2
libgit2-0.26.6-1.el7.x86_64
libssh2-1.4.3-12.el7_6.2.x86_64

I have tested with a few older versions of pygit2 (like 0.26.4) and they have failed as well just with different errors.

[javierbertoli]

Got hit by this issue today, trying to install a salt server with gitfs remotes on a freshly installed Debian Buster host.

Versions:

python3-pygit2                        0.27.4-1
libgit2-27:amd64                      0.27.7+dfsg.1-0.2
libssh2-1:amd64                       1.8.0-2.1

tried newer versions of all the packages, even older (one up, one down), same error.

Finally, comparing with a working salt server, found the only difference: in the working salt server, the ssh RSA key length was 2048 bits, while in the new one the key was 4096 bits.

Created a new 2048 bits RSA key, used it and all begun working correctly.

Hope this helps.

[jdavid]

These are libssh2 issues, not libgit2/pygit2. My advice is to use the latest version of libssh2: 1.9.0
The pygit2 Linux wheels include libgit2 with libssh2 1.9.0 statically linked.