CC key issue

CodeCommit key issue

Things stopped working for some reason. There is some key issue.

Unable to negotiate with 52.94.204.165 port 22: no matching host key type found. Their offer: ssh-rsa
fatal: Could not read from remote repository.

Please make sure you have the correct access rights
and the repository exists.

# checking ~/.ssh/config
Host git-codecommit.*.amazonaws.com
    User <OBFUSCATED>
    IdentityFile ~/.ssh/codecommit_rsa
    
# Some further debugging
debug1: kex: algorithm: diffie-hellman-group-exchange-sha256
debug1: kex: host key algorithm: (no match)
Unable to negotiate with 52.95.20.253 port 22: no matching host key type found. Their offer: ssh-rsa

Checking the AWS console: this used to work for two endpoints, now it suddenly fails for both. Uploading the public key, getting a new user key while deleting the old one. Substituted the User in .ssh/config => still didn't work, same error. Checking docs, regenerating the key: ssh-keygen -t rsa -b 4096

Still doesn't work. Turns out ssh-rsa has been deemed insecure, and an Arch update of OpenSSH (8.8 disables the SHA-1 based ssh-rsa signature algorithm by default) changed the behavior, now refusing ssh-rsa. Regenerating the RSA key could not help: the key type is fine, it is the ssh-rsa signature algorithm (RSA with SHA-1) that CodeCommit's host key is limited to. I had to add HostKeyAlgorithms +ssh-rsa to the config file for the CodeCommit entry. Also needed PubkeyAcceptedKeyTypes +ssh-rsa to get CodeCommit back up and running.

Issue: Re-enabling ssh-rsa support is a security risk, and should only be done as a temporary measure/workaround while affected users switch to a key generated using a more secure algorithm.

Resolution: The recommended strategy to fully resolve this issue is to regenerate the deprecated keys using a supported and more secure algorithm such as ECDSA or ED25519.

Obviously CodeCommit has to support this new workflow to make that happen. The initial error message indicates that they don't: the "Their offer: ssh-rsa" in the error is the server's host key algorithm list, so it is CodeCommit's host key that only signs with SHA-1 at the moment, and switching the user key to ED25519 doesn't change that.

Another couple of hours down the drain, which raises the question: is awareness of such issues at an early stage worth running into them before they're solved and properly documented in the back-end? It might be for security's sake, but it's bad for productivity. Our CSO will have an opinion, our CFO will have another. Running stable or running on the edge, that's the question which still remains to be answered.


#############
# CodeCommit
#############

Host git-codecommit.*.amazonaws.com
    User <OBFUSCATED>
    IdentityFile ~/.ssh/codecommit_rsa
    # OpenSSH 8.8+ disables the SHA-1 based ssh-rsa signature algorithm by default;
    # CodeCommit's host key only offers ssh-rsa, so re-enable it for this Host only
    # (never globally) and drop both lines once the server offers rsa-sha2-*.
    HostKeyAlgorithms +ssh-rsa
    PubkeyAcceptedKeyTypes +ssh-rsa

And then:

ssh <OBFUSCATED>@git-codecommit.us-east-2.amazonaws.com
You have successfully authenticated over SSH. You can use Git to interact with AWS CodeCommit. Interactive shells are not supported.
Connection to git-codecommit.us-east-2.amazonaws.com closed by remote host.
Connection to git-codecommit.us-east-2.amazonaws.com closed.

How to check:

[mos@myth ~]$ # github, gitlab got things solved, bitbucket (still supports ssh-rsa), codecommit only supports ssh-rsa, causing a bad key exchange
[mos@myth ~]$ ssh -v git-codecommit.us-east-2.amazonaws.com
...
debug1: kex: algorithm: diffie-hellman-group-exchange-sha256
debug1: kex: host key algorithm: ssh-rsa
debug1: kex: server->client cipher: aes128-ctr MAC: hmac-sha2-256 compression: none
debug1: kex: client->server cipher: aes128-ctr MAC: hmac-sha2-256 compression: none
...
[mos@myth ~]$ ssh -v repo1.github.com
...
debug1: kex: algorithm: curve25519-sha256
debug1: kex: host key algorithm: rsa-sha2-512
debug1: kex: server->client cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none
debug1: kex: client->server cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none
...
ssh -v bitbucket.com
...
debug1: kex: algorithm: curve25519-sha256@libssh.org
debug1: kex: host key algorithm: (no match)
Unable to negotiate with 18.205.93.3 port 22: no matching host key type found. Their offer: ssh-rsa,ssh-dss
...
ssh -v gitlab.com
...
debug1: kex: algorithm: curve25519-sha256
debug1: kex: host key algorithm: ssh-ed25519
debug1: kex: server->client cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none
debug1: kex: client->server cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none
...
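To make the "how to check" step repeatable, here is an added example (my code, not from the original post) that parses the `ssh -v` debug lines of the kind shown above and reports whether a server negotiated a SHA-1 based host key algorithm, failed because it offers nothing else, or is fine. It also returns the two directives from the CodeCommit stanza for the failing case. The transcripts are constructed from the lines on this page, trimmed to what matters, and nothing here touches the network.

```python
"""Classify the host key negotiation in OpenSSH `ssh -v` output (added example)."""
import re

# Host key signature algorithms OpenSSH 8.8+ refuses by default:
# ssh-rsa is RSA with SHA-1, ssh-dss is DSA. rsa-sha2-256/512 (an RSA key
# signing with SHA-2, as GitHub negotiates above) is deliberately NOT in this set.
WEAK_HOSTKEY_ALGS = {"ssh-rsa", "ssh-dss"}

KEX_RE = re.compile(r"debug1: kex: algorithm: (\S+)")
HOSTKEY_RE = re.compile(r"debug1: kex: host key algorithm: (.+)$")
OFFER_RE = re.compile(
    r"Unable to negotiate with (\S+) port \d+: "
    r"no matching host key type found\. Their offer: (\S+)"
)


def classify(debug_output):
    """Summarise one `ssh -v` transcript.

    verdict is one of:
      ok              negotiated a host key algorithm outside WEAK_HOSTKEY_ALGS
      weak            negotiated ssh-rsa/ssh-dss, i.e. the client was told to
                      allow it (HostKeyAlgorithms +ssh-rsa is in effect)
      needs-override  negotiation failed and the server offers only weak algs
      failed          negotiation failed although the server offers stronger algs
      unknown         no host key lines in the input
    """
    info = {"kex": None, "hostkey": None, "offer": [], "peer": None,
            "verdict": "unknown"}
    for line in debug_output.splitlines():
        line = line.strip()
        if (m := KEX_RE.search(line)):
            info["kex"] = m.group(1)
        elif (m := HOSTKEY_RE.search(line)):
            alg = m.group(1).strip()
            info["hostkey"] = None if alg == "(no match)" else alg
        elif (m := OFFER_RE.search(line)):
            info["peer"] = m.group(1)
            info["offer"] = m.group(2).split(",")

    if info["hostkey"] is not None:
        info["verdict"] = "weak" if info["hostkey"] in WEAK_HOSTKEY_ALGS else "ok"
    elif info["offer"]:
        only_weak = set(info["offer"]) <= WEAK_HOSTKEY_ALGS
        info["verdict"] = "needs-override" if only_weak else "failed"
    return info


def ssh_config_directives(info):
    """Directives for the affected Host stanza only (never global); empty if none needed."""
    if info["verdict"] == "needs-override":
        return ["HostKeyAlgorithms +ssh-rsa", "PubkeyAcceptedKeyTypes +ssh-rsa"]
    return []


# Constructed transcripts, built from the debug lines quoted on this page.
CODECOMMIT_BEFORE = """\
debug1: kex: algorithm: diffie-hellman-group-exchange-sha256
debug1: kex: host key algorithm: (no match)
Unable to negotiate with 52.95.20.253 port 22: no matching host key type found. Their offer: ssh-rsa
"""
CODECOMMIT_AFTER = """\
debug1: kex: algorithm: diffie-hellman-group-exchange-sha256
debug1: kex: host key algorithm: ssh-rsa
debug1: kex: server->client cipher: aes128-ctr MAC: hmac-sha2-256 compression: none
"""
GITHUB = """\
debug1: kex: algorithm: curve25519-sha256
debug1: kex: host key algorithm: rsa-sha2-512
"""
BITBUCKET = """\
debug1: kex: algorithm: curve25519-sha256@libssh.org
debug1: kex: host key algorithm: (no match)
Unable to negotiate with 18.205.93.3 port 22: no matching host key type found. Their offer: ssh-rsa,ssh-dss
"""
GITLAB = """\
debug1: kex: algorithm: curve25519-sha256
debug1: kex: host key algorithm: ssh-ed25519
"""

if __name__ == "__main__":
    samples = [("codecommit (before)", CODECOMMIT_BEFORE),
               ("codecommit (after)", CODECOMMIT_AFTER),
               ("github", GITHUB), ("bitbucket", BITBUCKET), ("gitlab", GITLAB)]
    for name, transcript in samples:
        info = classify(transcript)
        print(f"{name:20} verdict={info['verdict']:15} hostkey={info['hostkey']} "
              f"offer={info['offer']}")
        for directive in ssh_config_directives(info):
            print("    ", directive)
```

Pipe a real run into it with `ssh -v host 2>&1 | python3 -c 'import sys, sshcheck; print(sshcheck.classify(sys.stdin.read()))'` (module name assumed). The GitHub case is the one worth noting: an RSA host key negotiating rsa-sha2-512 classifies as "ok", which is why regenerating a client RSA key does nothing for CodeCommit; the server side has to offer a SHA-2 signature.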