Issue while cloning git repository from business-central console using ssh protocol.
Environment
- Red Hat JBoss BPM Suite
  - 6.2.x
  - 6.3.x
  - 6.4.x
- Red Hat JBoss BRMS
  - 6.2.x
  - 6.3.x
  - 6.4.x
Issue
Some systems no longer use ssh-dss by default, which results in errors such as:
Client side:
[lazarotti@mackoy-note git-test]$ git clone ssh://lazarotti@localhost:8001/gss-repo
Cloning into 'gss-repo'...
Unable to negotiate with 127.0.0.1: no matching host key type found. Their offer: ssh-dss
fatal: Could not read from remote repository.
Server side:
WARN [org.apache.sshd.server.session.ServerSession] (sshd-SshServer[847507d]-nio2-thread-2) Exception caught: java.lang.IllegalStateException: Unable to negotiate key exchange for server host key algorithms (client: ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521-cert-v01@openssh.com,ssh-ed25519-cert-v01@openssh.com,ssh-rsa-cert-v01@openssh.com,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-ed25519,ssh-rsa / server: ssh-dss)
at org.apache.sshd.common.session.AbstractSession.negotiate(AbstractSession.java:1109) [sshd-core-0.12.0.jar:0.12.0]
at org.apache.sshd.common.session.AbstractSession.doHandleMessage(AbstractSession.java:357) [sshd-core-0.12.0.jar:0.12.0]
at org.apache.sshd.common.session.AbstractSession.handleMessage(AbstractSession.java:295) [sshd-core-0.12.0.jar:0.12.0]
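To confirm that a failed clone is this host-key mismatch and not an authentication problem, the server-side WARN line can be parsed for the two algorithm lists. The script below is an added example, not part of the Red Hat article or product; the function names are hypothetical, and the sample line is the article's log line with the thread name dropped and the client list shortened.

```shell
#!/bin/sh
# Added example: triage the sshd-core WARN line shown above (hypothetical function names).

# Constructed sample: the article's server-side line, shortened.
SAMPLE_LINE='WARN [org.apache.sshd.server.session.ServerSession] Exception caught: java.lang.IllegalStateException: Unable to negotiate key exchange for server host key algorithms (client: ecdsa-sha2-nistp256,ssh-ed25519,ssh-rsa / server: ssh-dss)'

# Print the comma-separated algorithm list of one side ($1 = client | server).
hostkey_algs() {
    case $1 in
        client) printf '%s\n' "$2" | sed -n 's|.*(client: \([^ ]*\) / server: [^)]*).*|\1|p' ;;
        server) printf '%s\n' "$2" | sed -n 's|.*(client: [^ ]* / server: \([^)]*\)).*|\1|p' ;;
    esac
}

# Print each server-offered algorithm that the client also accepts.
common_algs() {
    c_list=$(hostkey_algs client "$1")
    s_list=$(hostkey_algs server "$1")
    for alg in $(printf '%s' "$s_list" | tr ',' ' '); do
        case ",$c_list," in
            *",$alg,"*) printf '%s\n' "$alg" ;;
        esac
    done
}

# Classify one log line for triage.
classify_line() {
    offered=$(hostkey_algs server "$1")
    if [ -z "$offered" ]; then
        echo "not-a-hostkey-negotiation-failure"
    elif [ -n "$(common_algs "$1")" ]; then
        echo "overlap-exists"
    elif [ "$offered" = "ssh-dss" ]; then
        echo "server-offers-only-ssh-dss"
    else
        echo "no-common-hostkey-algorithm"
    fi
}

# Count DSA-only negotiation failures in a log read from stdin.
count_dss_only() {
    n=0
    while IFS= read -r l; do
        if [ "$(classify_line "$l")" = "server-offers-only-ssh-dss" ]; then n=$((n + 1)); fi
    done
    echo "$n"
}

classify_line "$SAMPLE_LINE"
```

Piping a server log into `count_dss_only` shows how many connection attempts failed because the server offered only a DSA host key.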
Resolution
BxMS 6.2.x
Users of BPM Suite / BRMS 6.2 are required to change the client side configuration to enforce the usage of ssh-dss:
- Alter the configuration of the ssh client to accept that security configuration:
ssh -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no -o PreferredAuthentications=password -oHostKeyAlgorithms=+ssh-dss -l admin -p 8101 localhost
or:
- Create a config file under the ~/.ssh/ directory for a global configuration:
Host localhost
VerifyHostKeyDNS no
StrictHostKeyChecking no
HostKeyAlgorithms +ssh-dss
UserKnownHostsFile /dev/null
On Windows, this ssh configuration can be updated in <installPath>\Git\etc\ssh\ssh_config
BxMS 6.3.x and later
Users of BPM Suite / BRMS 6.3 and later versions can still use the client side approach outlined above, but could alternatively change the server side configuration to force the usage of RSA:
- Follow the instructions from this KBase article on how to register the BouncyCastle security provider in the JRE. Note that installing the library as a module should not be necessary.
- Force the usage of RSA by adding the following system property to the server configuration:
<system-properties>
<property name="org.uberfire.nio.git.ssh.algorithm" value="RSA"/>
</system-properties>
- Remove the .security/hostkey.ser file, which can be found in the folder where BxMS was started from.
Root Cause
This is an issue with BPMS 6.2 which is tracked in Bugzilla as BZ-1294690.