要約

Users may face a "no kex alg" error while performing git clone from RHEL/CentOS 5. 

環境

7.17.0

Client : RHEL/CentOS 5

診断

git clone ssh://git@host.docker.internal:8004/test/tda.git
Cloning into 'tda'...
no kex alg
fatal: Could not read from remote repository.

Please make sure you have the correct access rights
fatal: Could not read from remote repository.

Please make sure you have the correct access rights
and the repository exists.

原因

Currently, Bitbucket bundle with Apache SSHD 2.8+ which no longer supports SHA1-based key exchanges by default. However, there are some systems that still use these SHA1 algorithms like in this case.

ソリューション

The solution is to upgrade the Bitbucket to one of the latest versions or upgrade the RHEL5 to a higher release like RHEL6 +.

A new boolean property plugin.ssh.dhgex.allow-sha1 was implemented for the fixed versions (Bitbucket 7.20.0, 7.19.3, 7.17.5) . Setting this property to true allows the usage of the following DH SHA1 key exchange algorithms.

• diffie-hellman-group1-sha1
• diffie-hellman-group14-sha1
• diffie-hellman-group-exchange-sha1

The default value currently set to true in above versions so no need to explicitly set the value in the bitbucket.properties file. However, this default value will be changed to false in the Bitbucket version 8.0 major release but will still be configurable by Bitbucket Server admins. Furthermore, this property may be removed in future 8.x releases if the version of Apache SSHD used by then also fully removes these insecure algorithms.