Git SSH client throws "No suitable primes found - failing" error


Platform notice: Server and Data Center only. This article only applies to Atlassian products on the Server and Data Center platforms.

Support for Server* products ended on February 15th 2024. If you are running a Server product, you can visit the Atlassian Server end of support announcement to review your migration options.

*Except Fisheye and Crucible

Summary

When a Git client runs an SSH operation (clone/pull/push) against an on-premise Bitbucket instance, the following ERROR entry, reporting "No suitable primes found", is written to the Bitbucket application logs:

2021-xx-xx 08:xx:xx,xxx ERROR [sshd-DrainableSshServer[14399425](port=7999)-nio2-thread-6]  o.apache.sshd.server.kex.DHGEXServer chooseDH(DHGEXServer[diffie-hellman-group-exchange-sha256])[ServerSessionImpl[null@/xx.xx.xx.xx:59706]][prf=1024, min=1024, max=1024] No suitable primes found - failing

At the same time, the following message may appear in the verbose output of the Git SSH client:

SSH_MSG_DISCONNECT:3 No suitable primes found for DH group exchange

Environment

Bitbucket 7.17 or higher

Cause

Bitbucket 7.17+ uses a newer version of Apache SSHD (2.7) than older Bitbucket versions. With this version of SSHD, the default minimum key size (more specifically, the minimum modulus size of diffie-hellman-group-exchange-sha256) was increased from 1024 to 2048 bits (SSHD-1136). Consequently, Git SSH clients using SSH keys generated with a size smaller than the new default will encounter the error described above.

Workaround

The workaround is to override the new default (setting it back to 1024) as detailed below, but we highly recommend encouraging Bitbucket users to fix their clients to use more secure key sizes.

Please consider this a temporary measure while affected users switch to a more secure key size.

To set the minimum key size back to 1024 bits through a JVM argument, follow these steps:

Note: This needs to be done on each cluster node of a Bitbucket DC instance.

  • Edit the <BITBUCKET_INSTALL>/bin/_start-webapp.sh file
  • Update the JVM_SUPPORT_RECOMMENDED_ARGS variable and add the JVM argument "-Dorg.apache.sshd.minDHGexKeySize=1024". Sample below:

    # Occasionally Atlassian Support may recommend that you set some specific JVM arguments.  You can use this
    # variable to do that. Simply uncomment the below line and add any required arguments. Note however, if this
    # environment variable has been set in the environment of the user running this script, uncommenting the below
    # will override that.
    #
    JVM_SUPPORT_RECOMMENDED_ARGS="<Any existing JVM arguments> -Dorg.apache.sshd.minDHGexKeySize=1024"
  • Restart Bitbucket to apply the changes.
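
Because the override is meant to be temporary, it helps to know which clients are producing the error so their owners can be contacted. The following is an added example, not Atlassian's code: it summarises the DHGEXServer log entry shown in the summary per client address. The sample lines are constructed in that format with documentation-range addresses, and the prf/min/max fields are assumed to be the preferred, minimum and maximum group sizes the client requested.

```python
import re

NEW_DEFAULT_MIN_BITS = 2048  # SSHD 2.7 default minimum, per the Cause section

# Matches the DHGEXServer failure entry. The address group is greedy, so an
# IPv6 peer is still split from its port at the last colon.
FAILURE = re.compile(
    r"^(?P<ts>\S+ \S+) ERROR .*DHGEXServer chooseDH\(.*?\)"
    r"\[ServerSessionImpl\[[^@\]]*@/(?P<addr>[^\]]+):(?P<port>\d+)\]\]"
    r"\[prf=(?P<prf>\d+), min=(?P<min>\d+), max=(?P<max>\d+)\] "
    r"No suitable primes found"
)


def failing_clients(lines, minimum=NEW_DEFAULT_MIN_BITS):
    """Summarise DH group exchange failures per client address."""
    clients = {}
    for line in lines:
        m = FAILURE.match(line)
        if m is None:
            continue  # unrelated log entry
        c = clients.setdefault(m["addr"], {"failures": 0, "max_bits": 0})
        c["failures"] += 1
        c["max_bits"] = max(c["max_bits"], int(m["max"]))
        c["last_seen"] = m["ts"]
        # Assumption: max is the largest size the client offered. If it is
        # under the minimum, the client must change before the override
        # can be removed.
        c["below_minimum"] = c["max_bits"] < minimum
    return clients


# Constructed sample lines (made-up timestamps, documentation addresses).
_PREFIX = ("ERROR [sshd-DrainableSshServer[14399425](port=7999)-nio2-thread-6]  "
           "o.apache.sshd.server.kex.DHGEXServer chooseDH(DHGEXServer"
           "[diffie-hellman-group-exchange-sha256])")
_SUFFIX = "[prf=1024, min=1024, max=1024] No suitable primes found - failing"
SAMPLE_LOG = [
    f"2021-03-01 08:15:02,114 {_PREFIX}[ServerSessionImpl[null@/192.0.2.10:59706]]{_SUFFIX}",
    "2021-03-01 08:15:40,002 INFO  [http-nio-7990-exec-3]  constructed unrelated entry",
    f"2021-03-01 08:47:19,873 {_PREFIX}[ServerSessionImpl[null@/2001:db8:0:0:0:0:0:5:40112]]{_SUFFIX}",
    f"2021-03-01 09:02:11,530 {_PREFIX}[ServerSessionImpl[null@/192.0.2.10:59811]]{_SUFFIX}",
]

if __name__ == "__main__":
    for addr, info in sorted(failing_clients(SAMPLE_LOG).items()):
        print(addr, info)
```

Once the override is in place these entries should stop appearing, so run the summary over logs collected before the change.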





Last modified on Mar 1, 2022
