要約

Bitbucket 7.17.0 includes a newer version of Apache SSHD. The newer version of SSHD has different defaults with the SHA1 keys being removed. Any SSH client that only uses SHA1 keys will fail with a "no kex alg" error. This has been seen on RedHat 5 systems where only SHA1 is default.

環境

Bitbucket 7.17.0

診断

Client git command sees error.

$ git pull
no kex alg
fatal: The remote end hung up unexpectedly

To check which key algorithms are being used on each system the ssh -Q kex can be used.

| kex_algorithms (3)
| diffie-hellman-group-exchange-sha1
| diffie-hellman-group14-sha1
| diffie-hellman-group1-sha1

| kex_algorithms (9)
| ecdh-sha2-nistp521
| ecdh-sha2-nistp384
| ecdh-sha2-nistp256
| diffie-hellman-group-exchange-sha256
| diffie-hellman-group18-sha512
| diffie-hellman-group17-sha512
| diffie-hellman-group16-sha512
| diffie-hellman-group15-sha512
| diffie-hellman-group14-sha256

原因

Bitbucket 7.17.0 has its own SSHD based on Apache SSHD 2.7.0. Previous versions of Bitbucket were using Apache SSHD 2.4.0.

The SHA-1 key exchange was removed by default in Apache SSHD 2.6.0. This means that clients that only support SHA-1 keys will fail to negotiate an exchange algorithm.

ソリューション

To allow the older client and the SHA1 algorithms to be recognised you would need to explicitly allow SHA1 key exchange on the Bitbucket server.

Adding the SHA1 key to the /etc/ssh/sshd_config on the Bitbucket server will allow the SSHD to recognise the SHA1 keys. You will need to restart Bitbucket after the change for this to take effect.

KexAlgorithms +diffie-hellman-group1-sha1