"No kex alg" during Git client operations after Bitbucket Server and Data Center upgrade

お困りですか?

アトラシアン コミュニティをご利用ください。

コミュニティに質問


プラットフォームについて: サーバーと Data Center のみ。この記事は、サーバーおよび Data Center プラットフォームのアトラシアン製品にのみ適用されます。

要約


Bitbucket 7.17.0 includes a newer version of Apache SSHD. The newer version of SSHD has different defaults with the SHA1 keys being removed. Any SSH client that only uses SHA1 keys will fail with a "no kex alg" error. This has been seen on RedHat 5 systems where only SHA1 is default.


環境

Bitbucket 7.17.0

診断

Client git command sees error.

$ git pull
no kex alg
fatal: The remote end hung up unexpectedly


To check which key algorithms are being used on each system the ssh -Q kex can be used.

kex alg on RHEL5
| kex_algorithms (3)
| diffie-hellman-group-exchange-sha1
| diffie-hellman-group14-sha1
| diffie-hellman-group1-sha1
kex alg on the Bitbucket server
| kex_algorithms (9)
| ecdh-sha2-nistp521
| ecdh-sha2-nistp384
| ecdh-sha2-nistp256
| diffie-hellman-group-exchange-sha256
| diffie-hellman-group18-sha512
| diffie-hellman-group17-sha512
| diffie-hellman-group16-sha512
| diffie-hellman-group15-sha512
| diffie-hellman-group14-sha256

原因

Bitbucket 7.17.0 has its own SSHD based on Apache SSHD 2.7.0. Previous versions of Bitbucket were using Apache SSHD 2.4.0.

The SHA-1 key exchange was removed by default in Apache SSHD 2.6.0. This means that clients that only support SHA-1 keys will fail to negotiate an exchange algorithm.

ソリューション

To allow the older client and the SHA1 algorithms to be recognised you would need to explicitly allow SHA1 key exchange on the Bitbucket server.

Adding the SHA1 key to the /etc/ssh/sshd_config on the Bitbucket server will allow the SSHD to recognise the SHA1 keys. You will need to restart Bitbucket after the change for this to take effect.

KexAlgorithms +diffie-hellman-group1-sha1




最終更新日: 2022 年 2 月 16 日

この内容はお役に立ちましたか?

はい
いいえ
この記事についてのフィードバックを送信する
Powered by Confluence and Scroll Viewport.