GNU bug report logs - #77154
[PATCH 0/1] Update libssh2 and change crypto backend


Package: guix-patches;

Reported by: Christoph Buck <dev <at> icepic.de>

Date: Fri, 21 Mar 2025 15:29:02 UTC

Severity: normal

Tags: moreinfo, patch



Message #34 received at 77154 <at> debbugs.gnu.org (full text, mbox):

From: "Matthew Todd" <matthew <at> zerobitcoder.net>
To: 77154 <at> debbugs.gnu.org
Cc: Christoph Buck <dev <at> icepic.de>, Maxim Cournoyer <maxim.cournoyer <at> gmail.com>
Subject: RE: Guix issue 77154
Date: Sun, 27 Apr 2025 00:41:21 -0700

Hi Maxim,

> I believe this series may be obsolete; libgcrypt 1.11 (already packaged in Guix) appears to come with ed25519 support.
> ...
> Is the original issue resolved?
> ...
> Could you please report the exact issue you are having when using libgcrypt?

I don't think so.

I reran my tests: Guix on Debian foreign distro with channels.scm using git over SSH with SSH keys to Debian git server.

1. Full patch series: guix pull with libssh2 @ 1.11.1 compiled against libopenssl (3.0.8, latest one in guix): works.
2. First patch from patch series: guix pull with libssh2 @ 1.11.1 compiled against libgcrypt (1.11, latest one in guix): fails.
3. Guix baseline: guix pull with libssh2 @ 1.10.0 (latest one in guix) compiled against libgcrypt (1.11, latest one in guix): fails.

The client-side failure:
"guix pull: error: Git error: failed to start SSH session: Unable to exchange encryption keys"

And corresponding error message on the server:
"Apr 26 19:39:36 <hostname-redacted> sshd[1661214]: Unable to negotiate with <ip-and-port-redacted>: no matching host key type found. Their offer: ssh-rsa [preauth]"


I took another look at the libssh2 source code (https://github.com/libssh2/libssh2/blob/master/src/libgcrypt.h#L67), and the current master branch code (606c102, last commit 2 months ago) still disables support for ED25519 in libgcrypt.h:
"#define LIBSSH2_ED25519 0"



Note: the libssh2 GitHub issue linked upthread mentions that the SSH key needs to be in a PEM format. Mine was not for the tests above (or any previous emails). I looked into it more closely for this email, but could not figure out how to convert or make an ed25519 SSH key in PEM format using ssh-keygen.

Cheers,
Matthew Todd
matthew <at> zerobitcoder.net
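
A server-side triage sketch for the sshd message quoted in the e-mail above, added here as an example that is not part of the original message or of Guix or libssh2: it parses "Unable to negotiate" lines and counts, per peer, the failures where the client's host key offer contained only RSA types. The sample log lines, host name and addresses are constructed, and the function names are hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample lines in the format of the sshd message quoted above;
# the host name and addresses (RFC 5737 documentation range) are made up.
SAMPLE_LOG = """\
Apr 26 19:39:36 githost sshd[1661214]: Unable to negotiate with 192.0.2.10 port 40122: no matching host key type found. Their offer: ssh-rsa [preauth]
Apr 26 19:40:02 githost sshd[1661301]: Accepted publickey for git from 192.0.2.11 port 51514 ssh2: ED25519 SHA256:constructed
Apr 26 19:41:15 githost sshd[1661377]: Unable to negotiate with 192.0.2.10 port 40188: no matching host key type found. Their offer: ssh-rsa [preauth]
Apr 26 19:42:40 githost sshd[1661402]: Unable to negotiate with 192.0.2.12 port 33870: no matching host key type found. Their offer: rsa-sha2-512,rsa-sha2-256,ssh-rsa [preauth]
Apr 26 19:43:05 githost sshd[1661455]: Unable to negotiate with 192.0.2.13 port 60012: no matching key exchange method found. Their offer: diffie-hellman-group1-sha1 [preauth]
"""

# Matches sshd negotiation failures; the peer field is kept loose so that
# redacted values such as "<ip-and-port-redacted>" still parse.
NEGOTIATE_RE = re.compile(
    r"sshd\[\d+\]: Unable to negotiate with (?P<peer>.+?): "
    r"no matching (?P<what>.+?) found\. Their offer: (?P<offer>\S+)"
)

RSA_HOSTKEY_TYPES = {"ssh-rsa", "rsa-sha2-256", "rsa-sha2-512"}


def parse_failures(log_text):
    """Yield (peer, failed_category, offered_algorithms) for each failure line."""
    for line in log_text.splitlines():
        m = NEGOTIATE_RE.search(line)
        if m:
            peer = m.group("peer").split(" port ")[0]  # drop the source port
            yield peer, m.group("what"), m.group("offer").split(",")


def rsa_only_hostkey_clients(log_text):
    """Map peer -> number of host key failures whose offer was RSA types only."""
    counts = defaultdict(int)
    for peer, what, offer in parse_failures(log_text):
        if what == "host key type" and set(offer) <= RSA_HOSTKEY_TYPES:
            counts[peer] += 1
    return dict(counts)


if __name__ == "__main__":
    for peer, n in sorted(rsa_only_hostkey_clients(SAMPLE_LOG).items()):
        print(f"{peer}: {n} host key negotiation failure(s), RSA-only offer")
```

Peers reported here are clients that cannot verify a non-RSA host key, which is the situation the server log in the report shows.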




This bug report was last modified 50 days ago.
