Authentication issues through JSch


There are many issues with using JGit+JSch currently:

- https with authentication is not supported yet, which is a very common transport used by private repos. Git (the mainline binary) uses a "credential helper" as an authentication oracle.
- ssh authentication via JSch has low usability; some modern KEX methods are unsupported
- Esoteric .ssh/config options can break cloning because the underlying Java ssh library (JSch) misreads the .ssh/config file
- ed25519 identity keys are supported via ssh-agent, but not via ~/.ssh/config entries. JSch gets confused when there is an agent & ssh/config
- The terminal is not interactive in Clojure, so you cannot accept unseen public host keys - this is probably ok, but the user might not know what to do when it fails.

Porting gitlibs to shell out to git would help all of these issues, if it remains compatible with Windows support. (This is what Python and Go do: shell out.) It would also alleviate many transient issues that users report that do not have associated tickets.

Proposed Patch (API Compatible with tools.gitlibs)




Mike Fikes
January 2, 2019, 1:07 AM

Another reason to ditch JGit+JSch, if not yet already captured: JSch can't read the new OpenSSH key formats, which are now written by default on macOS.

Here is an example:

This creates a key with a header:

If instead you do

you will get a key with the usual header (and key format):

To illustrate that the latest JSch cannot read this new key type, note the invalid privatekey error when attempting to read "/tmp/foo":

Ryan McCuaig
June 25, 2019, 4:03 AM

There may be a related issue with macOS 10.15 as well. I'm running 10.15 beta 2, and tools.deps can't access my private `:git/url` libs.

I have an `id_rsa` generated under macOS 10.12 that can successfully pull private git deps under macOS 10.14 / of the clojure cli.

When I use that one with macOS 10.15b2, any `clojure` or `clj` command will die with an error building the classpath:

`org.eclipse.jgit.api.errors.TransportException: USERAUTH fail`

If I use an `id_rsa` generated under 10.15, the error is:

`org.eclipse.jgit.api.errors.TransportException: invalid privatekey: [B@3d3a1903`

I'm guessing this is going to start biting more of us Mac types come September and 10.15 release. My workaround is to just manually arrange `~/.gitlibs` to match my old 10.14 machine and pull / package in there with a bash script.

Ryan McCuaig
June 25, 2019, 4:05 AM

Oh, also the keys have passphrases, so I'm using an ssh-agent. `ssh-add -l` looks good and `SSH_AUTH_SOCK` is getting set in env.

Alex Miller
August 6, 2019, 1:51 PM

One thing I've seen is that (on Mac) I needed to modify the ~/.ssh/config file to remove the IdentityFile setting so it would just use the agent. So my config looks like:

Matthew Huebert
March 27, 2020, 1:22 PM

After setting up a brand new mac, I ran into this issue as well (invalid privatekey). I tried 's tip to remove IdentityFile from ~/.ssh/config, and that worked - I can resolve git deps again.
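
The two conditions reported in this thread (a private key written in the new OpenSSH format, and an `IdentityFile` entry in `~/.ssh/config` that points JSch at it) can be checked with a short script. This is an added example, not code from the ticket, tools.gitlibs or JSch; the function names `key_format`, `identity_files` and `audit` and the FLAG/PASS/CHECK labels are assumptions made for illustration.

```shell
#!/bin/sh
# Added diagnostic, not part of tools.gitlibs or JSch.

# key_format FILE -> openssh-new | pem-legacy | other (judged by header line)
key_format() {
    header=$(head -n 1 "$1" 2>/dev/null | tr -d '\r')
    case $header in
        "-----BEGIN OPENSSH PRIVATE KEY-----") echo openssh-new ;;
        "-----BEGIN RSA PRIVATE KEY-----" | \
        "-----BEGIN DSA PRIVATE KEY-----" | \
        "-----BEGIN EC PRIVATE KEY-----")      echo pem-legacy ;;
        *)                                     echo other ;;
    esac
}

# identity_files CONFIG -> one IdentityFile path per line, "~/" expanded.
# ssh_config keywords are case-insensitive and may be followed by "=".
identity_files() {
    sed -n 's/^[[:space:]]*[Ii][Dd][Ee][Nn][Tt][Ii][Tt][Yy][Ff][Ii][Ll][Ee][[:space:]=]\{1,\}//p' "$1" |
    while IFS= read -r path; do
        # drop trailing whitespace, then surrounding double quotes
        path=$(printf '%s\n' "$path" | sed 's/[[:space:]]*$//; s/^"\(.*\)"$/\1/')
        case $path in
            "~/"*) path=$HOME/${path#"~/"} ;;
        esac
        printf '%s\n' "$path"
    done
}

# audit CONFIG -> "<label> <format> <path>" for every configured key.
#   FLAG  = new OpenSSH format, reported above as "invalid privatekey" in JSch
#   PASS  = legacy PEM header
#   CHECK = missing file or unrecognised header
audit() {
    identity_files "$1" | while IFS= read -r key; do
        fmt=$(key_format "$key")
        case $fmt in
            openssh-new) label=FLAG ;;
            pem-legacy)  label=PASS ;;
            *)           label=CHECK ;;
        esac
        printf '%s %s %s\n' "$label" "$fmt" "$key"
    done
}

# Run the audit only when a config path is given as the first argument.
if [ -n "${1:-}" ]; then audit "$1"; fi
```

Saved under any file name, it is run as `sh audit.sh ~/.ssh/config`. PASS only means the header is not the new format; it says nothing about other failures such as `USERAUTH fail`.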



Alex Miller


Ghadi Shayban