Describe the bug

Spring Cloud Config uses JGit in version 5.1.3. This version of JGit only accepts dsa/rsa ciphers (at least this is what my code analysis points to, in class JschConfigSessionFactory). However, from Fedora 33 onwards rsa ciphers are disabled by default regardless of key size.

As a result it is not possible to use Spring Cloud Config with public-key security on a vanilla Fedora system starting from version 33.

JGit 5.1.3 is used in all recent spring-cloud-config versions up to and including 3.0.3. Starting with JGit version 5.1.8 Jsch seems to be replaced by an alternative. Unfortunately, as CloudConfig directly accesses Jsch classes, I cannot test whether replacing JGit 5.1.3 with a current version would solve the issue; yet even if it doesn't, I think it would be wise to update an almost 3-year-old library doing something related to security.

Comment From: spencergibb

we could potentially upgrade to https://search.maven.org/artifact/org.eclipse.jgit/org.eclipse.jgit/5.11.1.202105131744-r/jar in 2021.0.0 later this year

as far as jsch, looks like it's still available https://wiki.eclipse.org/JGit/New_and_Noteworthy/5.8#New_Bundles

everything at least compiles with the new version

Comment From: drachenpalme

Hi,

thanks to your hint (Jsch is still used, but only via indirection) I was able to fake an update to JGit 5.11 (I explicitly overruled the relevant dependencies). This does not solve my issue, as the underlying JSch is still in version 0.1.54 (which is the same as is used in JGit 5.1.3 and therefore requires either rsa or dsa).

So, my issue remains: even with a current JGit it is not possible to access a git repository via pubkey from a Fedora 33 system. I guess this can be seen as well in current CentOS (or will be seen there shortly). An update of JGit will not resolve this.

Comment From: drachenpalme

After some more digging, it becomes clear that not JGit but JSch is the issue. Current versions of JGit allow for the use of Apache MINA instead of JSch, which allows for a wider variety of key types. We have tried today to force JSch to use ecdsa keys. Interestingly enough there seems to be support built in, but it is somewhat sloppy/broken. For JSch to accept an ecdsa cipher you have to name the containing file id_rsa(.pub), for example. Even then, we could not achieve a successful connect, and even with deep debugging we got no pointer to what the issue really is. My understanding is that, the way CloudConfig is currently implemented, this is not a drop-in replacement, as CloudConfig directly accesses JSch. On the other hand, I found some info in the documentation which explicitly states that CloudConfig only works with dsa/rsa keys. So, probably tough luck on my side.

Comment From: spencergibb

See #1901 for mina support

Comment From: hpoettker

An alternative solution to supporting a different ssh library would be to switch to an actively maintained fork of jsch like mwiede/jsch. As the fork aims to be a drop-in replacement, users may also try the workaround of just exchanging the transitive dependency.

See also the discussion here: https://github.com/spring-projects/spring-integration/issues/3572
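An added illustration of the transitive-dependency swap suggested above (not code from this thread or from the Spring Cloud project): a Maven `pom.xml` fragment that excludes the original `com.jcraft:jsch` pulled in through JGit and adds the `com.github.mwiede:jsch` fork in its place. The groupId/artifactId coordinates are the real published ones; the fork version is a placeholder to fill in, and it is assumed the fork keeps the `com.jcraft.jsch` package names so that JGit's and Spring Cloud Config's direct references resolve unchanged.

```xml
<!-- Added example, not part of the issue thread: replace the transitive JSch
     (com.jcraft:jsch 0.1.54, which only offers ssh-rsa/ssh-dss) with the
     maintained mwiede fork, which targets being a drop-in replacement. -->
<dependencies>
  <dependency>
    <groupId>org.springframework.cloud</groupId>
    <artifactId>spring-cloud-config-server</artifactId>
    <exclusions>
      <!-- Exclusions on a direct dependency also apply to what it pulls in
           transitively, so this removes the JSch that JGit depends on. -->
      <exclusion>
        <groupId>com.jcraft</groupId>
        <artifactId>jsch</artifactId>
      </exclusion>
    </exclusions>
  </dependency>

  <!-- Assumption: the fork ships the same com.jcraft.jsch classes, so
       JschConfigSessionFactory and JGit load it without code changes. -->
  <dependency>
    <groupId>com.github.mwiede</groupId>
    <artifactId>jsch</artifactId>
    <version>FORK_VERSION_PLACEHOLDER</version>
  </dependency>
</dependencies>
```

Check the result with `mvn dependency:tree -Dincludes=com.jcraft,com.github.mwiede`: only the fork should appear, and if `com.jcraft:jsch` is still listed, another dependency is pulling it in and needs the same exclusion.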