Support recent SSH security settings

23 votes

I would like to be able to use the regular fetch/pull/push commands (i.e. all remote interaction commands) from within GK when the remotes are located on a (self-hosted) Gitlab server where SSH was hardened to state-of-the-art security standards. Excerpt from the sshd_config of the server in question:

...
HostKey /etc/ssh/ssh_host_ed25519_key
KexAlgorithms curve25519-sha256,curve25519-sha256@libssh.org
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com
Ciphers chacha20-poly1305@openssh.com
...

Weakening those settings is not an option.

Current Workaround: open a terminal (via ALT-T), then use the native git/ssh installation to perform fetch/push/pull.

Possible solutions
1) start using versions of libgit(2) / libssh(2) that support the above ciphers/hostkeys/algos (not sure if those already exist)
2) [preferred] add an "advanced option" to utilise a system-installed ssh/git client in place of the bundled libs for some or maybe all commands.

Under consideration Suggested by: Jonas Kaiser (16 Jun, '21) • Upvoted: 26 Jan • Comments: 5

Comments: 5

16 Jun, '21
freank
Absolute valid request.

It is quite puzzling to me why GK would actually entangle in a "home-brewed" own ssh implementation
rather than let the user (tech savvy coders! ;-) ) decide which ssh backend they want to use.

Please make this happen, focus on awesome branch features and leave ssh to the code-crunchers!
28 Jul, '21
Daniel Demus
This would also fix the certificate choice problem, when you use special hostnames for your repos to get ssh to select different user certificates for different repos as I requested in https://feedback.gitkraken.com/suggestions/191565/support-sshconfig-file
08 Nov, '21
Thomas Michiels
isn't there an option for using local SSH agent already?
it doesn't use this for integrations as far as i've noticed, but for the standard git pull/push it did seem to work for me using Pageant instead of specified ssh keys.
not sure if it is only the key manager or also the plink.exe part ofcourse.
https://prnt.sc/1yrqs2n
18 Nov, '21
Jonas Kaiser
local ssh agent wont really help here, afaik, since the agent only maintains a set of unlocked ssh keys, to avoid reentering your ssh key passphrase.

in particular, the agent is not a service interface to the system ssh installation and the bundled lib in GK is still processing the overall handshake (which will fail for the initially mentioned library insuffciencies)
13 Jan, '22
Niels Matthijs
https://support.beanstalkapp.com/article/1266-how-to-fix-fatal-error-couldnt-agree-a-host-key-algorithm

Beanstalk dropped support for SHA1 ... now all my projects are broken in GitKraken, which is a pretty big bummer. Reverting them to work over https:// is a pretty crappy solution, but at least it works for now. Please fix this guys, otherwise GitKraken becomes pointless for me.