Hi Guix!

I hope you have a good day!
The other day I ran into a problem as I was pulling a Guix channel from
my private SSH server secured by pubkey authentication.

The channel file looks like this:

 > (channel
 >   (name 'grimbard)
 >   (url "ssh://t...@xx.xxxx.xx:2222/srv/ssh/guix/grimbard.git")))

Pulling this channel via `guix pull -C channel-file.scm` results in the
following error on the client side:

> $ guix pull -C ~/channels.scm
> Updating channel 'grimbard' from Git repository at 
> 'ssh://t...@xx.xxxx.xx:2222/srv/ssh/guix/grimbard.git'...
> guix pull: error: Git error: failed to start SSH session: Unable to exchange 
> encryption keys

And the following error on the server side:

> Unable to negotiate with x.x.x.x port 34589: no matching host key type found. 
> Their offer: ssh-rsa [preauth]

Googling around, I found the excellent post from Matthew on the help-guix
mailing list [1], which led me to a possible solution for the problem.

As Matthew already described in his post, this error is most likely due
to the fact that libssh2 is compiled with the libgcrypt crypto backend,
which causes it to disable certain host key types and leaves only the
deprecated "ssh-rsa" option available to libgit2. Unfortunately,
enabling "ssh-rsa" keys explicitly on the server side via
`PubkeyAcceptedKeyTypes` as a workaround does not work.

To fix this problem I bumped the libssh2 version number from 1.10.0 to
1.11.1 and changed the crypto backend (as suggested by Matthew) to
openssl (see the attached patch).

Building in a fresh container environment:

> ./pre-inst-env guix describe
> Git checkout:
>   repository: /home/icepic/guix/src/guix/
>   branch: master
>   commit: 98f29906912d03d499c48b0bd0a1aa384ea23fb2
> ./bootstrap && ./configure --localstatedir=/var
> make clean-go
> make
> ./pre-inst-env guix build guix
> [...]
> successfully built 
> /gnu/store/x2m0q1f17vg63z93khv8icncshg7s7hq-guix-1.4.0-34.5058b40.drv
> /gnu/store/pn67qhlg0qqs945p5m1ssqacx35g5hj5-guix-1.4.0-34.5058b40

and then installing the guix command in a temporary profile does indeed
fix the problem:

> guix package --profile=/tmp/libssh2 --install 
> /gnu/store/pn67qhlg0qqs945p5m1ssqacx35g5hj5-guix-1.4.0-34.5058b40
> /tmp/libssh2/bin/guix pull -C ~/channels.scm
> Updating channel 'grimbard' from Git repository at xxxx

Server side:
> Accepted publickey for test from x.x.x.x port 50052 ssh2: RSA 
> SHA256:xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

Is this a viable patch? Obviously this causes an additional dependency
for Guix, but as far as I can tell from stracing, guix was dependent on
openssl anyway.

A small problem, which Matthew already mentioned, is that the tests for
libssh2-1.11.1 are currently failing (therefore the appended patch
disables the tests for now). From what I saw, this is due to the fact that
the tests pull in Docker in order to simulate an SSH connection. If we want
to go forward with this solution, I would look into it and create a merge
request on debbugs.

Looking forward to feedback!

Best regards

Christoph 

[1] 
https://yhetil.org/guix-user/0b9479a3-abd7-4ccf-a8e7-214b34d83...@app.fastmail.com/

PS: @Matthew: I added you to the CC of this mail to keep you in the
loop. Unfortunately I was too stupid to reply to your original mail,
therefore I created a new thread!

-- 
Best regards

Christoph Buck <d...@icepic.de>

GnuPG key: https://web.icepic.de/public_key.txt
FingerPrint: B43F 4D2B 2017 E715 36C0  03C6 B8BB BCDE CD00 3305

From 6e0ae2fb5c184b02c054ea0822abeb87f85b0864 Mon Sep 17 00:00:00 2001
Message-ID: <6e0ae2fb5c184b02c054ea0822abeb87f85b0864.1741969386.git....@icepic.de>
From: Christoph Buck <d...@icepic.de>
Date: Fri, 14 Mar 2025 17:21:20 +0100
Subject: [PATCH] Update libssh2 to version 1.11.1 and change crypto backend

Change-Id: I1571c4d4a9a78af8009d4e5c2ed26d22aa7be77f
---
 gnu/packages/ssh.scm | 11 ++++++-----
 1 file changed, 6 insertions(+), 5 deletions(-)

diff --git a/gnu/packages/ssh.scm b/gnu/packages/ssh.scm
index fecb3a2559..ec3bec561c 100644
--- a/gnu/packages/ssh.scm
+++ b/gnu/packages/ssh.scm
@@ -181,7 +181,7 @@ (define-public libssh
 (define-public libssh2
   (package
    (name "libssh2")
-   (version "1.10.0")
+   (version "1.11.1")
    (source (origin
             (method url-fetch)
             (uri (string-append
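Review bot: the version bump at `-   (version "1.10.0")` / `+   (version "1.11.1")` is bundled in one commit with the crypto-backend switch and the test disablement that follow; Guix convention is one logical change per commit with a ChangeLog-style message (e.g. `gnu: libssh2: Update to 1.11.1.` followed by `* gnu/packages/ssh.scm (libssh2): Update to 1.11.1.`), so the subject `Update libssh2 to version 1.11.1 and change crypto backend` should become an update commit and a separate backend commit. Because libssh2 sits below libgit2 and guix itself, run `guix refresh -l libssh2` to count the dependents this rebuilds before deciding whether the change belongs on master or on a feature branch.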
@@ -189,14 +189,15 @@ (define-public libssh2
                    version ".tar.gz"))
             (sha256
              (base32
-              "0l8xwhhscvss7q007vpbkbv7jh9s43579rx2sf8lnfgd7l7yjr1d"))))
+              "1xsqysmrq40gdfjndd1yrcvwic16kn4jrzir6pn8xfadwg5pdv6r"))))
    (build-system gnu-build-system)
    ;; The installed libssh2.pc file does not include paths to libgcrypt and
    ;; zlib libraries, so we need to propagate the inputs.
-   (propagated-inputs (list libgcrypt zlib))
+   (propagated-inputs (list openssl zlib))
    (arguments
-    (list #:configure-flags #~'("--with-libgcrypt"
-                                "--disable-static")))
+    (list #:configure-flags #~'("--with-crypto=openssl"
+                                "--disable-static")
+          #:tests? #f))
    (synopsis "Client-side C library implementing the SSH2 protocol")
    (description
     "libssh2 is a library intended to allow software developers access to
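Review bot: the comment kept at `;; The installed libssh2.pc file does not include paths to libgcrypt and` / `;; zlib libraries, so we need to propagate the inputs.` now contradicts `+   (propagated-inputs (list openssl zlib))`; either reword it to openssl or re-check whether the 1.11.1 .pc file still needs propagation at all, since propagating openssl pushes it into the profile of every package that depends on libssh2. `+          #:tests? #f` carries no `;;` comment giving the reason (the Docker requirement described in the mail), which Guix reviewers will ask for, and it switches off the whole suite rather than only the Docker-dependent tests; prefer keeping tests enabled and deleting or skipping just those tests in a phase, or at least document why the suite is disabled. The new hash at `+              "1xsqysmrq40gdfjndd1yrcvwic16kn4jrzir6pn8xfadwg5pdv6r"))))` cannot be checked from the diff, so note in the cover letter that it was confirmed with `guix download` against the upstream tarball.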

base-commit: 98f29906912d03d499c48b0bd0a1aa384ea23fb2
-- 
2.45.1
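As an added example, not code from this mail nor from Guix, libssh2 or OpenSSH, here is a small Python diagnosis of the server-side log line quoted above: it parses sshd's "Unable to negotiate" message, names the sshd_config directive that actually governs the failing category (for a host key failure that is HostKeyAlgorithms, not the pubkey-authentication directive), simulates the RFC 4253 algorithm selection against an assumed server list, and flags when the only server-side workaround would be to re-enable a SHA-1 based algorithm. The log lines, peer addresses and the server algorithm list are constructed for illustration, and the parser generalises beyond the host-key case to key-exchange, cipher and MAC failures, which sshd reports with the same wording.

```python
"""Diagnose an OpenSSH "Unable to negotiate" failure and simulate the
algorithm negotiation that produced it.

Added example; not code from the mail above nor from Guix, libssh2 or
OpenSSH.  The sshd log lines and the server algorithm list are constructed
for illustration: replace SERVER_HOST_KEY_ALGS with the real output of
`sshd -T | grep -i hostkeyalgorithms` on your server.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Shape of the sshd message quoted in the mail, generalised to the four
# negotiation categories sshd reports with this wording.
NEGOTIATE_RE = re.compile(
    r"Unable to negotiate with (?P<peer>\S+) port (?P<port>\d+): "
    r"no matching (?P<what>host key type|key exchange method|cipher|MAC) found\. "
    r"Their offer: (?P<offer>[^\s\[]+)"
)

# sshd_config directive that governs each category.  The host key category
# is decided by HostKeyAlgorithms; PubkeyAcceptedAlgorithms (formerly
# PubkeyAcceptedKeyTypes) only affects user authentication keys.
DIRECTIVE = {
    "host key type": "HostKeyAlgorithms",
    "key exchange method": "KexAlgorithms",
    "cipher": "Ciphers",
    "MAC": "MACs",
}

# Algorithms that rely on SHA-1 signatures or exchange hashes; adding any of
# these back on the server is a security downgrade, not a neutral fix.
SHA1_BASED = {
    "ssh-rsa", "ssh-dss",
    "diffie-hellman-group1-sha1", "diffie-hellman-group14-sha1",
    "diffie-hellman-group-exchange-sha1",
    "hmac-sha1", "hmac-sha1-96",
}

# Assumed server-side host key algorithm list: a trimmed version of what a
# modern OpenSSH (8.8 or later) accepts by default, i.e. without ssh-rsa.
SERVER_HOST_KEY_ALGS = [
    "ssh-ed25519",
    "ecdsa-sha2-nistp256",
    "rsa-sha2-512",
    "rsa-sha2-256",
]

# Constructed log lines; the first mirrors the one quoted in the mail.
SAMPLE_LOG = [
    "Unable to negotiate with 10.0.0.5 port 34589: no matching host key type found. Their offer: ssh-rsa [preauth]",
    "Unable to negotiate with 10.0.0.6 port 41022: no matching key exchange method found. Their offer: diffie-hellman-group1-sha1,diffie-hellman-group14-sha1 [preauth]",
    "Accepted publickey for test from 10.0.0.5 port 50052 ssh2: RSA SHA256:AAAA",
]


@dataclass
class Diagnosis:
    peer: str
    directive: str          # sshd_config directive that decides this category
    offered: List[str]      # what the client proposed, in its preference order
    sha1_downgrade: bool    # True if every offered algorithm is SHA-1 based


def negotiate(client_offer: List[str], server_algs: List[str]) -> Optional[str]:
    """RFC 4253 section 7.1: the first client algorithm the server also
    supports wins; None means the negotiation fails as in the log."""
    server = set(server_algs)
    for alg in client_offer:
        if alg in server:
            return alg
    return None


def diagnose(line: str) -> Optional[Diagnosis]:
    """Parse one sshd log line; None for lines that are not negotiation failures."""
    m = NEGOTIATE_RE.search(line)
    if m is None:
        return None
    offered = m.group("offer").split(",")
    return Diagnosis(
        peer=m.group("peer"),
        directive=DIRECTIVE[m.group("what")],
        offered=offered,
        sha1_downgrade=all(a in SHA1_BASED for a in offered),
    )


def server_side_workaround(d: Diagnosis) -> str:
    """The sshd_config line that would let this client connect again.  The
    `+` form appends to the default list instead of replacing it."""
    return f"{d.directive} +{','.join(d.offered)}"


def report(log_lines: List[str]) -> List[str]:
    """One line per negotiation failure: peer, workaround, downgrade warning."""
    out = []
    for line in log_lines:
        d = diagnose(line)
        if d is None:
            continue
        warn = " (re-enables SHA-1; fix the client instead)" if d.sha1_downgrade else ""
        out.append(f"{d.peer}: {server_side_workaround(d)}{warn}")
    return out


if __name__ == "__main__":
    # A client that only offers ssh-rsa fails against the modern list ...
    print(negotiate(["ssh-rsa"], SERVER_HOST_KEY_ALGS))
    # ... while one that also offers rsa-sha2-* negotiates successfully.
    print(negotiate(["rsa-sha2-512", "rsa-sha2-256", "ssh-rsa"], SERVER_HOST_KEY_ALGS))
    for entry in report(SAMPLE_LOG):
        print(entry)
```

The `report` output makes the trade-off explicit: appending `ssh-rsa` to `HostKeyAlgorithms` would silence the error in the mail, but only by accepting SHA-1 host key signatures again, which is why fixing the client's libssh2 build is the better outcome.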
