
Upgrade SSH transport to MINA SSHD 2.14 and fix RSA-SHA2 SSH auth#1487

Open

dkhokhlov wants to merge 2 commits into gitblit-org:master from dkhokhlov:MINA_SSHD_2_14

Conversation

@dkhokhlov

@dkhokhlov dkhokhlov commented Jun 6, 2026

Summary

This updates Gitblit's SSH transport from Apache MINA SSHD 1.7.0 to 2.14.0 and fixes interoperability with modern OpenSSH clients using RSA-SHA2 signatures.

The immediate user-visible failure was SSH public key authentication with RSA keys from current OpenSSH clients. In practice this showed up as negotiation/authentication failures against
Gitblit's SSH endpoint. After upgrading the SSH stack, a few SSH test and command-path issues also needed to be corrected to make the upgraded transport behave reliably.

What changed

  • upgrade the SSH transport to Apache MINA SSHD 2.14.0
  • restore Ed25519 / EdDSA host key and key parsing support in the upgraded path
  • add explicit RSA-SHA2 coverage in SSH integration tests
  • fix the embedded SSH test harness so it reliably starts and restarts the in-JVM Gitblit server
  • fix SSH command alias resolution in DispatchCommand
  • update the SSH client-side test helper to use a stricter channel lifecycle compatible with the newer SSHD behavior

Why this is needed

Gitblit 1.10.0 is still pinned to an old MINA SSHD release. That older stack does not interoperate correctly with modern OpenSSH RSA public key authentication in practice.

Upgrading the dependency alone was not enough. The newer SSH stack exposed two additional issues:

  • the SSH test harness reused stale server state and could skip restarting the embedded server between test classes
  • DispatchCommand resolved aliases before the alias map was populated, which broke commands such as keys ls and keys rm on a fresh dispatcher instance

This patch fixes both the transport problem and the issues exposed by the upgraded SSH stack.

Validation

I validated the SSH path with focused integration coverage.

Relevant passing tests:

  • com.gitblit.tests.SshDaemonTest
  • com.gitblit.tests.SshKeysDispatcherTest
  • com.gitblit.transport.ssh.FileKeyPairProviderTest

The RSA-SHA2-specific coverage added here lives in:

  • SshDaemonTest

It verifies authentication with:

  • rsa-sha2-256
  • rsa-sha2-512

and asserts there is no fallback to legacy ssh-rsa.

Notes

This PR is intentionally scoped to the SSH transport and the test/runtime issues directly exposed by that upgrade. It does not try to clean up unrelated test failures elsewhere in the suite.

Fixes #1488

dkhokhlov added 2 commits June 5, 2026 19:02
Add server-sig-algs support so modern OpenSSH clients can negotiate RSA-SHA2 signatures successfully, and adapt the Gitblit SSH command/session integrations to the SSHD 2.x APIs.

Also fix publickey auth session handling so the two-step PK_OK flow used by newer SSHD/OpenSSH combinations does not reject the signed follow-up request after the key has already been accepted.
Upgrade the SSH stack to modern MINA SSHD, restore Ed25519/EdDSA key handling, and fix the test harness so SSH integration tests reliably start and reuse the embedded server.

Also repair SSH command alias resolution and channel lifecycle handling exposed by the newer client/server behavior.
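A client-side check for the RSA-SHA2 behaviour described in the PR summary (validation section) and in the first commit message, added here as an example and not code from Gitblit or MINA SSHD: it classifies an OpenSSH `ssh -vv` transcript by the signature algorithm the client actually signed with and whether the server advertised rsa-sha2-* in the server-sig-algs extension. The debug line wording is an assumption modelled on OpenSSH 8.x output (adjust the sed pattern if your client phrases it differently) and the sample transcripts are constructed.

```shell
#!/bin/sh
# Classify which public-key signature algorithm an OpenSSH client used against a server
# (for example a Gitblit SSH endpoint) from its `ssh -vv` output, and whether the server
# advertised rsa-sha2-* in server-sig-algs. Exit code: 0 = rsa-sha2-*, 1 = legacy ssh-rsa
# fallback, 2 = no public-key signature seen at all.
# Usage: ssh -vv -o IdentitiesOnly=yes git@gitblit.example 2>&1 | classify_pubkey_auth

classify_pubkey_auth() {
    log=$(cat)
    # server-sig-algs arrives in SSH_MSG_EXT_INFO (RFC 8332); if it does not list
    # rsa-sha2-*, OpenSSH signs with plain ssh-rsa for RSA keys (or refuses, on recent clients)
    if printf '%s\n' "$log" | grep -q 'server-sig-algs=<[^>]*rsa-sha2-'; then
        ext=advertised
    else
        ext=missing
    fi
    # Assumed line shape (OpenSSH 8.x): "debug3: sign_and_send_pubkey: signing using <alg> <fp>"
    sig=$(printf '%s\n' "$log" \
        | sed -n 's/.*sign_and_send_pubkey: signing using \([^ ]*\).*/\1/p' | head -n 1)
    case "$sig" in
        rsa-sha2-256|rsa-sha2-512) echo "$sig server-sig-algs=$ext"; return 0 ;;
        ssh-rsa)                   echo "$sig server-sig-algs=$ext"; return 1 ;;
        *)                         echo "none server-sig-algs=$ext"; return 2 ;;
    esac
}

# Constructed sample transcripts (not real captures): one healthy, one legacy fallback
SAMPLE_OK='debug1: kex_input_ext_info: server-sig-algs=<ssh-ed25519,rsa-sha2-256,rsa-sha2-512>
debug1: Offering public key: /home/user/.ssh/id_rsa RSA SHA256:xxxx explicit
debug1: Server accepts key: /home/user/.ssh/id_rsa RSA SHA256:xxxx explicit
debug3: sign_and_send_pubkey: signing using rsa-sha2-512 SHA256:xxxx
debug1: Authentication succeeded (publickey).'

SAMPLE_LEGACY='debug1: Offering public key: /home/user/.ssh/id_rsa RSA SHA256:xxxx explicit
debug1: Server accepts key: /home/user/.ssh/id_rsa RSA SHA256:xxxx explicit
debug3: sign_and_send_pubkey: signing using ssh-rsa SHA256:xxxx
debug1: Authentication succeeded (publickey).'

# Run with --demo to see both samples classified
if [ "${1:-}" = "--demo" ]; then
    printf '%s\n' "$SAMPLE_OK" | classify_pubkey_auth
    printf '%s\n' "$SAMPLE_LEGACY" | classify_pubkey_auth || echo "exit=$?"
fi
```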
@dkhokhlov dkhokhlov marked this pull request as ready for review June 6, 2026 05:25

Development

Successfully merging this pull request may close these issues.

Gitblit SSH fails with modern OpenSSH RSA-SHA2 public key authentication