+12 votes
in tools.gitlibs by
closed by

clj and tools.gitlibs use an old jsch via the jgit library. jsch doesn't support all the private
key formats and key types created by OpenSSH ssh-keygen. This can cause rather cryptic error messages
(see the stack trace below). JGit has added support for these in a recent version by switching from jsch to another ssh implementation.

https://wiki.eclipse.org/JGit/New_and_Noteworthy/5.2

Currently tools.gitlibs uses org.eclipse.jgit:org.eclipse.jgit 4.10.0.201712302008-r
while the current version of jgit is 5.5.1.201910021850-r.

There have been a bunch of issues related to jsch before: https://clojure.atlassian.net/browse/TDEPS-91.

Seems that private keys starting with this line are not supported. And this is what openssh
ssh-keygen creates by default:

-----BEGIN OPENSSH PRIVATE KEY-----

For example, this kind of error happens when using an unsupported ssh private key format:

```
Cloning: https://github.com/cognitect-labs/test-runner
Error building classpath. [email protected]:cognitect-labs/test-runner: invalid privatekey: [B@71d55b7e
org.eclipse.jgit.api.errors.TransportException: [email protected]:cognitect-labs/test-runner: invalid privatekey: [B@71d55b7e
    at org.eclipse.jgit.api.FetchCommand.call(FetchCommand.java:248)
    at org.eclipse.jgit.api.CloneCommand.fetch(CloneCommand.java:306)
    at org.eclipse.jgit.api.CloneCommand.call(CloneCommand.java:200)
    at org.eclipse.jgit.api.CloneCommand.call(CloneCommand.java:89)
    at clojure.tools.gitlibs.impl$call_with_auth.invokeStatic(impl.clj:50)
    at clojure.tools.gitlibs.impl$call_with_auth.invoke(impl.clj:41)
    at clojure.tools.gitlibs.impl$git_clone_bare.invokeStatic(impl.clj:71)
    at clojure.tools.gitlibs.impl$git_clone_bare.invoke(impl.clj:68)
    at clojure.tools.gitlibs.impl$ensure_git_dir.invokeStatic(impl.clj:110)
    at clojure.tools.gitlibs.impl$ensure_git_dir.invoke(impl.clj:100)
    at clojure.tools.gitlibs$resolve.invokeStatic(gitlibs.clj:33)
    at clojure.tools.gitlibs$resolve.invoke(gitlibs.clj:29)
    at clojure.tools.gitlibs$procure.invokeStatic(gitlibs.clj:47)
    at clojure.tools.gitlibs$procure.invoke(gitlibs.clj:41)
    at clojure.tools.deps.alpha.extensions.git$eval966$fn__968.invoke(git.clj:41)
    at clojure.lang.MultiFn.invoke(MultiFn.java:239)
    at clojure.tools.deps.alpha$expand_deps.invokeStatic(alpha.clj:181)
    at clojure.tools.deps.alpha$expand_deps.invoke(alpha.clj:164)
    at clojure.tools.deps.alpha$resolve_deps.invokeStatic(alpha.clj:231)
    at clojure.tools.deps.alpha$resolve_deps.invoke(alpha.clj:213)
    at clojure.tools.deps.alpha.script.make_classpath$create_classpath.invokeStatic(make_classpath.clj:61)
    at clojure.tools.deps.alpha.script.make_classpath$create_classpath.invoke(make_classpath.clj:53)
    at clojure.tools.deps.alpha.script.make_classpath$run.invokeStatic(make_classpath.clj:79)
    at clojure.tools.deps.alpha.script.make_classpath$run.invoke(make_classpath.clj:72)
    at clojure.tools.deps.alpha.script.make_classpath$_main.invokeStatic(make_classpath.clj:118)
    at clojure.tools.deps.alpha.script.make_classpath$_main.doInvoke(make_classpath.clj:93)
    at clojure.lang.RestFn.applyTo(RestFn.java:137)
    at clojure.lang.Var.applyTo(Var.java:705)
    at clojure.core$apply.invokeStatic(core.clj:665)
    at clojure.main$main_opt.invokeStatic(main.clj:514)
    at clojure.main$main_opt.invoke(main.clj:510)
    at clojure.main$main.invokeStatic(main.clj:664)
    at clojure.main$main.doInvoke(main.clj:616)
    at clojure.lang.RestFn.applyTo(RestFn.java:137)
    at clojure.lang.Var.applyTo(Var.java:705)
    at clojure.main.main(main.java:40)
Caused by: org.eclipse.jgit.errors.TransportException: [email protected]:cognitect-labs/test-runner: invalid privatekey: [B@71d55b7e
    at org.eclipse.jgit.transport.JschConfigSessionFactory.getSession(JschConfigSessionFactory.java:172)
    at org.eclipse.jgit.transport.SshTransport.getSession(SshTransport.java:140)
    at org.eclipse.jgit.transport.TransportGitSsh$SshFetchConnection.<init>(TransportGitSsh.java:280)
    at org.eclipse.jgit.transport.TransportGitSsh.openFetch(TransportGitSsh.java:170)
    at org.eclipse.jgit.transport.FetchProcess.executeImp(FetchProcess.java:137)
    at org.eclipse.jgit.transport.FetchProcess.execute(FetchProcess.java:123)
    at org.eclipse.jgit.transport.Transport.fetch(Transport.java:1269)
    at org.eclipse.jgit.api.FetchCommand.call(FetchCommand.java:237)
    ... 35 more
Caused by: com.jcraft.jsch.JSchException: invalid privatekey: [B@71d55b7e
    at com.jcraft.jsch.KeyPair.load(KeyPair.java:948)
    at com.jcraft.jsch.KeyPair.load(KeyPair.java:561)
    at com.jcraft.jsch.IdentityFile.newInstance(IdentityFile.java:40)
    at com.jcraft.jsch.JSch.addIdentity(JSch.java:407)
    at com.jcraft.jsch.JSch.addIdentity(JSch.java:367)
    at org.eclipse.jgit.transport.JschConfigSessionFactory.getJSch(JschConfigSessionFactory.java:320)
    at org.eclipse.jgit.transport.JschConfigSessionFactory.createSession(JschConfigSessionFactory.java:257)
    at org.eclipse.jgit.transport.JschConfigSessionFactory.createSession(JschConfigSessionFactory.java:188)
    at org.eclipse.jgit.transport.JschConfigSessionFactory.getSession(JschConfigSessionFactory.java:119)
    ... 42 more
```

closed with the note: The Clojure CLI now shells out to git and should support these. Please file a new issue if problems.

2 Answers

+2 votes
by

Thanks, these are known issues and agree we should work on them. The two main paths to consider are a) upgrading all the jgit / jsch (or newer alternatives) and b) shelling out to git. There are tradeoffs with both and it's possible that making both available as options would be useful but this needs some focus time.

by
tools.deps does support these today but via an ssh-agent, not by listing IdentityFile in the .ssh/config
0 votes
by

In case anyone else has run into this issue, an interim solution might be to create or revert back to an older key format as mentioned here.

When generating an ssh key for GitHub, you could run something like the command below, unlike the examples in the GitHub docs.

```
ssh-keygen -m PEM -t rsa -b 4096 -C "[email protected]"
```

I'm sure there's a good reason why they have moved to a newer format, so please note that this is merely a temporary workaround.
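To see which container format an existing key file uses before regenerating it, the following added example (not part of the original posts and not tools.gitlibs code) reads the header line and, for the OpenSSH format, the unencrypted preamble of the `openssh-key-v1` blob. The names `describe_private_key` and `constructed_sample` are chosen here, and the sample key is constructed from zero bytes, not a real key.

```python
import base64
import struct

MAGIC = b"openssh-key-v1\x00"
BEGIN = "-----BEGIN OPENSSH PRIVATE KEY-----"
END = "-----END OPENSSH PRIVATE KEY-----"

def _ssh_string(data):
    """Encode an SSH 'string': uint32 big-endian length, then the bytes."""
    return struct.pack(">I", len(data)) + data

def _read_string(buf, off):
    """Decode one SSH 'string' at off; return (bytes, next offset)."""
    if off + 4 > len(buf):
        raise ValueError("truncated length field")
    end = off + 4 + struct.unpack_from(">I", buf, off)[0]
    if end > len(buf):
        raise ValueError("truncated string")
    return buf[off + 4:end], end

def describe_private_key(text):
    """Classify a private key file by container format, without decrypting it."""
    lines = [ln.strip() for ln in text.strip().splitlines()]
    if not lines or not lines[0].startswith("-----BEGIN "):
        return {"format": "unknown"}
    if lines[0] != BEGIN:  # e.g. "RSA PRIVATE KEY" from ssh-keygen -m PEM
        return {"format": "pem", "label": lines[0][len("-----BEGIN "):-5]}
    if lines[-1] != END:
        raise ValueError("missing END line")
    blob = base64.b64decode("".join(lines[1:-1]), validate=True)
    if not blob.startswith(MAGIC):
        raise ValueError("bad openssh-key-v1 magic")
    cipher, off = _read_string(blob, len(MAGIC))
    kdf, off = _read_string(blob, off)
    _kdf_options, off = _read_string(blob, off)
    public_blob, _ = _read_string(blob, off + 4)  # skip uint32 key count
    key_type, _ = _read_string(public_blob, 0)
    return {"format": "openssh-key-v1", "key_type": key_type.decode(),
            "cipher": cipher.decode(), "kdf": kdf.decode(),
            "encrypted": cipher != b"none"}

def constructed_sample():
    """Constructed, non-functional key: all key material is zero bytes."""
    public_blob = _ssh_string(b"ssh-ed25519") + _ssh_string(bytes(32))
    blob = (MAGIC + _ssh_string(b"none") + _ssh_string(b"none") + _ssh_string(b"")
            + struct.pack(">I", 1) + _ssh_string(public_blob) + _ssh_string(bytes(8)))
    return "\n".join([BEGIN, base64.b64encode(blob).decode(), END])

if __name__ == "__main__":
    print(describe_private_key(constructed_sample()))
```

A result with `format` equal to `openssh-key-v1` is the header the question reports as failing with `invalid privatekey`; a `pem` result is what `ssh-keygen -m PEM` writes.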
