sshd_config unsupported options #6

Open
svengo opened this issue Sep 1, 2017 · 4 comments

@svengo

svengo commented Sep 1, 2017

I get the following log entries after launching the container via docker-compose up:

git-server_1  | /etc/ssh/sshd_config line 80: Unsupported option KerberosAuthentication
git-server_1  | /etc/ssh/sshd_config line 86: Unsupported option GSSAPIAuthentication

@einarpersson

any update on this?

@jkarlosb
Owner

jkarlosb commented Nov 30, 2017

So sorry for the delay. These warnings are due to the OpenSSH version changing from 7.3 to 7.4, and some crypto features have been deprecated for security reasons:

Future deprecation notice

We plan on retiring more legacy cryptography in future releases,
specifically:

  • In approximately August 2017, removing remaining support for the
    SSH v.1 protocol (client-only and currently compile-time disabled).

  • In the same release, removing support for Blowfish and RC4 ciphers
    and the RIPE-MD160 HMAC. (These are currently run-time disabled).

  • Refusing all RSA keys smaller than 1024 bits (the current minimum
    is 768 bits)

  • The next release of OpenSSH will remove support for running sshd(8)
    with privilege separation disabled.

  • The next release of portable OpenSSH will remove support for
    OpenSSL version prior to 1.0.1.

This list reflects our current intentions, but please check the final
release notes for future releases.

Link: https://www.openssh.com/txt/release-7.4

Don't worry, this is no problem for us, because these options are not used in git-server-docker.

....
# Kerberos options
KerberosAuthentication no
....
# GSSAPI options
GSSAPIAuthentication no

Still, I will fix it soon and I will post an update here.

Thanks for the comments!!

@jkarlosb
Owner

OK, this issue is fixed; I commented out the config lines above.

To update your container, if you downloaded the image with docker-compose, just type:

docker-compose pull
docker-compose up -d

You can check that everything is OK by typing:

docker-compose logs -t

No warnings should appear now.

@jkarlosb
Owner

The next time you try "git pull" or a similar interaction with the server, you may get the following warning:

> @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
> @    WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!     @
> @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
> IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
> Someone could be eavesdropping on you right now (man-in-the-middle attack)!
> It is also possible that a host key has just been changed.
> The fingerprint for the ECDSA key sent by the remote host is
> .....
> Please contact your system administrator.
> Add correct host key in ...../.ssh/known_hosts to get rid of this message.
> Offending ECDSA key in ...../.ssh/known_hosts:**XX**
> ECDSA host key for [**IP/DOMAIN**]:2222 has changed and you have requested strict checking.
> Host key verification failed.
> fatal: Could not read from remote repository.
> 
> Please make sure you have the correct access rights
> and the repository exists. 

This is due to the SSH host keys being recreated in the container. To fix it, on your client, remove line XX in ~/.ssh/known_hosts or type:

ssh-keygen -R "[<ip>]:<port>"

For future updates, I will try to generate the server keys in the keys volume, and only if they do not exist. That way, future image updates (pulls) should not affect these keys, and the known_hosts issue will be fixed.
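
The approach described in the last comment (generate the server keys in the keys volume, and only if they do not exist), sketched as an entrypoint helper. This is an added example, not code from git-server-docker or from anyone in this thread; the `ensure_host_keys` name, the `HOST_KEY_DIR` and `KEYGEN` variables and the placeholder volume path are assumptions.

```shell
#!/bin/sh
# Added example: create sshd host keys in a persistent directory only when
# they are missing, so recreating the container keeps the same host identity
# and clients do not see "REMOTE HOST IDENTIFICATION HAS CHANGED".
# KEYGEN is overridable only so the logic can be exercised without OpenSSH.
KEYGEN="${KEYGEN:-ssh-keygen}"

# ensure_host_keys DIR
# Generates any missing ssh_host_<type>_key pair in DIR and leaves existing
# pairs untouched. Prints "generated <path>" or "kept <path>" per key type.
ensure_host_keys() {
    dir="$1"
    [ -n "$dir" ] || { echo "usage: ensure_host_keys DIR" >&2; return 2; }
    mkdir -p "$dir" || return 1
    chmod 700 "$dir" || return 1

    for type in rsa ecdsa ed25519; do
        key="$dir/ssh_host_${type}_key"
        if [ -s "$key" ] && [ -s "$key.pub" ]; then
            echo "kept $key"
            continue
        fi
        # A half-written pair (e.g. an interrupted first start) is replaced.
        rm -f "$key" "$key.pub"
        "$KEYGEN" -q -t "$type" -N "" -f "$key" || return 1
        chmod 600 "$key" || return 1
        chmod 644 "$key.pub" || return 1
        echo "generated $key"
    done
}

# Entrypoint use: HOST_KEY_DIR must point into a mounted volume (assumed,
# placeholder path below), and sshd_config must reference the keys with
# HostKey lines, for example:
#   HostKey /path/to/keys-volume/host/ssh_host_ed25519_key
if [ -n "${HOST_KEY_DIR:-}" ]; then
    ensure_host_keys "$HOST_KEY_DIR"
fi
```

Because the keys live outside the image, `docker-compose pull` followed by `docker-compose up -d` reuses them, and the `ssh-keygen -R` cleanup is only needed once, after the first switch to persistent keys.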
