After a recent update, SSH with SourceTree broke on me.
On my private repos I only allow modern, secure SSH ciphers. This used to work fine, but now I get a "No matching cipher found" error anytime I try to fetch or push. It looks like the official Windows Git comes bundled with an old or crippled OpenSSH client that doesn't support modern ciphers.
For command line usage, I was able to work around this by setting the GIT_SSH variable to point to my Cygwin SSH client. But, SourceTree doesn't seem to respect this setting and still tries to use the bundled SSH client.
Any ideas on how I can work around this?
Someone on GitHub found a work around for this!
It turns out there is a hard-coded cipher list in Program Files\Git\etc\ssh\ssh_config. All you have to do is comment that line and everything works again.
I still don't know how it was working before the update, but at least it's working now. We can go ahead and close this.
Hi Mike, thanks for the helpful response. I tweaked the PATH variable so the Cygwin bin directory came before the Git directory, but unfortunately, even after a restart, I'm seeing the same behavior from SourceTree.
From Windows cmd, I can type in: `ssh firstname.lastname@example.org` and connect with no problem. So, the environment variables are correct.
You mentioned the SSH agent. I don't think this is an issue with the agent so much as the SSH binary itself. I'm not sure what ssh client SourceTree is trying to use, but it doesn't support modern ciphers like email@example.com or firstname.lastname@example.org
Hi Mike, I've tried it with both embedded and system Git, and I get the same results with both. I'm using OpenSSH not Putty.
I replaced the ssh-agent.exe in the Git install, and nothing changed. Then, I tried replacing the ssh.exe in the Git install and I got a new error about cygwin heap mismatch. So, I have at least confirmed that SoureTree is using the ssh binary included in the Git install and not the one that comes first in the PATH environment variable.
It would be nice if SourceTree respected the GIT_SSH environment variable because I could just point it to the binary I want to use without messing with my PATH. In my case, I actually need the Git bin to come before my cygwin bin for interoperability with other apps (namely npm which has some kind of vendetta against cygwin).
Ok, now I'm really confused. I starting gathering version information to do what you suggested, and I discovered that the bundled OpenSSH with Git is actually newer than my cygwin version and specifically lists support (via "ssh -Q cipher") for all of the ciphers my server is offering.
But, even though it says it supports those ciphers, I get the same error about no matching cipher found if I try to use it directly from the command line.
I tested it against some other SSH servers, and it seemed to negotiate a cipher without issue. Any ideas at this point? It's almost starting to sounds like an issue with my server although it was working perfectly before the update.
A vulnerability has been published today in regards to Sourcetree for Windows. The goal of this article is to give you a summary of information we have gathered from Atlassian Community as a st...
Connect with like-minded Atlassian users at free events near you!Find an event
Connect with like-minded Atlassian users at free events near you!
Unfortunately there are no Community Events near you at the moment.Host an event