Problem
Terraform Enterprise fails to clone a repository from Azure DevOps Server with the error:
Failed to ingress slug: Failed to clone: Failed to reach repo: Failed on ls-remote: exit status 128
Output: Unable to negotiate with xx.xx.xx.xx port 22: no matching host key type found. Their offer: ssh-rsa
Prerequisites
- Terraform Enterprise v202309-1
- Azure DevOps Server 2020 & 2019
Cause
- The Terraform Enterprise v202309-1 FDO/Consolidated Services Docker image is based on Ubuntu 22.04.3 LTS and includes openssh-client 1:8.9p1-3ubuntu0.3, which no longer enables "ssh-rsa" (RSA with SHA-1, deprecated since OpenSSH 8.2) by default, in favor of the RSA SHA-2 signature algorithms rsa-sha2-256/512. Azure DevOps Server 2020 and 2019 prior to Update 1.2 Patch 7 and Update 1.2 Patch 4 respectively lack support for these algorithms.
Solutions:
- Solution 1: Patch the Azure DevOps Server 2020 or 2019 (this is the preferred method).
- Solution 2: Workaround for Terraform Enterprise with Replicated.
# SSH into the TFE host and disable Consolidated Services
replicatedctl app-config set consolidated_services_enabled --value 0
# Restart the TFE app to apply the changes
replicatedctl app apply-config
- Solution 3: Workaround for Terraform Enterprise FDO Docker.
# Create this file on the TFE host(s) and set its permissions
echo 'PubKeyAcceptedAlgorithms=+ssh-rsa' | sudo tee /etc/ssh/tfe_allow_rsa
sudo chmod 644 /etc/ssh/tfe_allow_rsa
# Edit your compose.yaml file and add a volume of type bind. Save and redeploy your container with docker compose
volumes:
  ...
  - type: bind
    source: /etc/ssh/tfe_allow_rsa
    target: /etc/ssh/ssh_config.d/tfe_allow_rsa
Outcome
Terraform Enterprise can now clone repositories from Azure DevOps Server.
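To confirm which RSA algorithms the SSH client will actually accept, the following added example (not part of the original article or any HashiCorp tooling) parses `ssh -G` output and reports, for HostKeyAlgorithms and PubkeyAcceptedAlgorithms, whether SHA-1 "ssh-rsa" and the rsa-sha2 algorithms are enabled. The function names, the host name ado.example.internal and both sample outputs are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original article.
# Reads `ssh -G <host>` output on stdin and prints, for each option:
#   <option> ssh-rsa=<enabled|disabled> rsa-sha2=<enabled|disabled>
check_ssh_rsa() {
    awk '
        $1 == "hostkeyalgorithms" || $1 == "pubkeyacceptedalgorithms" {
            sha1 = "disabled"; sha2 = "disabled"
            n = split($2, algs, ",")
            for (i = 1; i <= n; i++) {
                # Exact match only: certificate variants such as
                # rsa-sha2-512-cert-v01@openssh.com do not count.
                if (algs[i] == "ssh-rsa") { sha1 = "enabled" }
                if (algs[i] == "rsa-sha2-256" ||
                    algs[i] == "rsa-sha2-512") { sha2 = "enabled" }
            }
            print $1, "ssh-rsa=" sha1, "rsa-sha2=" sha2
        }'
}

# Constructed sample: client defaults, abbreviated to the relevant lines.
sample_default() {
    cat <<'EOF'
hostname ado.example.internal
hostkeyalgorithms ssh-ed25519,rsa-sha2-512-cert-v01@openssh.com,rsa-sha2-512,rsa-sha2-256
pubkeyacceptedalgorithms ssh-ed25519,rsa-sha2-512-cert-v01@openssh.com,rsa-sha2-512,rsa-sha2-256
EOF
}

# Constructed sample: same client with PubKeyAcceptedAlgorithms=+ssh-rsa applied.
sample_with_workaround() {
    cat <<'EOF'
hostname ado.example.internal
hostkeyalgorithms ssh-ed25519,rsa-sha2-512-cert-v01@openssh.com,rsa-sha2-512,rsa-sha2-256
pubkeyacceptedalgorithms ssh-ed25519,rsa-sha2-512-cert-v01@openssh.com,rsa-sha2-512,rsa-sha2-256,ssh-rsa
EOF
}

# Real use, run where the ssh client executes (host name is a placeholder):
#   ssh -G ado.example.internal | check_ssh_rsa
```

A line reporting ssh-rsa=enabled means the SHA-1 algorithm is accepted for that option. After Azure DevOps Server is patched (Solution 1), both lines should report ssh-rsa=disabled once the override file is no longer mounted.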