Eclipse, EGit, github, jsch and AES-128 encrypted private keys

Here’s a tip if you are having trouble connecting to GitHub using Eclipse/Egit with a recently generated SSH key pair…

The Issue

I had created a new SSH key pair to access a client project codebase in a private GitHub repository and was having trouble connecting via Eclipse (Helios) & EGit.

My new keypair was generated with OpenSSH v5.6, and since OpenSSh v5.4 AES-128 is now the default cipher (replacing 3DES). As seen in the header of my new private key:

-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-128-CBC,XXXXXXXXX

The internal SSH library used by Eclipse and EGit is JSch. My fully updated Eclipse Helios is using JSch v0.1.41, but unfortunately support for AES-128-CBC ciphered private keys wasn’t added until JSch v0.1.44.

Options

You could wait for Eclipse to update it (though v0.1.44 came out last Nov). or track down an updated build of com.jcraft.jsch.jar from Eclipse Orbit and manually drop it in your Eclipse plugins folder (oh bother). or re-encrypt your private key with 3DES (don’t).

Work Around

The work around I used takes advantage of a recent feature added to EGit:

If the environment variable GIT_SSH is set, use GIT_SSH for any remote protocol connections, instead of the local JSch library.

Perfect! I just set my GIT_SSH environment variable to my local OpenSSH and now EGit uses that and is able to handle my AES-128 ciphered private key properly and successfully connect to GitHub.

I love you Eclipse, but you sure are high maintenance.

And a big thanks to the folks posting to these pages for pointing me in the right direction:
http://stackoverflow.com/questions/3303122/ssh-connection-java
http://bugs.eclipse.org/bugs/show_bug.cgi?id=326526

Published by

protodave

Maker, breaker and fixer of things.

One thought on “Eclipse, EGit, github, jsch and AES-128 encrypted private keys”

  1. Thank you very much!I am looking to do the exact same thing that you decsirbe in this article. It took me a while to find this. It should have been the first hit on Google!If you don’t mind, what suggestions do you have for reading in usernames and passwords? I have been fighting with Ant to find a decent way to do this. I can use the input task obviously but the password is displayed in cleartext. I can’t seem to find a way to suppress that. In fact, it’s how I stumbled upon your article. Again, many thanks for the great article.

    Reply

Leave a Reply

Your email address will not be published. Required fields are marked *