Why do I receive an "Auth fail" error when interacting with a Git remote over SSH in MATLAB or why does MATLAB keep asking for the password of git@myhost?

When trying to clone my Git remote in MATLAB over SSH or when trying to interact with (push, pull, etc.) an already successfully cloned (using an external client) repository from within MATLAB, I get one of the following symptoms: 
  • MATLAB keeps on showing the dialog: "The authenticity of host 'myhost' can't be established" message, even if I have specified before that this identity is correct and this preference should have been saved. After this message I receive an error dialog saying "Auth fail". 
  • Instead of displaying this error, MATLAB may ask for the password of git@myhost every time I interact with the Git remote server. 
  • MATLAB shows the following dialog "Unable to pull changes: git @github.com myRepo invalid private key" when I try to add version control to a folder within MATLAB.

Accepted Answer

MathWorks Support Team on 22 Jul 2022
Edited: MathWorks Support Team on 15 Sep 2022
The "Auth fail" message is shown when all authentication mechanisms supported by the server failed; the password dialog will be shown if public-key authentication failed but additional authentication methods are available on the server. One possible reason for this public-key authentication failure is MATLAB finding ~/.ssh/id_rsa or ~/.ssh/id_dsa or ~/.ssh/identity file(s) and attempting to authenticate over SSH with them, but none of these files contained a key which MATLAB was able to work with. Another possible reason is that MATLAB cannot find your ~/.ssh/id_rsa file(s) at all.
MATLAB's Git client requires your private key to be in the (older) RSA format and it cannot work with the (newer) OPENSSH format. Please open your private key file in a text editor; to be compatible with MATLAB it should start with:
-----BEGIN RSA PRIVATE KEY-----
And not with:
-----BEGIN OPENSSH PRIVATE KEY-----
Why might you have different keys in different formats?
This is a combination of factors:
  • Older ssh-keygen versions always created keys in the RSA format, so then it would always have worked fine with MATLAB.
  • At one point, an "-o" option was added to ssh-keygen; when called with this "-o" option, it would produce keys in the OPENSSH format. At the time, online instructions (on websites like git-scm.com, github.com, gitlab.com, etc.) about using ssh-keygen varied by website: some instructed you to explicitly add "-o", some did not. If you called ssh-keygen with "-o" you would have gotten a key incompatible with MATLAB; if you did not, the key was compatible with MATLAB.
  • In current ssh-keygen versions, the OPENSSH format is in fact the default; you no longer have to explicitly add "-o" to get a key in that format. Nowadays you explicitly have to add "-m PEM" to get a key in the RSA format. Most online instructions now instruct you to use ssh-keygen without the "-o" option (since it has no effect anymore anyway) but also without the "-m PEM" option. So nowadays when following most of the online instructions you would get a key that is incompatible with MATLAB.
What is our advice right now?
When creating new keys, you can basically follow online instructions for your preferred platform on how to use ssh-keygen, for example with regards to which key size to use; however:
  • If these instructions include adding "-o" to the command line then actually omit this option.
  • If these instructions do not include "-m PEM" then please do add this option.
So you would for example get:
ssh-keygen -t rsa -b 4096 -m PEM
Further, it should be possible to convert from OPENSSH to RSA format if you had already created your key in the OPENSSH format:
ssh-keygen -p -m PEM -f ~/.ssh/id_rsa
Where you may need to replace ~/.ssh/id_rsa with your specific private key file.
If you are still experiencing this issue, make sure that your "HOME" environment variable is set as the parent folder of your .ssh folder. So if your .ssh folder is located in
C:/Users/UserABC/.ssh
set the HOME variable to:
C:/Users/UserABC/
This can be done system wide on Windows as follows:
  • right click on "This PC" in file explorer
  • select properties
  • then select "Advanced system settings"
  • This brings up a dialog that allows environment variables to be set globally
Alternatively, MATLAB can be launched from a terminal where the HOME environment variable has already been set. 
To confirm the value of your "HOME" environment variable, run the MATLAB command:
>> getenv('HOME')
For 'getenv' to show the path added, I had to add 'HOME' to 'System variables' in the 'Environment Variables' dialog rather than 'User variables for <user>'.
If you are still experiencing this issue after verifying your "HOME" environment variable, try updating to the most recent release of MATLAB. 
More information about setting up Git over SSH is available here:
  7 Comments
François LINANT on 5 Jul 2021
Thanks, this helped me a lot.
One more thing: you have to generate the SSH key without MATLAB running, or restart MATLAB after the SSH key generation.
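
A quick way to check which of the default key files named in the accepted answer are in a format MATLAB's Git client can read, as an added example that is not part of the original thread and not MathWorks code. The function names key_format and report_keys are made up for this example, and HOME is assumed to be the parent folder of .ssh, as the answer describes:

```shell
#!/bin/sh
# Added example: classify private key files by their header line.

# Print the format of one private key file, judged by its first line.
key_format() {
    f=$1
    [ -f "$f" ] || { echo missing; return 0; }
    IFS= read -r first < "$f" || true          # tolerate a missing final newline
    first=$(printf '%s' "$first" | tr -d '\r') # tolerate CRLF files on Windows
    case $first in
        "-----BEGIN RSA PRIVATE KEY-----")     echo rsa-pem ;;
        "-----BEGIN OPENSSH PRIVATE KEY-----") echo openssh ;;
        "-----BEGIN "*"PRIVATE KEY-----")      echo other-pem ;;
        *)                                     echo unknown ;;
    esac
}

# Report on the default key files under "$1/.ssh".
# Returns 0 if at least one is in the RSA (PEM) format, 1 otherwise.
report_keys() {
    dir=${1%/}/.ssh
    usable=1
    for name in id_rsa id_dsa identity; do
        fmt=$(key_format "$dir/$name")
        echo "$dir/$name: $fmt"
        if [ "$fmt" = rsa-pem ]; then usable=0; fi
        if [ "$fmt" = openssh ]; then
            # ssh-keygen -p rewrites the file in place: keep a backup copy.
            echo "  convert with: ssh-keygen -p -m PEM -f $dir/$name"
        fi
    done
    return $usable
}

# Check the folder MATLAB would look in, based on the HOME variable.
report_keys "${HOME:-.}" ||
    echo "No default key in RSA (PEM) format under ${HOME:-.}/.ssh"
```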


More Answers (4)

Shawn Xiao on 31 Aug 2020
The first method helps: use ssh-keygen -t rsa -b 4096 -m PEM to generate the new SSH keys.

Chris Armstrong on 7 Jan 2022
If you don't have access to the command line or a terminal client, you can run these commands within MATLAB by adding an ! to the beginning. I.e:
!ssh-keygen -t rsa -b 4096 -m PEM

Joseph Becker on 11 Jan 2022
Unfortunately GIT has just turned off support for RSA, at least the older version of RSA using SHA-1; this "feature" started 11 JAN 2022. https://github.blog/2021-09-01-improving-git-protocol-security-github/
I do not have enough knowledge of SSH or GIT to see any fix except that Matlab needs to get with the program and stop using RSA (apparently completely broken these days, hence totally insecure) and use something more modern, presumably OPENSSH.
In the meantime I can't use GIT and hence Projects in Matlab, which is sort of a crisis, isn't it???
  7 Comments
Joseph Becker on 28 Jun 2022
Using RSA; it all works. But I don't know that I solved it; I can tell you that once I got it to work it's great. Here are some facts...
I could never get it to work with anything but RSA; so forget using ecdsa, etc.
I believe you need to one way or the other get github and its RSA into your known hosts file. This link seems like it might be a super good clue, but I didn't do the things they describe...
https://www.mathworks.com/matlabcentral/answers/821320-when-connecting-to-a-git-server-from-matlab-i-keep-getting-the-message-the-authenticity-of-host
I have in ~/.ssh the following. Not sure what is needed. Note "my" key is just an old RSA key, but the git one is OPENSSH. It has been so long, I'm not sure the sequence of making these, but it was generally the above...
My own keys
==> id_rsa <==
-----BEGIN RSA PRIVATE KEY-----
==> id_rsa.pub <==
and for github
==> github_rsa <==
-----BEGIN OPENSSH PRIVATE KEY-----
==> github_rsa.pub <==
and in my known hosts there are several github entries. Some are just IP addresses, e.g. 192.30.255.113, and some are domains like github.com. They look like this:
192.30.255.113 ssh-rsa <my key in id_rsa.pub>
github.com ssh-rsa <my key in id_rsa.pub>
So those known_host entries are huge, they have the whole RSA key.
I'm guessing that Matlab has added some part of all these and that is the secret to getting this all to work.
I vaguely remember something about known_hosts is how Matlab keeps track of git username and passwords. Seriously: good luck; it'll be great if you can get it to work!



Joseph Becker on 12 Jan 2022
It appears that using the HTTPS access to GIT no longer constantly requires login and password. Maybe. Matlab asked for the GitHub.com password 3 days ago and after several restarts of Matlab and fetching and pushing it hasn't asked again. Maybe something was improved in 201b that eliminates all the logins.
  2 Comments
Karl_469 on 2 Sep 2022
Edited: Karl_469 on 2 Sep 2022
There is some backwards compatibility for your specific case of having an "old" project. (-you already had a working RSA SSH key for a given GIT repository-)
According to GIT Docs:
RSA is not supported because GITHub requires a SHA-2 signature since somewhere around late 2021. From what I understand, RSA are not SHA-2!
Yet, according to GIT Docs, RSA keys produced before November 2, 2021 are valid no matter the signature.
"RSA keys (ssh-rsa) with a valid_after before November 2, 2021 may continue to use any signature algorithm. RSA keys generated after that date must use a SHA-2 signature algorithm."
(https://docs.github.com/en/authentication/connecting-to-github-with-ssh/generating-a-new-ssh-key-and-adding-it-to-the-ssh-agent)
There is no solution posted here for someone trying to get a "new" project started using RSA.

Release

R2019a
