Page MenuHomePhabricator

OpenSSH 9 scp does not work with Gerrit due to lack of sftp subsystem
Closed, ResolvedPublicBUG REPORT


Steps to replicate the issue (include links if applicable):

What happens?:
Cloning works, but SCP part of command fails with:

debug1: Sending subsystem: sftp
subsystem request failed on channel 0

What should have happened instead?:
Command should be executed without any error.

Software version (skip for WMF-hosted wikis like Wikipedia):

  • Gerrit 3.5.4
  • macOS version: Ventura 13.2.1
  • Version of OpenSSH: OpenSSH_9.0p1
  • Version of LibreSSL library: LibreSSL 3.3.6

Other informations:
@hashar mentions that there is Upstream task about this:

Upstream references:
Issue 15944: scp command for retrieving commit-sh hook fails with OpenSSH 9.0
Issue 16705: Always use HTTP to download commit-msg hook

And the patch


  • Use the legacy scp protocol using scp -O
  • Fetch the hook over https

Event Timeline

Kizule updated the task description. (Show Details)
Kizule updated Other Assignee, added: hashar.
Kizule removed a project: User-Kizule.
Kizule updated Other Assignee, removed: hashar.

This is due to OpenSSH 9 making scp to use sftp which is not supported by Gerrit. The workaround is to fetch the commit hook over https.

hashar renamed this task from Cloning commit message hooks from Gerrit via SSH/SCP isn't working on MacOS to OpenSSH 9 scp does not work with Gerrit due to lack of sftp subsystem.Mar 2 2023, 12:48 PM
hashar updated the task description. (Show Details) got merged. The plugin is bundled in Gerrit, so I guess that will be included in the next versions of Gerrit 3.5, 3.6 and 3.7.

Looking at upstream repo and the stable-3.5 branch, the download-commands plugin has been made to always track master and got updated so it does not lag behind. The commit is

commit 34b4352f73417572ce4b6d02bccfe54bbe98ee64
Author: Sven Selberg <>
Date:   Thu Mar 2 18:20:06 2023 +0100

    Always track master on download-commands plugin
    The download-commands plugin only uses APIs that were extracted
    specifically for the download-commands plugin and very rarely
    changes. It doesn't give much benefit to let older releases use
    an older version since the only effect is that they get an
    outdated plugin.
    Also makes the ctor of DownloadConfig public for tests as this was
    the only API breakage from master (f0c9b9e).
    Update plugins/download-commands to latest master.
    Changes since v3.5.5:
    * b83ce67 Consistently use `git rev-parse` to find hooks-dir
    * 90b37d2 Always use http to get commit-msg hook          <<<------- fix for this T330740 task
    * f0c9b9e Add test for CloneWithCommitMsgHook
    * a16ebc6 Merge "Annotate methods that return a definitely null value with @Nullable"
    * 107b225 Annotate methods that return a definitely null value with @Nullable
    * a649bdb Prefer ImmutableList to the convenience methods in List
    * 71331e1 Throw IllegalStateException instead of RuntimeException
    * 7f73617 URL encode username in http and ssh schemes
    * 1a30359 Adapt to enabling error level for the UnnecessaryParentheses bug pattern
    * 6f58c1e document the new branch & reset commands
    Bug: Issue 15944
    Release-Notes: Update plugins/download-commands to latest master
    Change-Id: Ie41500963d425ade312e5bb4c4a2f4ba7f4f144d
hashar claimed this task.

I have deployed Gerrit 3.5.6 which comes with download-commands plugin fix which is to always fetch the commit-msg hook over https.

I went to,general

Choose DownloadSSH

The resulting command is:

git clone "ssh://" \
  && ( \
    cd "BlockAndNuke" \
    && mkdir -p `git rev-parse --git-dir`/hooks/ \
    && curl -Lo `git rev-parse --git-dir`/hooks/commit-msg; \
        chmod +x `git rev-parse --git-dir`/hooks/commit-msg

It is thus now using curl and https instead of scp which works around the lack of sftp subsystem in Gerrit/JGit (but I guess that will eventually be implemented).

I believe it addresses this task :)