X2Go Bug report logs - #1202
kex error : no match for method mac algo client->server: server [hmac-sha2-256,hmac-sha2-512], client [hmac-sha1]


Package: x2goclient; Maintainer for x2goclient is X2Go Developers <x2go-dev@lists.x2go.org>; Source for x2goclient is src:x2goclient.

Reported by: "J. M. van Bilsen" <jbilsen@xs4all.nl>

Date: Wed, 30 Aug 2017 19:20:02 UTC

Severity: normal

Found in version 4.0.5.1-1



Report forwarded to x2go-dev@lists.x2go.org, X2Go Developers <x2go-dev@lists.x2go.org>:
Bug#1202; Package x2goclient. (Wed, 30 Aug 2017 19:20:02 GMT) Full text and rfc822 format available.

Acknowledgement sent to "J. M. van Bilsen" <jbilsen@xs4all.nl>:
New Bug report received and forwarded. Copy sent to X2Go Developers <x2go-dev@lists.x2go.org>. (Wed, 30 Aug 2017 19:20:03 GMT) Full text and rfc822 format available.

Message #5 received at submit@bugs.x2go.org (full text, mbox):

From: "J. M. van Bilsen" <jbilsen@xs4all.nl>
To: submit@bugs.x2go.org
Cc: jbilsen@xs4all.nl
Subject: kex error : no match for method mac algo client->server: server [hmac-sha2-256,hmac-sha2-512], client [hmac-sha1]
Date: Wed, 30 Aug 2017 21:09:19 +0200
Package: x2goclient 
Version: 4.0.5.1-1

Complete system info :

 $ which x2goclient
/usr/bin/x2goclient
    
 $ cat /etc/lsb-release 
DISTRIB_ID=LinuxMint
DISTRIB_RELEASE=18.1
DISTRIB_CODENAME=serena
DISTRIB_DESCRIPTION="Linux Mint 18.1 Serena"

 $ dpkg --list | grep x2goclient
ii  x2goclient                                                  4.0.5.1-1                                    amd64        X2Go Client application (Qt4)

WARNING my assumption is this problem will be on all x2goclient
programs. 

After change of the security settings on sshd we cannot connect using
x2go.
Using port forwarding ssh -L 9999:localhost:22 someremotehost then
letting x2goclient connect to localhost port 9999 works.

Settings in sshd_config

MACs hmac-sha2-256,hmac-sha2-512

When connecting we get error message :

kex error : no match for method mac algo client->server: server [hmac-sha2-256,hmac-sha2-512], client [hmac-sha1]

My assumption is client is configured using hmac-sha1 as default

Problem does not surface using ssh or ssh port forwarding.

Problem can be easily reproduced using raspberry with mathe and MACs
hmac-sha2-256,hmac-sha2-512 in sshd_config

Problem surfaces also with different ssh proxy servers having the MACs
setting. As stated before normal connection on ssh or using port
forwarding no problem.


Information forwarded to x2go-dev@lists.x2go.org, X2Go Developers <x2go-dev@lists.x2go.org>:
Bug#1202; Package x2goclient. (Fri, 01 Sep 2017 05:05:02 GMT) Full text and rfc822 format available.

Acknowledgement sent to Mihai Moldovan <ionic@ionic.de>:
Extra info received and forwarded to list. Copy sent to X2Go Developers <x2go-dev@lists.x2go.org>. (Fri, 01 Sep 2017 05:05:03 GMT) Full text and rfc822 format available.

Message #10 received at 1202@bugs.x2go.org (full text, mbox):

From: Mihai Moldovan <ionic@ionic.de>
To: "J. M. van Bilsen" <jbilsen@xs4all.nl>, 1202@bugs.x2go.org
Subject: Re: [X2Go-Dev] kex error : no match for method mac algo client->server: server [hmac-sha2-256, hmac-sha2-512], client [hmac-sha1]
Date: Fri, 1 Sep 2017 06:49:41 +0200
[Message part 1 (text/plain, inline)]
On 08/30/2017 09:09 PM, J. M. van Bilsen wrote:
> 
> Package: x2goclient 
> Version: 4.0.5.1-1

First off: I will likely close this issue report, since there's nothing we could
do about this. More about that later.


>  $ cat /etc/lsb-release 
> DISTRIB_ID=LinuxMint
> DISTRIB_RELEASE=18.1
> DISTRIB_CODENAME=serena
> DISTRIB_DESCRIPTION="Linux Mint 18.1 Serena"

So you're using Linux Mint 18.1. Am I correct to assume this is the Ubuntu-based
version?


>  $ dpkg --list | grep x2goclient
> ii  x2goclient                                                  4.0.5.1-1                                    amd64        X2Go Client application (Qt4)

Where is this package coming from? It doesn't seem to be from any of our
repositories, so the report is bogus at best and should have been reported upstream.

I'm not saying this to be mean, but merely because we have no control over this
repository and what it contains.

What would be more relevant in this situation is information about the libssh
(note: *not* libssh2) package.


> WARNING my assumption is this problem will be on all x2goclient
> programs.

It is and it is not. It highly depends on the libssh version x2goclient was
built against and uses at run time (though strictly speaking, as long as the
soversion is compatible, these two things can differ.)

Generally, and as I've explained countless times on mailing lists already, the
algorithms "supported" by X2Go Client boil down to what the underlying libssh
software supports. Sadly, this differs highly between versions. Older versions
(0.5.x and below) typically do not support a wide range of algorithms, may that
be MAC or even key algorithms.

Support for these SHA2-based type MAC algorithms, according to
https://www.libssh.org/features/, is available, but typically only in versions
0.7.x and higher. I'd have to look up the actual version number that brought the
changes, but chances are that your libssh version is just too old.


> After change of the security settings on sshd we cannot connect using
> x2go.
> Using port forwarding ssh -L 9999:localhost:22 someremotehost then
> letting x2goclient connect to localhost port 9999 works.
>
> Settings in sshd_config
> 
> MACs hmac-sha2-256,hmac-sha2-512

Yeah, you disabled SHA1-based MACs. No wonder you see this problem...


> kex error : no match for method mac algo client->server: server [hmac-sha2-256,hmac-sha2-512], client [hmac-sha1]
> 
> My assumption is client is configured using hmac-sha1 as default

Actual explanation is above. If SHA2-based MACs were supported by your libssh
version, it would have worked.


> Problem does not surface using ssh or ssh port forwarding.
> 
> Problem can be easily reproduced using raspberry with mathe and MACs
> hmac-sha2-256,hmac-sha2-512 in sshd_config
> 
> Problem surfaces also with different ssh proxy servers having the MACs
> setting. As stated before normal connection on ssh or using port
> forwarding no problem.

And that's for another reason - OpenSSH is a completely different implementation
of the SSH protocol. Since X2Go Client is not using OpenSSH, but libssh, that
test sadly isn't too meaningful.



Mihai

[signature.asc (application/pgp-signature, attachment)]

Information forwarded to x2go-dev@lists.x2go.org, X2Go Developers <x2go-dev@lists.x2go.org>:
Bug#1202; Package x2goclient. (Fri, 01 Sep 2017 07:00:02 GMT) Full text and rfc822 format available.

Acknowledgement sent to Mihai Moldovan <ionic@ionic.de>:
Extra info received and forwarded to list. Copy sent to X2Go Developers <x2go-dev@lists.x2go.org>. (Fri, 01 Sep 2017 07:00:02 GMT) Full text and rfc822 format available.

Message #15 received at 1202@bugs.x2go.org (full text, mbox):

From: Mihai Moldovan <ionic@ionic.de>
To: "J. M. van Bilsen" <jbilsen@xs4all.nl>
Cc: 1202@bugs.x2go.org
Subject: Re: [X2Go-Dev] kex error : no match for method mac algo client->server: server [hmac-sha2-256, hmac-sha2-512], client [hmac-sha1]
Date: Fri, 1 Sep 2017 08:56:00 +0200
[Message part 1 (text/plain, inline)]
Adding back the X2Go bugtracker, since this is valuable information for anyone
that might hit this issue.


On 09/01/2017 08:15 AM, J. M. van Bilsen wrote:
> that would be sufficient to tackle the problem. You are right I have to
> check if the package came from the mint or your dist. Don't worry I will
> be testing both but not this week. 
> 
> The reason I am looking for x2go is that we do not want to use other
> methods of remote connect. 

I'm happy to hear this. :)

I still don't feel good just closing bug reports without any work carried out.

More information: Linux Mint 18.1 seems to be based upon Ubuntu 16.04, and this
edition has x2goclient 4.0.5.1-1 available (exactly), so this seems to be a hit.
You're using very likely this version. So, now that we have this, I'm pretty
sure you're also on libssh 0.6.3-4.3, which is naturally based upon libssh 0.6.3.

The corresponding commit that introduced the SHA2-based MAC algorithms was
262c82ac0661bb0be46477006ed366e401c1620f (in libssh's source code repository.)

This commit first made it into libssh 0.7.0. Older libssh versions do not
include it and thus do not support SHA2-based MAC algorithms.

Given that Ubuntu 16.04 only ships libssh 0.6.3, that explains your trouble.


You basically have two options: either report this to Linux Mint and hope they
will update the libssh package for you and rebuild every package that
depends on it (including x2goclient), or build your own versions.

The first one is not likely to be successful, though I do not know Mint's update
philosophy. Debian and Ubuntu typically don't do such huge upgrades within a
released version line. If necessary, changes are backported to the older version
- but for libssh that might turn out to be quite complicated and not worth the
effort. Mint might be different, so it might be worth a shot to try.

The second one requires quite a lot of effort on your side, including staying up
to date and deploying self-modified packages.



Mihai

[signature.asc (application/pgp-signature, attachment)]



X2Go Developers <owner@bugs.x2go.org>. Last modified: Sat Dec 15 11:19:25 2018; Machine Name: ymir.das-netzwerkteam.de

X2Go Bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.