X2Go Bug report logs - #1202
kex error : no match for method mac algo client->server: server [hmac-sha2-256,hmac-sha2-512], client [hmac-sha1]

version graph

Package: x2goclient; Maintainer for x2goclient is X2Go Developers <x2go-dev@lists.x2go.org>; Source for x2goclient is src:x2goclient.

Reported by: "J. M. van Bilsen" <jbilsen@xs4all.nl>

Date: Wed, 30 Aug 2017 19:20:02 UTC

Severity: normal

Found in version 4.0.5.1-1

Full log

🔗 View this message in rfc822 format

X-Loop: owner@bugs.x2go.org
Subject: Bug#1202: [X2Go-Dev] kex error : no match for method mac algo client->server: server [hmac-sha2-256, hmac-sha2-512], client [hmac-sha1]
Reply-To: Mihai Moldovan <ionic@ionic.de>, 1202@bugs.x2go.org
Resent-From: Mihai Moldovan <ionic@ionic.de>
Resent-To: x2go-dev@lists.x2go.org
Resent-CC: X2Go Developers <x2go-dev@lists.x2go.org>
X-Loop: owner@bugs.x2go.org
Resent-Date: Fri, 01 Sep 2017 05:05:02 +0000
Resent-Message-ID: <handler.1202.B1202.15042420148088@bugs.x2go.org>
Resent-Sender: owner@bugs.x2go.org
X-X2Go-PR-Message: followup 1202
X-X2Go-PR-Package: x2goclient
X-X2Go-PR-Keywords: 
Received: via spool by 1202-submit@bugs.x2go.org id=B1202.15042420148088
          (code B ref 1202); Fri, 01 Sep 2017 05:05:02 +0000
Received: (at 1202) by bugs.x2go.org; 1 Sep 2017 05:00:14 +0000
X-Spam-Checker-Version: SpamAssassin 3.4.1 (2015-04-28) on
	ymir.das-netzwerkteam.de
X-Spam-Level: 
X-Spam-Status: No, score=-2.0 required=3.0 tests=BAYES_00,DKIM_SIGNED,
	DKIM_VALID,DKIM_VALID_AU,T_SPF_HELO_TEMPERROR,URIBL_BLOCKED autolearn=ham
	autolearn_force=no version=3.4.1
Received: from localhost (localhost [127.0.0.1])
	by ymir.das-netzwerkteam.de (Postfix) with ESMTP id 6334E5DACF
	for <1202@bugs.x2go.org>; Fri,  1 Sep 2017 07:00:01 +0200 (CEST)
X-Virus-Scanned: Debian amavisd-new at ymir.das-netzwerkteam.de
Received: from ymir.das-netzwerkteam.de ([127.0.0.1])
	by localhost (ymir.das-netzwerkteam.de [127.0.0.1]) (amavisd-new, port 10024)
	with ESMTP id v53Z5wSBnOtp for <1202@bugs.x2go.org>;
	Fri,  1 Sep 2017 06:59:39 +0200 (CEST)
X-Greylist: delayed 594 seconds by postgrey-1.35 at ymir.das-netzwerkteam.de; Fri, 01 Sep 2017 06:59:39 CEST
Received: from Root24.de (powered.by.root24.eu [5.135.3.88])
	by ymir.das-netzwerkteam.de (Postfix) with ESMTP id 83DB05DA8C
	for <1202@bugs.x2go.org>; Fri,  1 Sep 2017 06:59:39 +0200 (CEST)
Received: from [10.20.16.17] (178.162.222.163.adsl.inet-telecom.org [178.162.222.163])
	by mail.ionic.de (Postfix) with ESMTPSA id 0A0164F0067A;
	Fri,  1 Sep 2017 06:49:42 +0200 (CEST)
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=ionic.de; s=default;
	t=1504241382; bh=rilAngqHH/5YEGH8KDzZJd7eGQ8sboiUxFfBSHwaSTI=;
	h=Subject:To:References:From:Date:In-Reply-To:From;
	b=B232TxVaPeDF+eA2s+Uh92DNkiPXJN+0hjivEwEKQfcWswKsFYVSxO40YNenI7cl6
	 7bHTjIesVWd27CfmnTYhBPfBVrMcElRH8GIB93YSdIJNnmXJJLMB7NQjWJIMqA4RUg
	 Otl80VPTrtLqDuMq4k8QHP5Z7uvO1o3OHleJlC8s=
To: "J. M. van Bilsen" <jbilsen@xs4all.nl>, 1202@bugs.x2go.org
References: <1504120159.19175.0.camel@xs4all.nl>
From: Mihai Moldovan <ionic@ionic.de>
Message-ID: <0af688ae-c199-d3a0-b680-558c5e01cc92@ionic.de>
Date: Fri, 1 Sep 2017 06:49:41 +0200
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101
 Thunderbird/52.1.1
MIME-Version: 1.0
In-Reply-To: <1504120159.19175.0.camel@xs4all.nl>
Content-Type: multipart/signed; micalg=pgp-sha512;
 protocol="application/pgp-signature";
 boundary="uU8V6UbjqlDXnkNcEcSm9j6Mu4KFMR4Wr"

[Message part 1 (text/plain, inline)]
On 08/30/2017 09:09 PM, J. M. van Bilsen wrote:
> 
> Package: x2goclient 
> Version: 4.0.5.1-1

First off: I will likely close this issue report, since there's nothing we could
do about this. More about that later.


>  $ cat /etc/lsb-release 
> DISTRIB_ID=LinuxMint
> DISTRIB_RELEASE=18.1
> DISTRIB_CODENAME=serena
> DISTRIB_DESCRIPTION="Linux Mint 18.1 Serena"

So you're using Linux Mint 18.1. Am I correct to assume this is the Ubuntu-based
version?


>  $ dpkg --list | grep x2goclient
> ii  x2goclient                                                  4.0.5.1
> -1                                    amd64        X2Go Client
> application (Qt4)

Where is this package coming from? It doesn't seem to be from any of our
repositories, so the report is bogus at best and should have been reported upstream.

I'm not saying this to be mean, but merely because we have no control over this
repository and what it contains.

What would be more relevant in this situation is information about the libssh
(note: *not* libssh2) package.


> WARNING my assumption is this problem will be on all x2goclient
> programs.

It is and it is not. It highly depends on the libssh version x2goclient was
built against and uses at run time (though strictly speaking, as long as the
soversion is compatible, these two things can differ.)

Generally, and as I've explained countless times on mailing lists already, the
algorithms "supported" by X2Go Client boils down to what the underlying libssh
software supports. Sadly, this differs highly between versions. Older versions
(0.5.x and below) typically do not support a wide range of algorithms, may that
be MAC or even key algorithms.

Support for these SHA2-based type MAC algorithms, according to
https://www.libssh.org/features/, is available, but typically only in versions
0.7.x and higher. I'd have to look up the actual version number that brought the
changes, but chances are that your libssh version is just too old.


> After change of the security settings on sshd we cannot connect using
> x2go.
> Using portforwarding ssh -L 9999:localhost:22 someremotehost then
> letting x2goclient connect to localhost port 9999 works.
>
> Settings in sshd_config
> 
> MACs hmac-sha2-256,hmac-sha2-512

Yeah, you disabled SHA1-based MACs. No wonder you see this problem...


> kex error : no match for method mac algo client->server: server [hmac-
> sha2-256,hmac-sha2-512], client [hmac-sha1]
> 
> My assumption is client is configured using hmac-sha1 as default

Actual explanation is above. If SHA2-based MACs were supported by your libssh
version, it would have worked.


> Problem does not surface using ssh or ssh port forwarding.
> 
> Problem can be easy reproduced using raspberry with mathe and MACs
> hmac-sha2-256,hmac-sha2-512 in sshd_config
> 
> Problem surface also with different ssh proxy servers having the MACs
> setting. As stated before normal connection on ssh or using port
> forwarding no problem.

And that's for another reason - OpenSSH is a completely different implementation
of the SSH protocol. Since X2Go Client is not using OpenSSH, but libssh, that
test sadly isn't too meaningful.



Mihai


[signature.asc (application/pgp-signature, attachment)]

Send a report that this bug log contains spam.

X2Go Developers <owner@bugs.x2go.org>. Last modified: Sat Oct 25 03:57:26 2025; Machine Name: ymir.das-netzwerkteam.de

X2Go Bug tracking system

Debbugs is free software and licensed under the terms of the GNU Public License version 2. The current version can be obtained from https://bugs.debian.org/debbugs-source/.

Copyright © 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson, 2005-2017 Don Armstrong, and many other contributors.