From: Mihai Moldovan
To: "J. M. van Bilsen", 1202@bugs.x2go.org
Date: Fri, 1 Sep 2017 06:49:41 +0200
Subject: Re: [X2Go-Dev] kex error : no match for method mac algo client->server: server [hmac-sha2-256, hmac-sha2-512], client [hmac-sha1]

On 08/30/2017 09:09 PM, J. M. van Bilsen wrote:
>
> Package: x2goclient
> Version: 4.0.5.1-1

First off: I will likely close this issue report, since there's nothing we
could do about this. More about that later.

> $ cat /etc/lsb-release
> DISTRIB_ID=LinuxMint
> DISTRIB_RELEASE=18.1
> DISTRIB_CODENAME=serena
> DISTRIB_DESCRIPTION="Linux Mint 18.1 Serena"

So you're using Linux Mint 18.1. Am I correct to assume this is the
Ubuntu-based version?

> $ dpkg --list | grep x2goclient
> ii x2goclient 4.0.5.1-1 amd64 X2Go Client application (Qt4)

Where is this package coming from? It doesn't seem to be from any of our
repositories, so the report is bogus at best and should have been reported
upstream.

I'm not saying this to be mean, but merely because we have no control over
this repository and what it contains.

What would be more relevant in this situation is information about the libssh
(note: *not* libssh2) package.

> WARNING my assumption is this problem will be on all x2goclient
> programs.

It is and it is not. It highly depends on the libssh version x2goclient was
built against and uses at run time (though strictly speaking, as long as the
soversion is compatible, these two things can differ.)

Generally, and as I've explained countless times on mailing lists already, the
algorithms "supported" by X2Go Client boil down to what the underlying libssh
software supports. Sadly, this differs highly between versions. Older versions
(0.5.x and below) typically do not support a wide range of algorithms, may that
be MAC or even key algorithms.

Support for these SHA2-based type MAC algorithms, according to
https://www.libssh.org/features/, is available, but typically only in versions
0.7.x and higher. I'd have to look up the actual version number that brought
the changes, but chances are that your libssh version is just too old.

> After change of the security settings on sshd we cannot connect using
> x2go.
> Using portforwarding ssh -L 9999:localhost:22 someremotehost then
> letting x2goclient connect to localhost port 9999 works.
>
> Settings in sshd_config
>
> MACs hmac-sha2-256,hmac-sha2-512

Yeah, you disabled SHA1-based MACs. No wonder you see this problem...

> kex error : no match for method mac algo client->server: server [hmac-sha2-256,hmac-sha2-512], client [hmac-sha1]
>
> My assumption is client is configured using hmac-sha1 as default

Actual explanation is above. If SHA2-based MACs were supported by your libssh
version, it would have worked.

> Problem does not surface using ssh or ssh port forwarding.
>
> Problem can be easily reproduced using raspberry with mathe and MACs
> hmac-sha2-256,hmac-sha2-512 in sshd_config
>
> Problem surfaces also with different ssh proxy servers having the MACs
> setting. As stated before normal connection on ssh or using port
> forwarding no problem.

And that's for another reason - OpenSSH is a completely different
implementation of the SSH protocol. Since X2Go Client is not using OpenSSH, but
libssh, that test sadly isn't too meaningful.



Mihai
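
Added example (not part of the original message, and not X2Go or libssh code): a Python sketch of the MAC selection rule from RFC 4253 section 7.1 that leads to the "no match" error discussed above. The KEXINIT payloads are constructed; the server list is taken from the quoted sshd_config, the old client list from the error text, and the newer client's list is an assumption.

```python
import struct

SSH_MSG_KEXINIT = 20
# The ten name-lists carried by SSH_MSG_KEXINIT, in wire order (RFC 4253, 7.1).
FIELDS = ["kex", "host_key", "enc_c2s", "enc_s2c", "mac_c2s", "mac_s2c",
          "comp_c2s", "comp_s2c", "lang_c2s", "lang_s2c"]

def build_kexinit(lists):
    """Serialize: type byte, 16-byte cookie, ten name-lists, flag, reserved."""
    out = bytes([SSH_MSG_KEXINIT]) + bytes(16)   # zero cookie: constructed sample
    for field in FIELDS:
        names = ",".join(lists.get(field, [])).encode("ascii")
        out += struct.pack(">I", len(names)) + names
    return out + b"\x00" + struct.pack(">I", 0)

def parse_kexinit(payload):
    """Return {field: [names]} from a KEXINIT payload, rejecting short input."""
    if len(payload) < 17 or payload[0] != SSH_MSG_KEXINIT:
        raise ValueError("not a KEXINIT payload")
    pos, lists = 17, {}
    for field in FIELDS:
        if pos + 4 > len(payload):
            raise ValueError("truncated length field")
        (n,) = struct.unpack_from(">I", payload, pos)
        pos += 4
        if pos + n > len(payload):
            raise ValueError("truncated name-list")
        raw = payload[pos:pos + n].decode("ascii")
        lists[field] = raw.split(",") if raw else []
        pos += n
    return lists

def negotiate(client, server, field):
    """First name on the client's list that the server also offers, else None."""
    offered = set(server[field])
    return next((name for name in client[field] if name in offered), None)

def macs(names):
    return {"mac_c2s": names, "mac_s2c": names}

# Constructed payloads; only the MAC lists are filled in.
SERVER = build_kexinit(macs(["hmac-sha2-256", "hmac-sha2-512"]))
OLD_CLIENT = build_kexinit(macs(["hmac-sha1"]))
NEW_CLIENT = build_kexinit(macs(["hmac-sha2-256", "hmac-sha2-512", "hmac-sha1"]))

if __name__ == "__main__":
    server = parse_kexinit(SERVER)
    for label, payload in (("old client", OLD_CLIENT), ("new client", NEW_CLIENT)):
        chosen = negotiate(parse_kexinit(payload), server, "mac_c2s")
        print(label, "->", chosen or "no match for mac client->server")
```
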