From unknown Tue Apr 28 11:07:25 2026 X-Loop: owner@bugs.x2go.org Subject: Bug#1373: [X2Go-Dev] Bug#1373: kex error : no match for method mac algo Reply-To: Danie de Jager , 1373@bugs.x2go.org Resent-From: Danie de Jager Resent-To: x2go-dev@lists.x2go.org Resent-CC: owner@bugs.x2go.org X-Loop: owner@bugs.x2go.org Resent-Date: Mon, 18 Feb 2019 11:30:03 +0000 Resent-Message-ID: Resent-Sender: owner@bugs.x2go.org X-X2Go-PR-Message: followup 1373 X-X2Go-PR-Package: client X-X2Go-PR-Keywords: Received: via spool by 1373-submit@bugs.x2go.org id=B1373.15504891235712 (code B ref 1373); Mon, 18 Feb 2019 11:30:03 +0000 Received: (at 1373) by bugs.x2go.org; 18 Feb 2019 11:25:23 +0000 X-Spam-Checker-Version: SpamAssassin 3.4.2 (2018-09-13) on ymir.das-netzwerkteam.de X-Spam-Level: X-Spam-Status: No, score=-2.0 required=3.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,HTML_MESSAGE,URIBL_BLOCKED autolearn=ham autolearn_force=no version=3.4.2 Received: from localhost (localhost [127.0.0.1]) by ymir.das-netzwerkteam.de (Postfix) with ESMTP id 244A55DAF4 for <1373@bugs.x2go.org>; Mon, 18 Feb 2019 12:25:18 +0100 (CET) X-Virus-Scanned: Debian amavisd-new at ymir.das-netzwerkteam.de Received: from ymir.das-netzwerkteam.de ([127.0.0.1]) by localhost (ymir.das-netzwerkteam.de [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id zsHPf-A7LQYw for <1373@bugs.x2go.org>; Mon, 18 Feb 2019 12:25:07 +0100 (CET) Received: from mail-yw1-xc44.google.com (mail-yw1-xc44.google.com [IPv6:2607:f8b0:4864:20::c44]) by ymir.das-netzwerkteam.de (Postfix) with ESMTPS id C3D6B5DAF1 for <1373@bugs.x2go.org>; Mon, 18 Feb 2019 12:25:05 +0100 (CET) Received: by mail-yw1-xc44.google.com with SMTP id s204so6308063ywg.2 for <1373@bugs.x2go.org>; Mon, 18 Feb 2019 03:25:05 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=striata.com; s=google2; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=2/OA66gJuVreTh0E/BFLERhTRZbhtizYhuwO8lNOMtE=; b=I2Epp+3lh6Auc+H+gyRQBWW34BjXSAKyW7y0G3geHVEzEIiji7L8RhaD0DtwIfwHf0 EfTe8UgkwWUOWprbLyvmuYVpquKR2YXNjjVUaNYOUYq2q1RHX6949uPlYTsyZVngndZV o7hRr2tXE9DQ3xq61cRpY/Khe0MzAkpeSyw7MAejDQKnuk4O7+XcvJtlzB0LYQIKXcjy GCq2M+rIyhtvbyVlks7BATk03lJaHuQgLrv8XdPqRskV4TBZSRVm4GdkkfubpUuQ/6JS +R8MXNCVoOoMH1EDPsWgyY0rD2ZC6/q3zyEEe6v19eq4OVyjyUPj30T9/BHu15TMC4+3 SvGQ== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=2/OA66gJuVreTh0E/BFLERhTRZbhtizYhuwO8lNOMtE=; b=QKsHDM8yOPlaYft5Th0x0oodoUn5jhifb3xXGi7w6okGvCs6sF2rg/Oxfa/Q07ADYH i217Y8koKjXLmd7UlaMBd9j7hmkeCTT4nuy/UKajWdO93h/47QnDT4RYCNEvTiCtHLUF 1KExKub9ITtZFkjB9nx0Nm2XGqPESTT/v9KEryCBmeEhvhgNSL1gQV4Fnx+cuTyNBG2j qSwKZQPuDZ9IPzCWGept6MCy9YJ/jXh70jUToH5BqW5P3VNpO7BGekBbM3K+BAWi3G++ mXydktog2vLQlzpi7XIgTy7jEVvOH0UN/e8NtAnr1od9iZaaNyB8OnItjC1iU8eOoLF9 3POQ== X-Gm-Message-State: AHQUAubuVHuiCeW76h/JPCW4NLkSwP0tKM9sFECvJHS0oe8QiOZEGK9h qdPiI8QBQ5vMt/BaIGFMl9BdofBnp/MA3ztcbise1Q== X-Google-Smtp-Source: AHgI3IaCf72YkriPxmsUoaqBULWH5XT3rIf83ygjV/Map06USeMRf6ZSB2niUEI+Cb1RuZWpe04sPjluTUrZJcM3l5k= X-Received: by 2002:a0d:dac4:: with SMTP id c187mr18540692ywe.271.1550489104237; Mon, 18 Feb 2019 03:25:04 -0800 (PST) MIME-Version: 1.0 References: <770B1326-8C3F-418C-9EBF-E2861A673325@simbiosi.org> In-Reply-To: <770B1326-8C3F-418C-9EBF-E2861A673325@simbiosi.org> From: Danie de Jager Date: Mon, 18 Feb 2019 13:24:37 +0200 Message-ID: To: Antenore Cc: 1373@bugs.x2go.org, submit@bugs.x2go.org Content-Type: multipart/alternative; boundary="000000000000496228058229604c" --000000000000496228058229604c Content-Type: text/plain; charset="UTF-8" Thanks for your input. Maybe the client ships in a way where it is compiled to only support MACs of hmac-sha1-etm@openssh.com,hmac-sha1 When I add these to my server I can SSH to it and see remote screen with X2GO client. If I change the server's SSHD config and remove the 2 sha1 MACs I can still shh to the server but X2Go client stops working. To get the libssh updated for my OS won't necissarily allow the client to use it if the client was statically compiled using an older version. On Mon, 18 Feb 2019 at 12:22, Antenore wrote: > Package: client > > Hi Daniel, > > I'm just a reader, but X2GO uses libssh, that support the Kex you are > using, so first of all, you have to install an updated version of libssh > and eventually check if it has been compiled with the support of these > algorithms. > > Normally, I think, on the X2GO side there is nothing more to do. > > Have a look here: > > https://www.libssh.org/features/ > > On 18 February 2019 10:07:37 CET, Danie de Jager < > danie.dejager@striata.com> wrote: > >Package: client > > > >The client does not support chacha20 as I get this error when I try to > >connect to the X2Go server. I did harden my SSH configuration as guided > >by > >Mozzila > >https://infosec.mozilla.org/guidelines/openssh > > > >When I use defaults it works fine. It seems that the library used by > >X2Go > >is missing some newer methods. > > > >Config: > >server ssh config: > >KexAlgorithms curve25519-sha256@libssh.org > > >,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,diffie-hellman-group-exchange-sha256 > >Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com, > >aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr > >MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com, > >umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com > > > >Client sshd config: > >Client using default sshd config > > > >or > > > >HashKnownHosts yes > >HostKeyAlgorithms ssh-ed25519-cert-v01@openssh.com, > >ssh-rsa-cert-v01@openssh.com,ssh-ed25519,ssh-rsa, > >ecdsa-sha2-nistp521-cert-v01@openssh.com, > >ecdsa-sha2-nistp384-cert-v01@openssh.com, > >ecdsa-sha2-nistp256-cert-v01@openssh.com > >,ecdsa-sha2-nistp521,ecdsa-sha2-nistp384,ecdsa-sha2-nistp256 > >KexAlgorithms curve25519-sha256@libssh.org > > >,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,diffie-hellman-group-exchange-sha256 > >MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com, > >umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com > >Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com, > >aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr > > > >Error: > >"kex error : no match for method mac algo client->server: server [ > >hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com, > >umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com > ], > >client [hmac-sha1]" > > > >or sometimes > > > >"crypt_set_algorithms2: no crypto algorithm function found for > >chacha20-poly1305@openssh.com" > > > >Let me know if I can provide more information. > > > >Regards, > >*Danie de Jager* > --000000000000496228058229604c Content-Type: text/html; charset="UTF-8" Content-Transfer-Encoding: quoted-printable
T= hanks for your input. Maybe the client ships in a way where it is compiled = to only support MACs of=C2=A0
hmac-sha1-etm@openssh.com,hmac-sha1

When I add these to my s= erver I can SSH to it and see remote screen with X2GO client. If I change t= he server's SSHD config and remove the 2 sha1 MACs I can still shh to t= he server but X2Go client stops working. To get the libssh updated for my O= S won't necissarily allow the client to use it if the client was static= ally=C2=A0compiled using an older version.

On Mon, 18 Feb 2019 = at 12:22, Antenore <antenore@si= mbiosi.org> wrote:
Package: client

Hi Daniel,

I'm just a reader, but X2GO uses libssh, that support the Kex you are using, so first of all, you have to install an updated version of libssh and eventually check if it has been compiled with the support of these
algorithms.

Normally, I think, on the X2GO side there is nothing more to do.

Have a look here:

https://www.libssh.org/features/

On 18 February 2019 10:07:37 CET, Danie de Jager <danie.dejager@striata.com> = wrote:
>Package: client
>
>The client does not support chacha20 as I get this error when I try to<= br> >connect to the X2Go server. I did harden my SSH configuration as guided=
>by
>Mozzila
>https://infosec.mozilla.org/guidelines/openssh=
>
>When I use defaults it works fine. It seems that the library used by >X2Go
>is missing some newer methods.
>
>Config:
>server ssh config:
>KexAlgorithms curve25519-sha256@libssh.org
>,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,diffie-hellma= n-group-exchange-sha256
>Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,
>aes128-gcm@= openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
>MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,
>umac-128-= etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com
>
>Client sshd config:
>Client using default sshd config
>
>or
>
>HashKnownHosts yes
>HostKeyAlgorithms ssh-ed25519-cert-v01@openssh.com,
>ssh-r= sa-cert-v01@openssh.com,ssh-ed25519,ssh-rsa,
>ecdsa-sha2-nistp521-cert-v01@openssh.com,
>ecdsa-sha2-nistp384-cert-v01@openssh.com,
>ecdsa-sha2-nistp256-cert-v01@openssh.com
>,ecdsa-sha2-nistp521,ecdsa-sha2-nistp384,ecdsa-sha2-nistp256
>KexAlgorithms curve25519-sha256@libssh.org
>,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,diffie-hellma= n-group-exchange-sha256
>MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,
>umac-128-= etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com
>Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,
>aes128-gcm@= openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
>
>Error:
>"kex error : no match for method mac algo client->server: serve= r [
>hmac= -sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,
>umac-128-= etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com],
>client [hmac-sha1]"
>
>or sometimes
>
>"crypt_set_algorithms2: no crypto algorithm function found for
>chac= ha20-poly1305@openssh.com"
>
>Let me know if I can provide more information.
>
>Regards,
>*Danie de Jager*
--000000000000496228058229604c--