From unknown Sun Apr 12 21:17:16 2026
X-Loop: owner@bugs.x2go.org
Subject: Bug#472: Upgrade SSH key exchange and message authentication code from SHA1 to SHA2
Reply-To: =?UTF-8?Q?Aur=C3=A9lien?= Grosdidier <aurelien.grosdidier@gmail.com>, 472@bugs.x2go.org
Resent-From: =?UTF-8?Q?Aur=C3=A9lien?= Grosdidier <aurelien.grosdidier@gmail.com>
Resent-To: x2go-dev@lists.berlios.de
Resent-CC: X2Go Developers <x2go-dev@lists.berlios.de>
X-Loop: owner@bugs.x2go.org
Resent-Date: Thu, 03 Apr 2014 14:35:02 +0000
Resent-Message-ID: <handler.472.B.139653540219972@bugs.x2go.org>
Resent-Sender: owner@bugs.x2go.org
X-X2Go-PR-Message: report 472
X-X2Go-PR-Package: x2goclient
X-X2Go-PR-Keywords: 
Received: via spool by submit@bugs.x2go.org id=B.139653540219972
          (code B); Thu, 03 Apr 2014 14:35:02 +0000
Received: (at submit) by bugs.x2go.org; 3 Apr 2014 14:30:02 +0000
X-Spam-Checker-Version: SpamAssassin 3.3.2 (2011-06-06) on
	ymir.das-netzwerkteam.de
X-Spam-Level: 
X-Spam-Status: No, score=0.0 required=5.0 tests=BAYES_40,FREEMAIL_FROM,
	T_DKIM_INVALID,URIBL_BLOCKED autolearn=ham version=3.3.2
Received: from mail-wi0-f172.google.com (mail-wi0-f172.google.com [209.85.212.172])
	by ymir (Postfix) with ESMTPS id 30E455DB20
	for <submit@bugs.x2go.org>; Thu,  3 Apr 2014 16:30:01 +0200 (CEST)
Received: by mail-wi0-f172.google.com with SMTP id hi2so7869730wib.11
        for <submit@bugs.x2go.org>; Thu, 03 Apr 2014 07:30:00 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=gmail.com; s=20120113;
        h=message-id:date:from:user-agent:mime-version:to:subject
         :content-type;
        bh=HXoQRUPGNr9l1QkPH7wuHBrSnbhn1ZVQB/RMHet0RRI=;
        b=wWKiYJ+XWwbNbSWiLAlL+1vWbh3AIORTybKd+JbUBS1Q8XDUheAK4ipyysJr3d6eTz
         +zsAUe6xukSUuCYAxU2GT+Fz4HfQJ9AtdrQy8vzKhVewuc7c+WFRmU/6D7LaAalqQHft
         aQ0kncDnLfkeL6qF+H+LiuNU9kO1vPsEnYFBiNhWfcESPrOlzsPktx6FryWcEV2JMl8M
         rzUVve9epr1qPGxWzljw6tOhkS3phPknZ0lenQd8LfhnwCjJbo+AUe9xXWtS7nV4AuxS
         QuQMKGbqTv+0E7SKjnS9Eh3orH5VSLv57fgOA0gfIi7LCLjX4gdCQ5Y4JAgZGniJsWAN
         QmCg==
X-Received: by 10.180.39.173 with SMTP id q13mr11731773wik.26.1396535400581;
        Thu, 03 Apr 2014 07:30:00 -0700 (PDT)
Received: from [192.168.0.10] (latitude77.org. [78.212.28.115])
        by mx.google.com with ESMTPSA id t1sm1435905wia.1.2014.04.03.07.29.58
        for <submit@bugs.x2go.org>
        (version=TLSv1 cipher=ECDHE-RSA-RC4-SHA bits=128/128);
        Thu, 03 Apr 2014 07:29:58 -0700 (PDT)
Message-ID: <533D7062.2090803@gmail.com>
Date: Thu, 03 Apr 2014 16:29:54 +0200
From: =?UTF-8?Q?Aur=C3=A9lien?= Grosdidier
 <aurelien.grosdidier@gmail.com>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:24.0) Gecko/20100101 Thunderbird/24.4.0
MIME-Version: 1.0
To: submit@bugs.x2go.org
X-Enigmail-Version: 1.6
Content-Type: multipart/signed; micalg=pgp-sha512;
 protocol="application/pgp-signature";
 boundary="hQWVFn6DLvLwSm5T57tun55jOUBNGtnJN"

This is an OpenPGP/MIME signed message (RFC 4880 and 3156)
--hQWVFn6DLvLwSm5T57tun55jOUBNGtnJN
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: quoted-printable

Package: x2goclient
Version: 4.0.1.3-1

When establishing the connection to a server, x2goclient rely on
diffie-hellman-group1-sha1 and hmac-sha1 as key exchange algorithm and
message authentication code, respectively. Unfortunately, SHA1 can't be
considered that safe:

- https://www.schneier.com/blog/archives/2005/02/cryptanalysis_o.html
- http://csrc.nist.gov/groups/ST/toolkit/secure_hashing.html

As a consequence, the connection of x2goclient to an hardened SSH server
(ie. not supporting SHA1) fails:

 kex error : did not find one of algos diffie-hellman-group1-sha1 in
list ...
 kex error : did not find one of algos hmac-sha1 in list ...

This problem could be solved:
- either by using SHA2 KexAlgorithms and MACs in x2goclient
- or by allowing users to choose between SHA1 or SHA2 hash functions


--hQWVFn6DLvLwSm5T57tun55jOUBNGtnJN
Content-Type: application/pgp-signature; name="signature.asc"
Content-Description: OpenPGP digital signature
Content-Disposition: attachment; filename="signature.asc"

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.22 (GNU/Linux)
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/

iQIcBAEBCgAGBQJTPXBlAAoJEF25vWdzB3fIFQQQAIyGi+ibC0ilEuKjgrLtfORr
qNvvU8Z2Cumq0GAnuZe6+e11HD5NXz9fD1p8iYNevJjUdHKeMDh/sZm9ipHRJvdl
/cTWnUOw9DuQIZfDKbOavxxoLxEkGbRDO0B4thm8NBuJJ2pSEHD6TRDq98N4z0ZS
TIDwNQG4tgkQjbh6BEusE3dWzvctdR00C9FH6sHIHusa+E9jURstk3LZYuRQWZVS
+Gu4XjnwDnIrjS+LoSxVwhCu+fV73vIx7W2Gq7IHYyhTFoRv45gHWZgZ5eJrVRV9
MQXoSAhUxyAFNpRpIiHBjaCf1kmYIkXr0sZNicBSLwsFl2mm47Wx2uMG40IucPy0
YCoJ6ls3WmgFTGKvCjjDwCbh0bSkAH+LTljbqKpTy0dl7lDx7vuleWKRnH+ERdHd
RAvtp2JCIYWT/uiFEka/Q3dZnpe4kkFLgYhdWS6vZRLulEO3aWY5D4OuxquoDsHV
MlOzK2nmnACbL+YCV4o7YSMfN3Jlpn/Xfevyjyr+wntA8EK0SeUas8nCzGqdrysH
intfn4Da+BEaDMXvqMQCbTMGWDuflQ/4euAfByU/oZhFNNhbSe7rAZOK6aFEH1A9
7gyR4mjvA/HC4yopu9W2Y3a6GC6izOlOqsdf/Ij3btdPFRtPvYO2Ti4rF2hZ++m9
dAqqYEVSTJ6E11hqMlLf
=PVmN
-----END PGP SIGNATURE-----

--hQWVFn6DLvLwSm5T57tun55jOUBNGtnJN--