X2Go Bug report logs - #472
Upgrade SSH key exchange and message authentication code from SHA1 to SHA2

Package: x2goclient; Maintainer for x2goclient is X2Go Developers <x2go-dev@lists.x2go.org>; Source for x2goclient is src:x2goclient.

Reported by: Aurélien Grosdidier <aurelien.grosdidier@gmail.com>

Date: Thu, 3 Apr 2014 14:35:02 UTC

Severity: important

Found in version 4.0.1.3-1


Message #27 received at 472@bugs.x2go.org:

Received: (at 472) by bugs.x2go.org; 13 Oct 2014 19:33:17 +0000
From mikedep333@gmail.com  Mon Oct 13 21:33:16 2014
In-Reply-To: <543BD4D8.5060309@phoca-gmbh.de>
References: <20141011204801.Horde.PMP6WPnVUe8IpbJWVualAQ4@mail.das-netzwerkteam.de>
	<543BD4D8.5060309@phoca-gmbh.de>
Date: Mon, 13 Oct 2014 15:33:15 -0400
Message-ID: <CAMKht8jV5zW9EtiwHBy2W3WzayBdDQ+AEiR4vTWmyAoEmoVb9g@mail.gmail.com>
Subject: Re: [X2Go-Dev] Bug#472: Bug#472: Debian now has diffie-hellman-group1-sha1
 disabled
From: Michael DePaulo <mikedep333@gmail.com>
To: Oleksandr Shneyder <o.shneyder@phoca-gmbh.de>, 472@bugs.x2go.org
Cc: Mike Gabriel <mike.gabriel@das-netzwerkteam.de>, Alex DEKKER <bugs@ale.cx>, 
	o.schneyder@phoca-gmbh.de
Content-Type: text/plain; charset=UTF-8

On Mon, Oct 13, 2014 at 9:34 AM, Oleksandr Shneyder <o.shneyder@phoca-gmbh.de> wrote:
> And why is it a problem for X2Go? Is libssh not working any more? Then
> it should be fixed in libssh, not in x2go?
>
> On 11.10.2014 22:48, Mike Gabriel wrote:
>> Control: severity -1 important
>>
>> Hi Alex (DEKKER), hi Alex (Schneyder),
>>
>> On Sat 11 Oct 2014 13:07:00 CEST, Alex DEKKER wrote:
>>
>>> As of Version: 1:6.7p1-1 of openssh-server, it appears that Debian
>>> [and presumably upstream]'s sshd now has diffie-hellman-group1-sha1
>>> disabled. This means that connections from x2goclient will fail.
>>>
>>> I was able to work around this by adding:
>>>
>>> KexAlgorithms curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha1,diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1
>>>
>>>
>>> to /etc/ssh/sshd_config, but obviously at some point support for
>>> diffie-hellman-group1-sha1 is going to go away completely, rather than
>>> just being disabled by default.
>>
>> Thanks for bringing this up. Did not realize so far.
>>
>> @Alex Schneyder: do you think you can find a fix for this? This actually
>> is a release blocker of 4.0.3.0... And it endangers the status of X2Go
>> Client in Debian, as well.
>>
>> Mike
[...]

Looking through the libssh git logs, it appears that libssh 0.6 was
the first version to add support for a non-sha1 key exchange method,
ecdh_sha2_nistp256 [1].

0.6 also added support for curve25519-sha256@libssh.org [1].

In a few hours or so, I will test if using a libssh 0.6.x linked
version of x2goclient fixes this bug.

Jessie does include libssh 0.6.3 (Thanks to our DD, Mike#1)[2].

-Mike#2

[1] http://git.libssh.org/projects/libssh.git/log/?id=libssh-0.6.0&qt=grep&q=sha2
[2] https://packages.debian.org/jessie/libssh-4
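
Added example, not part of the original message and not code from X2Go, libssh or OpenSSH: it parses the KexAlgorithms workaround quoted above, flags the SHA-1 based methods, and applies a simplified form of the SSH negotiation rule (first method on the client's list that the server also lists) to show why a client offering only diffie-hellman-group1-sha1 stops connecting once that method is dropped. The client offer lists and the "hardened" server list are constructed assumptions.

```python
# Added illustration; sample config is constructed from the workaround line in the report.
SSHD_CONFIG_WORKAROUND = """\
# /etc/ssh/sshd_config (constructed sample)
KexAlgorithms curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha1,diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1
"""

def parse_kex(config_text):
    """Return the KexAlgorithms list; sshd uses the first occurrence of a keyword."""
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments
        parts = line.split(None, 1)
        if len(parts) == 2 and parts[0].lower() == "kexalgorithms":
            return [a.strip() for a in parts[1].split(",") if a.strip()]
    return []

def audit(algorithms):
    """Map each SHA-1 based method to the reason it should be phased out."""
    findings = {}
    for alg in algorithms:
        if alg.endswith("-sha1"):
            reason = "SHA-1 hash"
            if alg == "diffie-hellman-group1-sha1":
                reason += ", fixed 1024-bit group"
            findings[alg] = reason
    return findings

def negotiate(client_offer, server_list):
    """Simplified RFC 4253 rule: first client method the server also lists."""
    for alg in client_offer:
        if alg in server_list:
            return alg
    return None  # no common method: the connection fails during key exchange

# Assumption: a legacy client offering only the method named in the report.
LEGACY_CLIENT = ["diffie-hellman-group1-sha1"]
# Assumption: a client that also offers the two methods attributed to libssh 0.6.
NEWER_CLIENT = ["curve25519-sha256@libssh.org", "ecdh-sha2-nistp256",
                "diffie-hellman-group1-sha1"]

if __name__ == "__main__":
    workaround = parse_kex(SSHD_CONFIG_WORKAROUND)
    flagged = audit(workaround)
    hardened = [a for a in workaround if a not in flagged]  # constructed server list
    print("flagged:", flagged)
    print("legacy vs workaround:", negotiate(LEGACY_CLIENT, workaround))
    print("legacy vs hardened:  ", negotiate(LEGACY_CLIENT, hardened))
    print("newer vs hardened:   ", negotiate(NEWER_CLIENT, hardened))
```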



X2Go Developers <owner@bugs.x2go.org>. Last modified: Thu Nov 21 15:39:06 2024; Machine Name: ymir.das-netzwerkteam.de
