X2Go Bug report logs - #472
Upgrade SSH key exchange and message authentication code from SHA1 to SHA2

Package: x2goclient; Maintainer for x2goclient is X2Go Developers <x2go-dev@lists.x2go.org>; Source for x2goclient is src:x2goclient.

Reported by: Aurélien Grosdidier <aurelien.grosdidier@gmail.com>

Date: Thu, 3 Apr 2014 14:35:02 UTC

Severity: important

Found in version 4.0.1.3-1

Message #47 received at 472@bugs.x2go.org:

Date: Fri, 17 Oct 2014 08:37:41 +0000
From: Mike Gabriel <mike.gabriel@das-netzwerkteam.de>
To: Michael DePaulo <mikedep333@gmail.com>
Cc: Oleksandr Shneyder <o.shneyder@phoca-gmbh.de>, 472@bugs.x2go.org, Alex
 DEKKER <bugs@ale.cx>, o.schneyder@phoca-gmbh.de
Subject: Re: [X2Go-Dev] Bug#472: Bug#472: Debian now has
 diffie-hellman-group1-sha1 disabled
[Message part 1 (text/plain, inline)]
Hi Alex, hi Mike#2,

On Mon 13 Oct 2014 21:33:15 CEST, Michael DePaulo wrote:

> On Mon, Oct 13, 2014 at 9:34 AM, Oleksandr Shneyder
> <o.shneyder@phoca-gmbh.de> wrote:
>> And why is it a problem for X2Go? Is libssh not working any more? Then
>> it should be fixed in libssh, not in x2go?
>>
>> On 11.10.2014 22:48, Mike Gabriel wrote:
>>> Control: severity -1 important
>>>
>>> Hi Alex (DEKKER), hi Alex (Schneyder),
>>>
>>> On Sat 11 Oct 2014 13:07:00 CEST, Alex DEKKER wrote:
>>>
>>>> As of Version: 1:6.7p1-1 of openssh-server, it appears that Debian
>>>> [and presumably upstream]'s sshd now has diffie-hellman-group1-sha1
>>>> disabled. This means that connections from x2goclient will fail.
>>>>
>>>> I was able to work around this by adding:
>>>>
>>>> KexAlgorithms curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha1,diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1
>>>>
>>>>
>>>> to /etc/ssh/sshd_config, but obviously at some point support for
>>>> diffie-hellman-group1-sha1 is going to go away completely, rather than
>>>> just being disabled by default.
>>>
>>> Thanks for bringing this up. Did not realize so far.
>>>
>>> @Alex Schneyder: do you think you can find a fix for this? This actually
>>> is a release blocker of 4.0.3.0... And it endangers the status of X2Go
>>> Client in Debian, as well.
>>>
>>> Mike
> [...]
>
> Looking through the libssh git logs, it appears that libssh 0.6 was
> the first version to add support for a non-sha1 key exchange method,
> ecdh_sha2_nistp256 [1].
>
> 0.6 also added support for curve25519-sha256@libssh.org [1].
>
> In a few hours or so, I will test if using a libssh 0.6.x linked
> version of x2goclient fixes this bug.
>
> Jessie does include libssh 0.6.3 (Thanks to our DD, Mike#1)[2].
>
> -Mike#2

The issue is a non-issue on distributions with libssh 0.6.x provided.

See yesterday's post of mine to x2go-user [1].

Mike

[1] http://permalink.gmane.org/gmane.linux.terminal-server.x2go.user/2368


-- 

DAS-NETZWERKTEAM
mike gabriel, herweg 7, 24357 fleckeby
fon: +49 (1520) 1976 148

GnuPG Key ID 0x25771B31
mail: mike.gabriel@das-netzwerkteam.de, http://das-netzwerkteam.de

freeBusy:
https://mail.das-netzwerkteam.de/freebusy/m.gabriel%40das-netzwerkteam.de.xfb
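
Added example, not part of the thread or of X2Go/libssh code: a small model of the key-exchange negotiation discussed above, run against the KexAlgorithms workaround from the report and against the same list without diffie-hellman-group1-sha1. The two client offer lists and both sshd_config fragments are constructed assumptions based on what the thread states, and the negotiation rule is simplified to "first client algorithm the server also lists".

```python
# Added example (not from the thread): which key exchange would be negotiated?
# KexAlgorithms value quoted in the report's sshd_config workaround.
REPORTED_KEX = [
    "curve25519-sha256@libssh.org", "ecdh-sha2-nistp256", "ecdh-sha2-nistp384",
    "ecdh-sha2-nistp521", "diffie-hellman-group-exchange-sha256",
    "diffie-hellman-group14-sha1", "diffie-hellman-group-exchange-sha1",
    "diffie-hellman-group1-sha1",
]
# Constructed sshd_config fragments: the workaround, and the same list with
# diffie-hellman-group1-sha1 left out (the situation that broke x2goclient).
WORKAROUND_CONFIG = "# constructed sample\nPort 22\nKexAlgorithms " + ",".join(REPORTED_KEX) + "\n"
STRICT_CONFIG = "# constructed sample\nkexalgorithms " + ",".join(REPORTED_KEX[:-1]) + "\n"

# Assumed client offers, in preference order (not taken from libssh source).
OLD_CLIENT = ["diffie-hellman-group1-sha1"]
NEW_CLIENT = ["curve25519-sha256@libssh.org", "ecdh-sha2-nistp256",
              "diffie-hellman-group1-sha1"]


def server_kex(config_text):
    """Return the KexAlgorithms list from sshd_config text, or None if unset.

    Keywords are case-insensitive and the first value found is the one used.
    """
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if parts[0].lower() == "kexalgorithms" and len(parts) == 2:
            return [a.strip() for a in parts[1].split(",") if a.strip()]
    return None


def negotiate(client, server):
    """Simplified RFC 4253 rule: first client algorithm the server also lists."""
    return next((alg for alg in client if alg in server), None)


def audit(client, config_text):
    """Report the negotiated kex and whether it still relies on SHA-1."""
    server = server_kex(config_text)
    if server is None:
        return {"chosen": None, "sha1": False, "explicit": False}
    chosen = negotiate(client, server)
    sha1 = chosen is not None and chosen.endswith("-sha1")
    return {"chosen": chosen, "sha1": sha1, "explicit": True}
```

A result with "chosen" set to None corresponds to the connection failure described in the report; "sha1" set to True marks a session that only works because a SHA-1 key exchange is still enabled on the server.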
X2Go Developers <owner@bugs.x2go.org>. Last modified: Sat Nov 23 21:12:55 2024; Machine Name: ymir.das-netzwerkteam.de