X2Go Bug report logs - #472
Upgrade SSH key exchange and message authentication code from SHA1 to SHA2

version graph

Package: x2goclient; Maintainer for x2goclient is X2Go Developers <x2go-dev@lists.x2go.org>; Source for x2goclient is src:x2goclient.

Reported by: Aurélien Grosdidier <aurelien.grosdidier@gmail.com>

Date: Thu, 3 Apr 2014 14:35:02 UTC

Severity: important

Found in version 4.0.1.3-1

Full log


Message #5 received at submit@bugs.x2go.org (full text, mbox, reply):

Received: (at submit) by bugs.x2go.org; 3 Apr 2014 14:30:02 +0000
From aurelien.grosdidier@gmail.com  Thu Apr  3 16:30:01 2014
X-Spam-Checker-Version: SpamAssassin 3.3.2 (2011-06-06) on
	ymir.das-netzwerkteam.de
X-Spam-Level: 
X-Spam-Status: No, score=0.0 required=5.0 tests=BAYES_40,FREEMAIL_FROM,
	T_DKIM_INVALID,URIBL_BLOCKED autolearn=ham version=3.3.2
Received: from mail-wi0-f172.google.com (mail-wi0-f172.google.com [209.85.212.172])
	by ymir (Postfix) with ESMTPS id 30E455DB20
	for <submit@bugs.x2go.org>; Thu,  3 Apr 2014 16:30:01 +0200 (CEST)
Received: by mail-wi0-f172.google.com with SMTP id hi2so7869730wib.11
        for <submit@bugs.x2go.org>; Thu, 03 Apr 2014 07:30:00 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=gmail.com; s=20120113;
        h=message-id:date:from:user-agent:mime-version:to:subject
         :content-type;
        bh=HXoQRUPGNr9l1QkPH7wuHBrSnbhn1ZVQB/RMHet0RRI=;
        b=wWKiYJ+XWwbNbSWiLAlL+1vWbh3AIORTybKd+JbUBS1Q8XDUheAK4ipyysJr3d6eTz
         +zsAUe6xukSUuCYAxU2GT+Fz4HfQJ9AtdrQy8vzKhVewuc7c+WFRmU/6D7LaAalqQHft
         aQ0kncDnLfkeL6qF+H+LiuNU9kO1vPsEnYFBiNhWfcESPrOlzsPktx6FryWcEV2JMl8M
         rzUVve9epr1qPGxWzljw6tOhkS3phPknZ0lenQd8LfhnwCjJbo+AUe9xXWtS7nV4AuxS
         QuQMKGbqTv+0E7SKjnS9Eh3orH5VSLv57fgOA0gfIi7LCLjX4gdCQ5Y4JAgZGniJsWAN
         QmCg==
X-Received: by 10.180.39.173 with SMTP id q13mr11731773wik.26.1396535400581;
        Thu, 03 Apr 2014 07:30:00 -0700 (PDT)
Received: from [192.168.0.10] (latitude77.org. [78.212.28.115])
        by mx.google.com with ESMTPSA id t1sm1435905wia.1.2014.04.03.07.29.58
        for <submit@bugs.x2go.org>
        (version=TLSv1 cipher=ECDHE-RSA-RC4-SHA bits=128/128);
        Thu, 03 Apr 2014 07:29:58 -0700 (PDT)
Message-ID: <533D7062.2090803@gmail.com>
Date: Thu, 03 Apr 2014 16:29:54 +0200
From: Aurélien Grosdidier
 <aurelien.grosdidier@gmail.com>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:24.0) Gecko/20100101 Thunderbird/24.4.0
MIME-Version: 1.0
To: submit@bugs.x2go.org
Subject: Upgrade SSH key exchange and message authentication code from SHA1
 to SHA2
X-Enigmail-Version: 1.6
Content-Type: multipart/signed; micalg=pgp-sha512;
 protocol="application/pgp-signature";
 boundary="hQWVFn6DLvLwSm5T57tun55jOUBNGtnJN"
[Message part 1 (text/plain, inline)]
Package: x2goclient
Version: 4.0.1.3-1

When establishing the connection to a server, x2goclient rely on
diffie-hellman-group1-sha1 and hmac-sha1 as key exchange algorithm and
message authentication code, respectively. Unfortunately, SHA1 can't be
considered that safe:

- https://www.schneier.com/blog/archives/2005/02/cryptanalysis_o.html
- http://csrc.nist.gov/groups/ST/toolkit/secure_hashing.html

As a consequence, the connection of x2goclient to an hardened SSH server
(ie. not supporting SHA1) fails:

 kex error : did not find one of algos diffie-hellman-group1-sha1 in
list ...
 kex error : did not find one of algos hmac-sha1 in list ...

This problem could be solved:
- either by using SHA2 KexAlgorithms and MACs in x2goclient
- or by allowing users to choose between SHA1 or SHA2 hash functions

[signature.asc (application/pgp-signature, attachment)]

Send a report that this bug log contains spam.


X2Go Developers <owner@bugs.x2go.org>. Last modified: Thu Nov 21 14:45:23 2024; Machine Name: ymir.das-netzwerkteam.de

X2Go Bug tracking system

Debbugs is free software and licensed under the terms of the GNU Public License version 2. The current version can be obtained from https://bugs.debian.org/debbugs-source/.

Copyright © 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson, 2005-2017 Don Armstrong, and many other contributors.