Subject: Bug#472: [X2Go-Dev] Bug#472: Bug#472: Debian now has diffie-hellman-group1-sha1 disabled
From: Mike Gabriel
To: Michael DePaulo
Cc: Oleksandr Shneyder, 472@bugs.x2go.org, Alex DEKKER, o.schneyder@phoca-gmbh.de
Date: Fri, 17 Oct 2014 08:37:41 +0000
X-X2Go-PR-Package: x2goclient

Hi Alex, hi Mike#2,

On Mon 13 Oct 2014 21:33:15 CEST, Michael DePaulo wrote:

> On Mon, Oct 13, 2014 at 9:34 AM, Oleksandr Shneyder wrote:
>> And why is it a problem for X2Go? Is libssh not working any more? Then
>> it should be fixed in libssh, not in x2go?
>>
>> On 11.10.2014 22:48, Mike Gabriel wrote:
>>> Control: severity -1 important
>>>
>>> Hi Alex (DEKKER), hi Alex (Schneyder),
>>>
>>> On Sat 11 Oct 2014 13:07:00 CEST, Alex DEKKER wrote:
>>>
>>>> As of Version: 1:6.7p1-1 of openssh-server, it appears that Debian
>>>> [and presumably upstream]'s sshd now has diffie-hellman-group1-sha1
>>>> disabled. This means that connections from x2goclient will fail.
>>>>
>>>> I was able to work around this by adding:
>>>>
>>>> KexAlgorithms curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha1,diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1
>>>>
>>>> to /etc/ssh/sshd_config, but obviously at some point support for
>>>> diffie-hellman-group1-sha1 is going to go away completely, rather than
>>>> just being disabled by default.
>>>
>>> Thanks for bringing this up. Did not realize so far.
>>>
>>> @Alex Schneyder: do you think you can find a fix for this? This actually
>>> is a release blocker of 4.0.3.0... And it endangers the status of X2Go
>>> Client in Debian, as well.
>>>
>>> Mike
> [...]
>
> Looking through the libssh git logs, it appears that libssh 0.6 was
> the first version to add support for a non-sha1 key exchange method,
> ecdh_sha2_nistp256 [1].
>
> 0.6 also added support for curve25519-sha256@libssh.org [1].
>
> In a few hours or so, I will test if using a libssh 0.6.x linked
> version of x2goclient fixes this bug.
>
> Jessie does include libssh 0.6.3 (Thanks to our DD, Mike#1)[2].
>
> -Mike#2

The issue is a non-issue on distributions with libssh 0.6.x provided.
See yesterday's post of mine to x2go-user [1].

Mike

[1] http://permalink.gmane.org/gmane.linux.terminal-server.x2go.user/2368

-- 
DAS-NETZWERKTEAM
mike gabriel, herweg 7, 24357 fleckeby
fon: +49 (1520) 1976 148

GnuPG Key ID 0x25771B31
mail: mike.gabriel@das-netzwerkteam.de, http://das-netzwerkteam.de

freeBusy: https://mail.das-netzwerkteam.de/freebusy/m.gabriel%40das-netzwerkteam.de.xfb
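
Added example, not part of the original message and not code from X2Go, libssh or OpenSSH: a simplified model of SSH key-exchange selection (RFC 4253 section 7.1, ignoring host-key constraints) run against the KexAlgorithms line quoted in the thread. The two client offers, the "group1 disabled" server list and all function names are constructed assumptions for illustration.

```python
# Added example: SSH kex selection (RFC 4253 section 7.1, simplified) against
# an sshd_config KexAlgorithms line. Client offers are constructed assumptions.

WORKAROUND = (  # the list quoted in the bug report
    "curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,"
    "ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,"
    "diffie-hellman-group14-sha1,diffie-hellman-group-exchange-sha1,"
    "diffie-hellman-group1-sha1"
)
# Constructed stand-in for a server with group1 disabled: the same list minus it.
GROUP1_DISABLED = WORKAROUND.rsplit(",", 1)[0]
# Constructed client offers (assumptions, not taken from libssh source):
SHA1_ONLY_CLIENT = ["diffie-hellman-group1-sha1"]
NEWER_CLIENT = ["curve25519-sha256@libssh.org", "ecdh-sha2-nistp256",
                "diffie-hellman-group1-sha1"]


def parse_kex(config_text):
    """Return the first KexAlgorithms list in sshd_config text, or None."""
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) == 2 and parts[0].lower() == "kexalgorithms":
            return [a.strip() for a in parts[1].split(",") if a.strip()]
    return None


def negotiate(client_offer, server_offer):
    """First method on the client's list that the server also lists, else None."""
    server = set(server_offer)
    return next((alg for alg in client_offer if alg in server), None)


def sha1_methods(algorithms):
    """Methods whose exchange hash is SHA-1, worth flagging in a config review."""
    return [alg for alg in algorithms if alg.endswith("-sha1")]


if __name__ == "__main__":
    for label, cfg in (("group1 disabled", GROUP1_DISABLED), ("workaround", WORKAROUND)):
        server = parse_kex("# constructed sshd_config\nKexAlgorithms " + cfg + "\n")
        for name, offer in (("sha1-only", SHA1_ONLY_CLIENT), ("newer", NEWER_CLIENT)):
            print(label, name, "->", negotiate(offer, server) or "no common kex")
        print(label, "SHA-1 methods:", sha1_methods(server))
```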