X2Go Bug report logs - #472
Upgrade SSH key exchange and message authentication code from SHA1 to SHA2

version graph

Package: x2goclient; Maintainer for x2goclient is X2Go Developers <x2go-dev@lists.x2go.org>; Source for x2goclient is src:x2goclient.

Reported by: Aurélien Grosdidier <aurelien.grosdidier@gmail.com>

Date: Thu, 3 Apr 2014 14:35:02 UTC

Severity: important

Found in version 4.0.1.3-1

Full log

Message #32 received at 472@bugs.x2go.org (full text, mbox, reply):

Received: (at 472) by bugs.x2go.org; 13 Oct 2014 23:22:12 +0000
From mikedep333@gmail.com  Tue Oct 14 01:22:11 2014
X-Spam-Checker-Version: SpamAssassin 3.3.2 (2011-06-06) on
	ymir.das-netzwerkteam.de
X-Spam-Level: 
X-Spam-Status: No, score=-0.5 required=5.0 tests=BAYES_05,FREEMAIL_FROM,
	T_DKIM_INVALID,URIBL_BLOCKED autolearn=ham version=3.3.2
Received: from mail-wi0-f178.google.com (mail-wi0-f178.google.com [209.85.212.178])
	by ymir.das-netzwerkteam.de (Postfix) with ESMTPS id 7BA385E09F
	for <472@bugs.x2go.org>; Tue, 14 Oct 2014 01:22:11 +0200 (CEST)
Received: by mail-wi0-f178.google.com with SMTP id h11so5175914wiw.5
        for <472@bugs.x2go.org>; Mon, 13 Oct 2014 16:22:11 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=gmail.com; s=20120113;
        h=mime-version:in-reply-to:references:date:message-id:subject:from:to
         :cc:content-type;
        bh=arXx57tNVITzpHGwKyCRqgtwHbnaSL61D6yaFKgHLdQ=;
        b=SsXfKBvRlxDG5sb7BwoC7hSNXR5RCp4oGFNAiGCgi8luiZT0HXWHefeOMgjS9Vzp2j
         ccZ2pTmatjrlaMFnASIfrSiBYIod2cUNjRWxFNYhsFwkMEu1+WXHBKad4fhtjUqdTBEB
         hN+cbNmv0HHNC3S+qcVYOvfXmYz2Ho5b4gH47BHaHw7aEkVaCHSwa/yE2yFhrF0ywTok
         7sy30TI+AO8g7ClsoZekIT5JfjbjpP3083J9EuLednXVY6goubwOodruomhfeWV/UGSA
         1B65xd7+7LGnrB2lKmRAsqcD3yZxi+2dwZMfc+atq1BwKZpvFwjHR++6D2sWPs2F6++V
         OKpA==
MIME-Version: 1.0
X-Received: by 10.194.61.51 with SMTP id m19mr1294131wjr.15.1413242531099;
 Mon, 13 Oct 2014 16:22:11 -0700 (PDT)
Received: by 10.180.211.11 with HTTP; Mon, 13 Oct 2014 16:22:11 -0700 (PDT)
In-Reply-To: <CAMKht8jV5zW9EtiwHBy2W3WzayBdDQ+AEiR4vTWmyAoEmoVb9g@mail.gmail.com>
References: <20141011204801.Horde.PMP6WPnVUe8IpbJWVualAQ4@mail.das-netzwerkteam.de>
	<543BD4D8.5060309@phoca-gmbh.de>
	<CAMKht8jV5zW9EtiwHBy2W3WzayBdDQ+AEiR4vTWmyAoEmoVb9g@mail.gmail.com>
Date: Mon, 13 Oct 2014 19:22:11 -0400
Message-ID: <CAMKht8jFv9iVvB-L9MQWSu-xczOwnEQgZM9S=b5Mp1GEgMmE1g@mail.gmail.com>
Subject: Re: [X2Go-Dev] Bug#472: Bug#472: Bug#472: Debian now has
 diffie-hellman-group1-sha1 disabled
From: Michael DePaulo <mikedep333@gmail.com>
To: Oleksandr Shneyder <o.shneyder@phoca-gmbh.de>, 472@bugs.x2go.org, 
	Mike Gabriel <mike.gabriel@das-netzwerkteam.de>
Cc: o.schneyder@phoca-gmbh.de, Alex DEKKER <bugs@ale.cx>
Content-Type: text/plain; charset=UTF-8

On Mon, Oct 13, 2014 at 3:33 PM, Michael DePaulo <mikedep333@gmail.com> wrote:
> [...]
>
> Looking through the libssh git logs, it appears that libssh 0.6 was
> the first version to add support for a non-sha1 key exchange method,
> ecdh_sha2_nistp256 [1].
>
> 0.6 also added support for curve25519-sha256@libssh.org [1].
>
> In a few hours or so, I will test if using a libssh 0.6.x linked
> version of x2goclient fixes this bug.
>
> Jessie does include libssh 0.6.3 (Thanks to our DD, Mike#1)[2].
>
> -Mike#2
>
> [1] http://git.libssh.org/projects/libssh.git/log/?id=libssh-0.6.0&qt=grep&q=sha2
> [2] https://packages.debian.org/jessie/libssh-4

The bad news:
I can confirm that X2Go Client for Windows 4.0.2.1+hotfix+build6 (and
all prior versions/builds) ARE AFFECTED by this bug and ARE UNABLE to
connect to a Debian Jessie server with openssh-server 6.7p1-2 (from
sid) installed. Said version of X2go Client for Windows bundles and
uses libssh 0.5.5.

The good news:
I can confirm that X2Go Client for Windows 4.0.3.0 nightly builds
(mingw 4.8 tested) ARE NOT AFFECTED by this bug and ARE ABLE to
connect to a Debian Jessie server with openssh-server 6.7p1-2 (from
sid) installed. Said version of X2Go Client bundles and uses libssh
0.6.3.

See bug #590 for the details on X2Go Client for Windows having libssh
upgraded to 0.6.x during 4.0.3.0's development cycle.

-Mike#2

Send a report that this bug log contains spam.

X2Go Developers <owner@bugs.x2go.org>. Last modified: Fri Apr 19 12:22:05 2024; Machine Name: ymir.das-netzwerkteam.de

X2Go Bug tracking system

Debbugs is free software and licensed under the terms of the GNU Public License version 2. The current version can be obtained from https://bugs.debian.org/debbugs-source/.

Copyright © 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson, 2005-2017 Don Armstrong, and many other contributors.