[X2Go-Dev] Bug#1202: kex error : no match for method mac algo client->server: server [hmac-sha2-256, hmac-sha2-512], client [hmac-sha1]

Mihai Moldovan ionic at ionic.de
Fri Sep 1 06:49:41 CEST 2017


On 08/30/2017 09:09 PM, J. M. van Bilsen wrote:
> 
> Package: x2goclient 
> Version: 4.0.5.1-1

First off: I will likely close this issue report, since there's nothing we could
do about this. More about that later.


>  $ cat /etc/lsb-release 
> DISTRIB_ID=LinuxMint
> DISTRIB_RELEASE=18.1
> DISTRIB_CODENAME=serena
> DISTRIB_DESCRIPTION="Linux Mint 18.1 Serena"

So you're using Linux Mint 18.1. Am I correct to assume this is the Ubuntu-based
version?


>  $ dpkg --list | grep x2goclient
> ii  x2goclient  4.0.5.1-1  amd64  X2Go Client application (Qt4)

Where is this package coming from? It doesn't seem to be from any of our
repositories, so the report is bogus at best and should have been reported upstream.

I'm not saying this to be mean, but merely because we have no control over this
repository and what it contains.

What would be more relevant in this situation is information about the libssh
(note: *not* libssh2) package.


> WARNING my assumption is this problem will be on all x2goclient
> programs.

It is and it is not. It highly depends on the libssh version x2goclient was
built against and uses at run time (though strictly speaking, as long as the
soversion is compatible, these two things can differ.)

Generally, and as I've explained countless times on mailing lists already, the
algorithms "supported" by X2Go Client boil down to what the underlying libssh
software supports. Sadly, this differs highly between versions. Older versions
(0.5.x and below) typically do not support a wide range of algorithms, be that
MAC or even key algorithms.

Support for these SHA2-based MAC algorithms, according to
https://www.libssh.org/features/, is available, but typically only in versions
0.7.x and higher. I'd have to look up the actual version number that brought the
changes, but chances are that your libssh version is just too old.


> After change of the security settings on sshd we cannot connect using
> x2go.
> Using port forwarding ssh -L 9999:localhost:22 someremotehost then
> letting x2goclient connect to localhost port 9999 works.
>
> Settings in sshd_config
> 
> MACs hmac-sha2-256,hmac-sha2-512

Yeah, you disabled SHA1-based MACs. No wonder you see this problem...


> kex error : no match for method mac algo client->server: server [hmac-sha2-256,hmac-sha2-512], client [hmac-sha1]
> 
> My assumption is client is configured using hmac-sha1 as default

Actual explanation is above. If SHA2-based MACs were supported by your libssh
version, it would have worked.


> Problem does not surface using ssh or ssh port forwarding.
> 
> Problem can be easily reproduced using raspberry with mathe and MACs
> hmac-sha2-256,hmac-sha2-512 in sshd_config
> 
> Problem also surfaces with different ssh proxy servers having the MACs
> setting. As stated before normal connection on ssh or using port
> forwarding no problem.

And that's for another reason - OpenSSH is a completely different implementation
of the SSH protocol. Since X2Go Client is not using OpenSSH, but libssh, that
test sadly isn't too meaningful.



Mihai
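
The negotiation failure discussed in this message, as an added example that is not part of the original e-mail and is not X2Go or libssh code: RFC 4253 section 7.1 picks the first algorithm on the client's list that the server also offers, so a server restricted to SHA2-based MACs cannot agree with a client that only offers `hmac-sha1`. The client names and the second client's offer list are constructed; the failure text is modelled on the error quoted in the report.

```python
"""MAC negotiation per RFC 4253 section 7.1, run against an sshd_config MACs line."""

class NoMatch(Exception):
    """Raised when client and server share no algorithm for a method."""

def parse_name_list(value):
    """Split a comma-separated SSH name-list into algorithm names."""
    return [name.strip() for name in value.split(",") if name.strip()]

def negotiate(method, client, server):
    """Pick the first algorithm on the client's list that the server also offers."""
    for algo in client:
        if algo in server:
            return algo
    raise NoMatch(f"no match for method {method}: "
                  f"server [{','.join(server)}], client [{','.join(client)}]")

def macs_from_sshd_config(text):
    """Return the explicit MACs list (first occurrence wins), or None if unset.
    Plain lists only; the +/-/^ list modifiers are not handled here."""
    for line in text.splitlines():
        parts = line.split("#", 1)[0].split(None, 1)
        if len(parts) == 2 and parts[0].lower() == "macs":
            return parse_name_list(parts[1])
    return None

def audit(sshd_config_text, clients):
    """Map each client to the MAC it would negotiate, or to the failure text."""
    server = macs_from_sshd_config(sshd_config_text)
    if server is None:
        raise ValueError("no MACs directive: server uses its built-in defaults")
    results = {}
    for name, offered in clients.items():
        try:
            results[name] = negotiate("mac algo client->server", offered, server)
        except NoMatch as exc:
            results[name] = f"FAIL: {exc}"
    return results

# Server setting as quoted in the report; the comment line is constructed.
SSHD_CONFIG = "# constructed sample\nMACs hmac-sha2-256,hmac-sha2-512\n"
CLIENTS = {
    "old-libssh-build": ["hmac-sha1"],  # client offer from the error message
    "sha2-capable-build": ["hmac-sha2-512", "hmac-sha2-256", "hmac-sha1"],  # constructed
}

if __name__ == "__main__":
    for name, outcome in audit(SSHD_CONFIG, CLIENTS).items():
        print(f"{name}: {outcome}")
```

Running an audit like this against the offer lists of every client implementation in use, before tightening `MACs` on the server, shows which clients would be locked out.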
