For those who don't know about the issue with X2Go Client for Windows that is holding up its 4.0.5.1 release, upgrading cygwin sshd from 6.8p1-1 to 7.1p2-1 broke our folder sharing & printer sharing feature.
After I added the cygwin sshd logging feature, I see this in the sshd log file: Unable to negotiate with 127.0.0.1: no matching host key type found. ... http://pastebin.com/M7CeySQ9
After doing some research, it looks like this is the incompatible change: http://www.openssh.com/txt/release-7.0
What I am wondering is this: Are we limiting ourselves to ssh-dss-cert-* keys, or is sshfs limiting us?
-Mike
On 28.04.2016 03:26 PM, Mike DePaulo wrote:
We're limiting ourselves here (for no good reason, as far as I can tell. It just happens to be implemented that way.) #1003 is a request for RSA key support. Enabling DSA when starting sshd.exe is one possible workaround, either via command line or config file option.
I'll hook in RSA host key support at some time, but not right now and not on master. My bugfix/osx branch already contains a lot of WiP changes regarding sshd support as well, but isn't finished yet. Adding RSA host key support on master would make merging way more difficult for me.
Alternatively, if the newer version doesn't fix any security issues we are affected by, we could ship the older version for now.
Mihai
On Thu, Apr 28, 2016 at 10:02 PM, Mihai Moldovan <ionic@ionic.de> wrote:
Understood, I'll hold off.
> Alternatively, if the newer version doesn't fix any security issues we are affected by, we could ship the older version for now.
In this case, I believe I should just re-add DSA support via the temporary cygwin sshd config file that we generate.
I would rather not hold back the entire cygwin bundle, or try to hold back sshd without holding back the rest of the cygwin bundle.
Thank you, -Mike
On Fri, Apr 29, 2016 at 8:44 AM, Mike DePaulo <mikedep333@gmail.com> wrote:
I am/was unfamiliar with how we use sshd on Linux and Mac OS X. I see that we start instances of sshd on both of them also.
The logic belongs in src/onmainwindow.cpp: ONMainWindow::generateEtcFiles() . Should I put the ssh-dss line below within the ifdef Q_OS_WIN block, or outside of it?
This is the line I would add to the config file: PubkeyAcceptedKeyTypes=+ssh-dss
-Mike
On 29.04.2016 03:01 PM, Mike DePaulo wrote:
> I am/was unfamiliar with how we use sshd on Linux and Mac OS X. I see that we start instances of sshd on both of them also.
Yeah, we don't, that's the problem and exactly the reason why I started my work on this front. Ideally, I want to start private sshd processes on Windows, Linux and OS X always to not have to change global config files (like stuff in ~/.ssh/) and potentially mess these files up when undoing changes again.
It's WiP though and currently unfinished.
Doesn't matter, but please create a specific Windows-branch for this change. Given that it will only be used for the Windows release build, either way won't affect anything else.
This said, I should probably work more extensively on this feature, because even Linux distros updated to 7.0 and higher meanwhile...
Mihai
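
Added example, not part of the thread or of X2Go Client's code: a small checker that reads a generated sshd config and reports whether `ssh-dss` is enabled for host keys (`HostKeyAlgorithms`) and for user public keys (`PubkeyAcceptedKeyTypes`), given that OpenSSH 7.0 and later leave `ssh-dss` out of both default sets. The function name `dsa_status` and the sample config are constructed for illustration; only plain lists and the `+` append form are interpreted, and `Match` blocks are skipped.

```python
import re

# sshd_config options that gate DSA ("ssh-dss") use; OpenSSH 7.0+ leaves
# ssh-dss out of the default set for both.
DSA_OPTIONS = ("hostkeyalgorithms", "pubkeyacceptedkeytypes")

# "Keyword value" or "Keyword=value"; keywords are case-insensitive.
LINE_RE = re.compile(r"^\s*([A-Za-z]+)(?:\s*=\s*|\s+)(.*?)\s*$")


def dsa_status(config_text, algo="ssh-dss"):
    """Map each option in DSA_OPTIONS to True if `algo` is enabled by it."""
    first_value = {}
    for line in config_text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        m = LINE_RE.match(line)
        if m is None:
            continue
        keyword, value = m.group(1).lower(), m.group(2)
        if keyword == "match":
            break  # conditional blocks are out of scope for this check
        # sshd uses the first value it reads for a keyword.
        first_value.setdefault(keyword, value)

    status = {}
    for option in DSA_OPTIONS:
        value = first_value.get(option)
        if value is None:
            status[option] = False  # unset: the 7.0+ defaults apply
            continue
        # "+a,b" appends to the defaults, "a,b" replaces them; either way
        # algo is enabled only if it is named. Other prefixes are not handled.
        listed = value[1:] if value.startswith("+") else value
        status[option] = algo in [n.strip() for n in listed.split(",")]
    return status


# Constructed sample: a config holding only the line proposed in the thread.
SAMPLE = "# generated sshd config (constructed)\nPubkeyAcceptedKeyTypes=+ssh-dss\n"

if __name__ == "__main__":
    for option, enabled in dsa_status(SAMPLE).items():
        print(f"{option}: ssh-dss {'enabled' if enabled else 'not enabled'}")
```
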