As of Version: 1:6.7p1-1 of openssh-server, it appears that Debian [and presumably upstream]'s sshd now has diffie-hellman-group1-sha1 disabled. This means that connections from x2goclient will fail.
I was able to work around this by adding:
KexAlgorithms curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha1,diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1
to /etc/ssh/sshd_config, but obviously at some point support for diffie-hellman-group1-sha1 is going to go away completely, rather than just being disabled by default.
Control: severity -1 important
Hi Alex (DEKKER), hi Alex (Schneyder),
On Sat 11 Oct 2014 13:07:00 CEST, Alex DEKKER wrote:
> As of Version: 1:6.7p1-1 of openssh-server, it appears that Debian [and presumably upstream]'s sshd now has diffie-hellman-group1-sha1 disabled. This means that connections from x2goclient will fail.
> I was able to work around this by adding:
> KexAlgorithms curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha1,diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1
> to /etc/ssh/sshd_config, but obviously at some point support for diffie-hellman-group1-sha1 is going to go away completely, rather than just being disabled by default.
Thanks for bringing this up. Did not realize so far.
@Alex Schneyder: do you think you can find a fix for this. This
actually is a release blocker of 4.0.3.0... And it endangers the
status of X2Go Client in Debian, as well.
Mike
--
DAS-NETZWERKTEAM mike gabriel, herweg 7, 24357 fleckeby fon: +49 (1520) 1976 148
GnuPG Key ID 0x25771B31 mail: mike.gabriel@das-netzwerkteam.de, http://das-netzwerkteam.de
freeBusy: https://mail.das-netzwerkteam.de/freebusy/m.gabriel%40das-netzwerkteam.de.xf...
And why is it a problem for X2Go? Is libssh not working any more? Then it should be fixed in libssh, not in x2go?
On 11.10.2014 22:48, Mike Gabriel wrote:
> Control: severity -1 important
> Hi Alex (DEKKER), hi Alex (Schneyder),
> Thanks for bringing this up. Did not realize so far.
> @Alex Schneyder: do you think you can find a fix for this. This actually is a release blocker of 4.0.3.0... And it endangers the status of X2Go Client in Debian, as well.
> Mike
Oleksandr Shneyder | Email: o.shneyder@phoca-gmbh.de
phoca GmbH | Tel. : 0911 - 14870374 0
Ludwig-Feuerbach-str. 18 | Fax. : 0911 - 14870374 9
D-90489 Nürnberg | Mobile: 0163 - 49 64 461
Managing director: Dipl.-Inf. Oleksandr Shneyder
On Mon, Oct 13, 2014 at 9:34 AM, Oleksandr Shneyder <o.shneyder@phoca-gmbh.de> wrote:
> And why is it a problem for X2Go? Is libssh not working any more? Then it should be fixed in libssh, not in x2go?
Looking through the libssh git logs, it appears that libssh 0.6 was the first version to add support for a non-sha1 key exchange method, ecdh_sha2_nistp256 [1].
0.6 also added support for curve25519-sha256@libssh.org [1].
In a few hours or so, I will test if using a libssh 0.6.x linked version of x2goclient fixes this bug.
Jessie does include libssh 0.6.3 (Thanks to our DD, Mike#1)[2].
-Mike#2
[1] http://git.libssh.org/projects/libssh.git/log/?id=libssh-0.6.0&qt=grep&q=sha2
[2] https://packages.debian.org/jessie/libssh-4
On Mon, Oct 13, 2014 at 3:33 PM, Michael DePaulo <mikedep333@gmail.com> wrote:
[...]
The bad news: I can confirm that X2Go Client for Windows 4.0.2.1+hotfix+build6 (and all prior versions/builds) ARE AFFECTED by this bug and ARE UNABLE to connect to a Debian Jessie server with openssh-server 6.7p1-2 (from sid) installed. Said version of X2Go Client for Windows bundles and uses libssh 0.5.5.
The good news: I can confirm that X2Go Client for Windows 4.0.3.0 nightly builds (mingw 4.8 tested) ARE NOT AFFECTED by this bug and ARE ABLE to connect to a Debian Jessie server with openssh-server 6.7p1-2 (from sid) installed. Said version of X2Go Client bundles and uses libssh 0.6.3.
See bug #590 for the details on X2Go Client for Windows having libssh upgraded to 0.6.x during 4.0.3.0's development cycle.
-Mike#2
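
The failure reported above and the effect of the KexAlgorithms workaround can be modelled offline. This is an added example, not code from the thread, X2Go or libssh: the two client offer lists, the set of entries treated as legacy, and the "without workaround" server list (the workaround line minus those entries) are assumptions for illustration.

```python
# Added example: audit an sshd_config KexAlgorithms line and model KEX selection.
# Entries this example treats as legacy SHA-1 key exchange (assumption).
WEAK_KEX = ("diffie-hellman-group-exchange-sha1", "diffie-hellman-group1-sha1")

# Constructed sshd_config fragment carrying the workaround line from the report.
WORKAROUND_CONFIG = """\
Port 22
# legacy x2goclient workaround
KexAlgorithms curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha1,diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1
"""

# Assumed client offers, for illustration only (not read from any libssh release).
LEGACY_CLIENT = ["diffie-hellman-group1-sha1"]
MODERN_CLIENT = ["curve25519-sha256@libssh.org", "ecdh-sha2-nistp256",
                 "diffie-hellman-group14-sha1"]


def parse_kex(config_text):
    """Return the KexAlgorithms list from sshd_config text, or None if unset.

    sshd keeps the first value it reads for a keyword; Match blocks and
    Include files are not handled here.
    """
    for raw in config_text.splitlines():
        fields = raw.strip().split(None, 1)
        if len(fields) == 2 and not fields[0].startswith("#") \
                and fields[0].lower() == "kexalgorithms":
            return [a.strip() for a in fields[1].split(",") if a.strip()]
    return None


def weak_enabled(server_kex):
    """Legacy algorithms the server currently accepts, in config order."""
    return [a for a in server_kex if a in WEAK_KEX]


def negotiate(client_kex, server_kex):
    """RFC 4253 section 7.1, simplified: the first client algorithm the server
    also lists wins; None means the connection fails during key exchange."""
    server = set(server_kex)
    return next((a for a in client_kex if a in server), None)


if __name__ == "__main__":
    workaround = parse_kex(WORKAROUND_CONFIG)
    without = [a for a in workaround if a not in WEAK_KEX]  # assumed pre-workaround list
    for name, offer in (("legacy", LEGACY_CLIENT), ("modern", MODERN_CLIENT)):
        print(name, "| without:", negotiate(offer, without),
              "| with workaround:", negotiate(offer, workaround))
    print("weak algorithms enabled:", weak_enabled(workaround))
```

A client that already offers a stronger algorithm first still selects it with the workaround in place; the added entries only matter to clients that offer nothing else, which is why upgrading the client's SSH library removes the need for them.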
Hi Alex, hi Mike#2,
On Mon 13 Oct 2014 21:33:15 CEST, Michael DePaulo wrote:
> Looking through the libssh git logs, it appears that libssh 0.6 was the first version to add support for a non-sha1 key exchange method, ecdh_sha2_nistp256 [1].
> 0.6 also added support for curve25519-sha256@libssh.org [1].
> In a few hours or so, I will test if using a libssh 0.6.x linked version of x2goclient fixes this bug.
> Jessie does include libssh 0.6.3 (Thanks to our DD, Mike#1)[2].
> -Mike#2
The issue is a non-issue on distributions with libssh 0.6.x provided.
See yesterday's post of mine to x2go-user [1].
Mike
[1] http://permalink.gmane.org/gmane.linux.terminal-server.x2go.user/2368