Hi all,
OpenSSH 6.7 has just entered Debian unstable and will be in Debian
jessie soon. It will probably land in other distributions sooner
rather than later.
As the OpenSSH developers have--by default--disabled several kex
algorithms in the latest OpenSSH 6.7 release, X2Go Client on older
systems (Debian wheezy, Ubuntu 14.04, etc.) will fail connecting to
those machines.
""" (This probably is the error message X2Go Client shows on your screen...)
X2Go Client reports: kex error : did not find one of algos
diffie-hellman-group1-sha1 in list
curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha1 for kex
algos
"""
The issue can be addressed in two ways...
If you only have control of the client, you may get the issue resolved
by backporting a libssh 0.6.3 version. Consult your distribution's
build tools to make this happen.
I will check out what we as X2Go upstream can provide for you in our
package repositories without breaking other parts of your system
(older applications using libssh << 0.6.0 are very likely to break
with that newer libssh).
If you have control of the server, then you may want to re-enable the
more-insecure, older, by-default-disabled algos. From the sshd_config
man page in OpenSSH 6.7:
"""
KexAlgorithms
Specifies the available KEX (Key Exchange) algorithms. Multiple
algorithms must be comma-separated. The supported
algorithms are:
curve25519-sha256@libssh.org
diffie-hellman-group1-sha1
diffie-hellman-group14-sha1
diffie-hellman-group-exchange-sha1
diffie-hellman-group-exchange-sha256
ecdh-sha2-nistp256
ecdh-sha2-nistp384
ecdh-sha2-nistp521
The default is:
curve25519-sha256@libssh.org,
ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,
diffie-hellman-group-exchange-sha256,
diffie-hellman-group14-sha1
"""
What you probably have to add to the KexAlgorithms parameter in
/etc/ssh/sshd_config are these additional algos:
diffie-hellman-group1-sha1 and diffie-hellman-group-exchange-sha1.
"""
KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group1-sha1,diffie-hellman-group14-sha1,diffie-hellman-group-exchange-sha1,diffie-hellman-group-exchange-sha256,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521
"""
If you use the KexAlgorithms option in sshd_config, make sure that you:
o also add all the default algos
o restart OpenSSH server on your server and try a second login while you are still logged in with another session (in case you broke something by editing sshd_config)
Greets, Mike
-- DAS-NETZWERKTEAM mike gabriel, herweg 7, 24357 fleckeby fon: +49 (1520) 1976 148
GnuPG Key ID 0x25771B31 mail: mike.gabriel@das-netzwerkteam.de, http://das-netzwerkteam.de
freeBusy: https://mail.das-netzwerkteam.de/freebusy/m.gabriel%40das-netzwerkteam.de.xf...
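An added example, not part of the original message: a small shell audit that reads the KexAlgorithms line of an sshd_config file and reports which OpenSSH 6.7 defaults it drops and which of the two legacy algorithms it re-enables. The function names are hypothetical, the algorithm lists are copied from the man page excerpt quoted in the message, and the parser assumes a whitespace-separated "keyword value" line outside any Match block.

```shell
#!/bin/sh
# Added example: audit the KexAlgorithms line of an sshd_config file.
# Both lists are copied from the OpenSSH 6.7 sshd_config(5) excerpt quoted above.
DEFAULT_KEX="curve25519-sha256@libssh.org ecdh-sha2-nistp256 ecdh-sha2-nistp384 ecdh-sha2-nistp521 diffie-hellman-group-exchange-sha256 diffie-hellman-group14-sha1"
LEGACY_KEX="diffie-hellman-group1-sha1 diffie-hellman-group-exchange-sha1"

# Print the value of the first KexAlgorithms line in file $1 (sshd uses the
# first value it reads for a keyword). Assumes "keyword value" separated by
# whitespace; Match blocks are not interpreted.
kex_value() {
    awk 'tolower($1) == "kexalgorithms" { print $2; exit }' "$1"
}

# Succeed if algorithm $2 is an exact entry of the comma-separated list $1.
has_algo() {
    case ",$1," in *",$2,"*) return 0 ;; esac
    return 1
}

# Report defaults that the configured list drops and legacy algorithms it enables.
audit_kex() {
    value=$(kex_value "$1")
    if [ -z "$value" ]; then
        # Also hit when the list was wrapped onto the line after the keyword.
        echo "KexAlgorithms not set or empty"
        return 0
    fi
    dropped="" legacy=""
    for a in $DEFAULT_KEX; do
        if ! has_algo "$value" "$a"; then dropped="$dropped $a"; fi
    done
    for a in $LEGACY_KEX; do
        if has_algo "$value" "$a"; then legacy="$legacy $a"; fi
    done
    echo "dropped defaults:${dropped:- none}"
    echo "legacy enabled:${legacy:- none}"
}

# Constructed sample: the line recommended in the message, on a single line.
sample=$(mktemp)
printf '%s\n' '# constructed sample sshd_config' \
  'KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group1-sha1,diffie-hellman-group14-sha1,diffie-hellman-group-exchange-sha1,diffie-hellman-group-exchange-sha256,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521' > "$sample"
audit_kex "$sample"
rm -f "$sample"
```

Running `sshd -t` before the restart checks the edited file for syntax errors, which complements the second-login test described in the message.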
Windows users,
See inline comment
On Thu, Oct 16, 2014 at 11:41 AM, Mike Gabriel <mike.gabriel@das-netzwerkteam.de> wrote:
Hi all,
OpenSSH 6.7 has just entered Debian unstable and will be in Debian jessie soon. It will probably land in other distributions sooner rather than later.
As the OpenSSH developers have--by default--disabled several kex algorithms in the latest OpenSSH 6.7 release, X2Go Client on older systems (Debian wheezy, Ubuntu 14.04, etc.) will fail connecting to those machines.
""" (This probably is the error message X2Go Client shows on your screen...)
X2Go Client reports: kex error : did not find one of algos diffie-hellman-group1-sha1 in list curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha1 for kex algos
"""
The issue can be addressed in two ways...
OPTION 1:
If you only have control of the client, you may get the issue resolved by backporting a libssh 0.6.3 version. Consult your distribution's build tools to make this happen.
I will check out what we as X2Go upstream can provide for you in our package repositories without breaking other parts of your system (older applications using libssh << 0.6.0 are very likely to break with that newer libssh).
I just released X2Go Client for Windows 4.0.3.0-20141021 with libssh 0.6.3 bundled. http://code.x2go.org/releases/binary-win32/x2goclient/releases/
OPTION 2:
If you have control of the server, then you may want to re-enable the more-insecure, older, by-default-disabled algos. From the sshd_config man page in OpenSSH 6.7:
"""
KexAlgorithms
Specifies the available KEX (Key Exchange) algorithms. Multiple algorithms must be comma-separated. The supported algorithms are:
curve25519-sha256@libssh.org
diffie-hellman-group1-sha1
diffie-hellman-group14-sha1
diffie-hellman-group-exchange-sha1
diffie-hellman-group-exchange-sha256
ecdh-sha2-nistp256
ecdh-sha2-nistp384
ecdh-sha2-nistp521
The default is:
curve25519-sha256@libssh.org,
ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,
diffie-hellman-group-exchange-sha256,
diffie-hellman-group14-sha1
"""
What you probably have to add to the KexAlgorithms parameter in /etc/ssh/sshd_config are these additional algos: diffie-hellman-group1-sha1 and diffie-hellman-group-exchange-sha1.
"""
KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group1-sha1,diffie-hellman-group14-sha1,diffie-hellman-group-exchange-sha1,diffie-hellman-group-exchange-sha256,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521
"""
If you use the KexAlgorithms option in sshd_config, make sure that you:
o also add all the default algos
o restart OpenSSH server on your server and try a second login while you are still logged in with another session (in case you broke something by editing sshd_config)
Greets, Mike
x2go-user mailing list x2go-user@lists.x2go.org http://lists.x2go.org/listinfo/x2go-user