[X2Go-Dev] Bug#472: Bug#472: Bug#472: Debian now has diffie-hellman-group1-sha1 disabled

Michael DePaulo mikedep333 at gmail.com
Mon Oct 13 21:33:15 CEST 2014


On Mon, Oct 13, 2014 at 9:34 AM, Oleksandr Shneyder
<o.shneyder at phoca-gmbh.de> wrote:
> And why is it a problem for X2Go? Is libssh not working any more? Then
> it should be fixed in libssh, not in x2go?
>
> On 11.10.2014 22:48, Mike Gabriel wrote:
>> Control: severity -1 important
>>
>> Hi Alex (DEKKER), hi Alex (Schneyder),
>>
>> On Sat 11 Oct 2014 13:07:00 CEST, Alex DEKKER wrote:
>>
>>> As of Version: 1:6.7p1-1 of openssh-server, it appears that Debian
>>> [and presumably upstream]'s sshd now has diffie-hellman-group1-sha1
>>> disabled. This means that connections from x2goclient will fail.
>>>
>>> I was able to work around this by adding:
>>>
>>> KexAlgorithms curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha1,diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1
>>>
>>>
>>> to /etc/ssh/sshd_config, but obviously at some point support for
>>> diffie-hellman-group1-sha1 is going to go away completely, rather than
>>> just being disabled by default.
>>
>> Thanks for bringing this up. Did not realize so far.
>>
>> @Alex Schneyder: do you think you can find a fix for this? This actually
>> is a release blocker of 4.0.3.0... And it endangers the status of X2Go
>> Client in Debian, as well.
>>
>> Mike
[...]

Looking through the libssh git logs, it appears that libssh 0.6 was
the first version to add support for a non-sha1 key exchange method,
ecdh_sha2_nistp256 [1].

0.6 also added support for curve25519-sha256@libssh.org [1].

In a few hours or so, I will test if using a libssh 0.6.x linked
version of x2goclient fixes this bug.

Jessie does include libssh 0.6.3 (Thanks to our DD, Mike#1)[2].

-Mike#2

[1] http://git.libssh.org/projects/libssh.git/log/?id=libssh-0.6.0&qt=grep&q=sha2
[2] https://packages.debian.org/jessie/libssh-4
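
Added example (not part of the original message, and not X2Go, libssh or OpenSSH code): a simplified model of SSH key-exchange selection showing why a client that offers only diffie-hellman-group1-sha1 fails once the server drops it, while a client that also offers the two methods named above still connects. The two client offer lists and the "hardened" server list are constructed assumptions, not captured from real software.

```python
# Constructed sshd_config fragment using the workaround line quoted in the thread.
WORKAROUND_CONFIG = """\
# sample fragment (constructed)
Port 22
KexAlgorithms curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha1,diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1
"""

LEGACY_KEX = "diffie-hellman-group1-sha1"

# Assumed client offers (constructed for illustration):
OLD_CLIENT = [LEGACY_KEX]  # a client with only the legacy method
NEW_CLIENT = ["curve25519-sha256@libssh.org", "ecdh-sha2-nistp256", LEGACY_KEX]


def server_kex(config_text):
    """Return the KexAlgorithms list from sshd_config text, or None if unset.

    Keywords are matched case-insensitively, '#' lines are comments and the
    first occurrence of the keyword is the one that counts.
    """
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) == 2 and parts[0].lower() == "kexalgorithms":
            return [a.strip() for a in parts[1].split(",") if a.strip()]
    return None


def without_legacy(algorithms):
    """Model a server that no longer accepts the legacy method."""
    return [a for a in algorithms if a != LEGACY_KEX]


def negotiate(client, server):
    """Simplified RFC 4253 section 7.1 rule: the first algorithm on the
    client's list that the server also supports; None means no common method."""
    for alg in client:
        if alg in server:
            return alg
    return None


if __name__ == "__main__":
    workaround = server_kex(WORKAROUND_CONFIG)
    hardened = without_legacy(workaround)
    for name, offer in (("old client", OLD_CLIENT), ("new client", NEW_CLIENT)):
        print(name, "| workaround:", negotiate(offer, workaround),
              "| hardened:", negotiate(offer, hardened))
```

With the workaround line in place, only the old client ends up on the legacy method; the new client's first offer already matches, so the legacy entry can be dropped once no old clients remain.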

