[X2Go-Dev] Bug#472: Bug#472: Bug#472: Debian now has diffie-hellman-group1-sha1 disabled

Mike Gabriel mike.gabriel at das-netzwerkteam.de
Fri Oct 17 10:37:41 CEST 2014


Hi Alex, hi Mike#2,

On Mon 13 Oct 2014 21:33:15 CEST, Michael DePaulo wrote:

> On Mon, Oct 13, 2014 at 9:34 AM, Oleksandr Shneyder
> <o.shneyder at phoca-gmbh.de> wrote:
>> And why is it a problem for X2Go? Is libssh not working any more? Then
>> it should be fixed in libssh, not in x2go?
>>
>> On 11.10.2014 22:48, Mike Gabriel wrote:
>>> Control: severity -1 important
>>>
>>> Hi Alex (DEKKER), hi Alex (Schneyder),
>>>
>>> On Sat 11 Oct 2014 13:07:00 CEST, Alex DEKKER wrote:
>>>
>>>> As of Version: 1:6.7p1-1 of openssh-server, it appears that Debian
>>>> [and presumably upstream]'s sshd now has diffie-hellman-group1-sha1
>>>> disabled. This means that connections from x2goclient will fail.
>>>>
>>>> I was able to work around this by adding:
>>>>
>>>> KexAlgorithms curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha1,diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1
>>>>
>>>>
>>>> to /etc/ssh/sshd_config, but obviously at some point support for
>>>> diffie-hellman-group1-sha1 is going to go away completely, rather than
>>>> just being disabled by default.
>>>
>>> Thanks for bringing this up. Did not realize so far.
>>>
>>> @Alex Schneyder: do you think you can find a fix for this? This actually
>>> is a release blocker of 4.0.3.0... And it endangers the status of X2Go
>>> Client in Debian, as well.
>>>
>>> Mike
> [...]
>
> Looking through the libssh git logs, it appears that libssh 0.6 was
> the first version to add support for a non-sha1 key exchange method,
> ecdh_sha2_nistp256 [1].
>
> 0.6 also added support for curve25519-sha256@libssh.org [1].
>
> In a few hours or so, I will test if using a libssh 0.6.x linked
> version of x2goclient fixes this bug.
>
> Jessie does include libssh 0.6.3 (Thanks to our DD, Mike#1)[2].
>
> -Mike#2

The issue is a non-issue on distributions with libssh 0.6.x provided.

See yesterday's post of mine to x2go-user [1].

Mike

[1] http://permalink.gmane.org/gmane.linux.terminal-server.x2go.user/2368


-- 

DAS-NETZWERKTEAM
mike gabriel, herweg 7, 24357 fleckeby
fon: +49 (1520) 1976 148

GnuPG Key ID 0x25771B31
mail: mike.gabriel at das-netzwerkteam.de, http://das-netzwerkteam.de

freeBusy:
https://mail.das-netzwerkteam.de/freebusy/m.gabriel%40das-netzwerkteam.de.xfb
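
The failure and the workaround discussed in this thread, as an added example that is not part of the original messages or of X2Go or libssh code: it reads `KexAlgorithms` from an sshd_config text and applies the SSH rule that the first method on the client's list that the server also lists is chosen. Assumptions: both client offer lists are constructed (the newer one only from the methods the thread says libssh 0.6 added), the server list without group1 is the quoted workaround line minus that method, and the host-key conditions of RFC 4253 are ignored.

```python
# Added example: SSH key-exchange selection applied to the lists discussed
# in this thread. All inputs below are constructed samples.

WEAK_KEX = {"diffie-hellman-group1-sha1"}  # the method the thread reports as disabled

# Constructed sshd_config carrying the workaround line from the quoted report.
SSHD_CONFIG_WORKAROUND = """\
# /etc/ssh/sshd_config (constructed sample)
Port 22
KexAlgorithms curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha1,diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1
"""

def parse_kex(config_text):
    """Return the KexAlgorithms list from sshd_config text, or None if unset.
    Keywords are case-insensitive and the first occurrence is the one used."""
    for line in config_text.splitlines():
        parts = line.split("#", 1)[0].strip().split(None, 1)
        if len(parts) == 2 and parts[0].lower() == "kexalgorithms":
            return [a.strip() for a in parts[1].split(",") if a.strip()]
    return None

def negotiate(client, server):
    """Simplified RFC 4253 rule: first client-listed method the server also lists."""
    return next((a for a in client if a in server), None)

def audit(client, server):
    """Classify the outcome of a negotiation between two offer lists."""
    chosen = negotiate(client, server)
    if chosen is None:
        return "FAIL: no common key exchange method"
    if chosen in WEAK_KEX:
        return f"WEAK: {chosen}"
    return f"OK: {chosen}"

SERVER_WORKAROUND = parse_kex(SSHD_CONFIG_WORKAROUND)
SERVER_NO_GROUP1 = [a for a in SERVER_WORKAROUND if a not in WEAK_KEX]
# Assumed client offers (constructed, not taken from libssh source):
CLIENT_OLD = ["diffie-hellman-group1-sha1"]
CLIENT_LIBSSH06 = ["curve25519-sha256@libssh.org", "ecdh-sha2-nistp256",
                   "diffie-hellman-group1-sha1"]

if __name__ == "__main__":
    for cname, client in (("old client", CLIENT_OLD), ("libssh 0.6 client", CLIENT_LIBSSH06)):
        for sname, server in (("without group1", SERVER_NO_GROUP1),
                              ("with workaround", SERVER_WORKAROUND)):
            print(f"{cname} vs sshd {sname}: {audit(client, server)}")
```

The workaround makes the old client connect again only by re-enabling the weak method, while a client that offers a newer method first never negotiates group1 even when the server still lists it.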