[X2Go-User] X2Go Server / X2Go Client with openSSH 6.7 (Debian jessie et al.)

Mike Gabriel mike.gabriel at das-netzwerkteam.de
Thu Oct 16 17:41:27 CEST 2014


Hi all,

openSSH 6.7 has just entered Debian unstable and will be in Debian
jessie soon. It will probably land in other distributions sooner
rather than later.

As the openSSH developers have--by default--disabled several kex
algorithms in the latest openSSH 6.7 release, X2Go Client on older
systems (Debian wheezy, Ubuntu 14.04, etc.) will fail connecting to
those machines.

""" (This probably is the error message X2Go Client shows on your screen...)

X2Go Client reports: kex error : did not find one of algos
diffie-hellman-group1-sha1 in list
curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha1
for kex algos

"""

The issue can be addressed in two ways...

OPTION 1:
---------
If you only have control of the client, you may get the issue resolved  
by backporting a libssh 0.6.3 version. Consult your distribution's  
build tools to make this happen.

I will check out what we as X2Go upstream can provide for you in our
package repositories without breaking other parts of your system  
(older applications using libssh << 0.6.0 are very likely to break  
with that newer libssh).


OPTION 2:
---------
If you have control of the server, then you may want to re-enable the
more-insecure, older, by-default-disabled algos. From the sshd_config
man page in openSSH 6.7:

"""
      KexAlgorithms
              Specifies the available KEX (Key Exchange) algorithms.  Multiple
              algorithms must be comma-separated.  The supported
              algorithms are:

                    curve25519-sha256@libssh.org
                    diffie-hellman-group1-sha1
                    diffie-hellman-group14-sha1
                    diffie-hellman-group-exchange-sha1
                    diffie-hellman-group-exchange-sha256
                    ecdh-sha2-nistp256
                    ecdh-sha2-nistp384
                    ecdh-sha2-nistp521

              The default is:

                    curve25519-sha256@libssh.org,
                    ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,
                    diffie-hellman-group-exchange-sha256,
                    diffie-hellman-group14-sha1
"""

What you probably have to add to the KexAlgorithms parameter in  
/etc/ssh/sshd_config are these additional algos:  
diffie-hellman-group1-sha1 and diffie-hellman-group-exchange-sha1.

"""
KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group1-sha1,diffie-hellman-group14-sha1,diffie-hellman-group-exchange-sha1,diffie-hellman-group-exchange-sha256,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521
"""

If you use the KexAlgorithms option in sshd_config, make sure that you:

   o also add all the default algos
   o restart openSSH server on your server and try a second login
     while you are still logged in with another session (in case you
     break something by editing sshd_config)

Greets,
Mike

--
DAS-NETZWERKTEAM
mike gabriel, herweg 7, 24357 fleckeby
fon: +49 (1520) 1976 148

GnuPG Key ID 0x25771B31
mail: mike.gabriel at das-netzwerkteam.de, http://das-netzwerkteam.de

freeBusy:
https://mail.das-netzwerkteam.de/freebusy/m.gabriel%40das-netzwerkteam.de.xfb
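
Added example, not part of the original message or of X2Go's own tooling: a POSIX shell check for the two points made under OPTION 2, namely that an explicit KexAlgorithms line still carries all six defaults quoted from the man page, and which of the two legacy algorithms it turns on. The function names and the script name kex-audit.sh are hypothetical.

```shell
#!/bin/sh
# Added example (not from the original message): audit a KexAlgorithms line.

# Defaults listed in the sshd_config(5) excerpt for OpenSSH 6.7 quoted above.
DEFAULT_KEX="curve25519-sha256@libssh.org ecdh-sha2-nistp256 ecdh-sha2-nistp384
ecdh-sha2-nistp521 diffie-hellman-group-exchange-sha256 diffie-hellman-group14-sha1"
# The two non-default algorithms the message re-enables for older clients.
LEGACY_KEX="diffie-hellman-group1-sha1 diffie-hellman-group-exchange-sha1"

# Print the KexAlgorithms list of config file $1, one name per line.
# Assumes the "Keyword value" form; sshd keywords are case-insensitive and
# the first occurrence wins.
kex_list() {
    awk 'tolower($1) == "kexalgorithms" { print $2; exit }' "$1" | tr ',' '\n'
}

# Print every default algorithm that an explicit list in $1 leaves out.
missing_defaults() {
    list=$(kex_list "$1")
    [ -n "$list" ] || return 0   # keyword absent: sshd uses its defaults
    for alg in $DEFAULT_KEX; do
        printf '%s\n' "$list" | grep -qxF -- "$alg" || printf '%s\n' "$alg"
    done
}

# Print every legacy algorithm that $1 enables.
enabled_legacy() {
    list=$(kex_list "$1")
    for alg in $LEGACY_KEX; do
        if printf '%s\n' "$list" | grep -qxF -- "$alg"; then printf '%s\n' "$alg"; fi
    done
}

# Report on $1; return status 1 if a default algorithm was dropped.
audit() {
    missing=$(missing_defaults "$1")
    legacy=$(enabled_legacy "$1")
    [ -z "$legacy" ] || printf 'legacy kex enabled: %s\n' "$(echo $legacy)"
    [ -z "$missing" ] || { printf 'defaults missing: %s\n' "$(echo $missing)"; return 1; }
}

# Usage: sh kex-audit.sh /etc/ssh/sshd_config
if [ "$#" -ge 1 ]; then audit "$1"; fi
```

Run it against the edited file before restarting the openSSH server; any "legacy kex enabled" line marks an algorithm to remove again once the clients have a newer libssh.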