Re: SSH tunnel key exchange methods

On Wed, Dec 2, 2015 at 3:27 PM, Akshay Joshi <akshay(dot)joshi(at)enterprisedb(dot)com>
wrote:

>
>
> On Wed, Dec 2, 2015 at 3:20 PM, Dave Page <dpage(at)pgadmin(dot)org> wrote:
>
>> Hi
>>
>> On Wed, Dec 2, 2015 at 9:19 AM, Akshay Joshi <
>> akshay(dot)joshi(at)enterprisedb(dot)com> wrote:
>>
>>> Hi Dave
>>>
>>> I have updated the *libssh2* library with the latest available code on
>>> their git repository. The new code used "diffie-hellman-group-exchange-sha256" algorithm for
>>> key exchange and they also fixed some memory leak. I have verified it by
>>> putting the breakpoint in the libssh2 code, so when we called "
>>> libssh2_session_init()" it will automatically call "static int diffie_
>>> hellman_sha256(...)" function, but I don't know exactly how to identify
>>> the key exchange method (sha1 or sha256) used by the latest libssh2 library.
>>>
>>> I have tested the pgadmin3 after updating the libssh2 library on CentOS
>>> 6.5 (64 bit) and it works fine. I have also modified the code to add
>>> human readable error message returned by the library. Attached is the
>>> patch file. Can you please review it and if it looks good can you please
>>> commit the code.
>>>
>>
>> I'm seeing the following build error on OS X 10.7:
>>
>> depbase=`echo libssh2/agent.o | sed 's|[^/]*$|.deps/&|;s|\.o$||'`;\
>> ccache gcc -Qunused-arguments -DHAVE_CONFIG_H -I. -I..
>> -I../pgadmin/include/libssh2 -I../pgadmin/include
>> -I../pgadmin/include/libssh2 -I/usr/local/pgsql-9.5/include
>> -I/usr/local/pgsql-9.5/include/server -I/usr/local/pgsql-9.5/include
>> -DPG_SSL -DHAVE_CONNINFO_PARSE
>> -I/usr/local/lib/wx/include/mac-unicode-release-static-2.8
>> -I/usr/local/include/wx-2.8 -D_FILE_OFFSET_BITS=64 -D_LARGE_FILES
>> -D__WXMAC__ -DEMBED_XRC -arch i386 -I/usr/include/libxml2
>> -I/opt/local/include/libxml2 -DHAVE_OPENSSL_CRYPTO -O2 -MT libssh2/agent.o
>> -MD -MP -MF $depbase.Tpo -c -o libssh2/agent.o libssh2/agent.c &&\
>> mv -f $depbase.Tpo $depbase.Po
>> In file included from ../pgadmin/include/libssh2/libssh2_priv.h:136,
>> from libssh2/agent.c:41:
>> ../pgadmin/include/libssh2/crypto.h:53: error: expected ‘)’ before ‘*’
>> token
>> ../pgadmin/include/libssh2/crypto.h:69: error: expected ‘)’ before ‘*’
>> token
>> ../pgadmin/include/libssh2/crypto.h:73: error: expected ‘)’ before ‘*’
>> token
>> ../pgadmin/include/libssh2/crypto.h:78: error: expected declaration
>> specifiers or ‘...’ before ‘libssh2_rsa_ctx’
>> ../pgadmin/include/libssh2/crypto.h:83: error: expected ‘)’ before ‘*’
>> token
>> ../pgadmin/include/libssh2/crypto.h:115: error: expected ‘)’ before ‘*’
>> token
>> ../pgadmin/include/libssh2/crypto.h:120: error: expected ‘)’ before ‘*’
>> token
>> In file included from libssh2/agent.c:41:
>> ../pgadmin/include/libssh2/libssh2_priv.h:240: error:
>> ‘SHA256_DIGEST_LENGTH’ undeclared here (not in a function)
>> ../pgadmin/include/libssh2/libssh2_priv.h:245: error: expected
>> specifier-qualifier-list before ‘_libssh2_bn_ctx’
>> ../pgadmin/include/libssh2/libssh2_priv.h:267: error: expected
>> specifier-qualifier-list before ‘_libssh2_bn’
>> ../pgadmin/include/libssh2/libssh2_priv.h:604: error: ‘SHA_DIGEST_LENGTH’
>> undeclared here (not in a function)
>> ../pgadmin/include/libssh2/libssh2_priv.h:899: error: expected
>> specifier-qualifier-list before ‘_libssh2_cipher_type’
>> libssh2/agent.c: In function ‘agent_connect_unix’:
>> libssh2/agent.c:150: warning: assignment makes pointer from integer
>> without a cast
>> make[3]: *** [libssh2/agent.o] Error 1
>> make[2]: *** [all] Error 2
>> make[1]: *** [all-recursive] Error 1
>> make: *** [all] Error 2
>>
>
> I have modified the configure.ac.in and added "-DLIBSSH2_OPENSSL" to
> solve the above. You need to run the configure command again.
>
You also needs to rerun the bootstrap script.

--

Thanks & Regards,

Ashesh Vashi
EnterpriseDB INDIA: Enterprise PostgreSQL Company
<http://www.enterprisedb.com>

*http://www.linkedin.com/in/asheshvashi*
<http://www.linkedin.com/in/asheshvashi>

>
>>
>>
>>>
>>> Sven, how you have identified the key exchange algorithm used by
>>> libssh2, is there any way to identify using fingerprint or key??
>>>
>>> On Mon, Nov 30, 2015 at 6:38 PM, Dave Page <dpage(at)pgadmin(dot)org> wrote:
>>>
>>>> Ok, thanks Akshay.
>>>>
>>>> --
>>>> Dave Page
>>>> Blog: http://pgsnake.blogspot.com
>>>> Twitter: @pgsnake
>>>>
>>>> EnterpriseDB UK:http://www.enterprisedb.com
>>>> The Enterprise PostgreSQL Company
>>>>
>>>> On 30 Nov 2015, at 12:57, Akshay Joshi <akshay(dot)joshi(at)enterprisedb(dot)com>
>>>> wrote:
>>>>
>>>> Hi Dave
>>>>
>>>> On Mon, Nov 30, 2015 at 10:41 AM, Akshay Joshi <akshay.joshi@
>>>> enterprisedb.com> wrote:
>>>>
>>>>> Hi Dave
>>>>>
>>>>> On Fri, Nov 27, 2015 at 3:01 PM, Dave Page <dpage(at)pgadmin(dot)org> wrote:
>>>>>
>>>>>> On Fri, Nov 27, 2015 at 9:23 AM, Sven <svoop_6cedifwf9e(at)delirium(dot)ch>
>>>>>> wrote:
>>>>>> >> The key exchange methods offered when opening an SSH tunnel are all
>>>>>> >> SHA1 and therefore too weak:
>>>>>> >>
>>>>>> >> [sshd] fatal: Unable to negotiate with xxx.xxx.xxx.xxx: no matching
>>>>>> >> key exchange method found. Their offer:
>>>>>> >> diffie-hellman-group14-sha1,diffie-hellman-group-exchange-sha1,
>>>>>> >> diffie-hellman-group1-sha1 [preauth]
>>>>>> >
>>>>>> > Any news on this? If there's no easy way to add safer kexes, I
>>>>>> suggest
>>>>>> > you disable the SSH feature altogether. SHA1 is dead and IMO nobody
>>>>>> > should trust a connection established with SHA1 kexes in order to
>>>>>> talk
>>>>>> > to databases.
>>>>>>
>>>>>> Akshay, you know that code best of all. How do we enable safer kexes?
>>>>>>
>>>>>
>>>>> Today I'll look into it on priority and update accordingly.
>>>>>
>>>>
>>>> I have found that "diffie-hellman-group-exchange-sha256"
>>>> support has been added to the libssh2 code on September 24, it's not
>>>> released yet. Please check https://github.com/libssh2/libssh2/pull/48 .
>>>> Today I have tried to update the libssh2, but facing some compilation
>>>> issues which needs to be fixed. I am working on it and then check do we
>>>> need to change our logic or libssh2 will automatically used "diffie-
>>>> hellman-group-exchange-sha256".
>>>>
>>>>
>>>>>
>>>>>> --
>>>>>> Dave Page
>>>>>> Blog: http://pgsnake.blogspot.com
>>>>>> Twitter: @pgsnake
>>>>>>
>>>>>> EnterpriseDB UK: http://www.enterprisedb.com
>>>>>> The Enterprise PostgreSQL Company
>>>>>>
>>>>>
>>>>>
>>>>>
>>>>> --
>>>>> *Akshay Joshi*
>>>>> *Principal Software Engineer *
>>>>>
>>>>>
>>>>>
>>>>> *Phone: +91 20-3058-9517 <%2B91%2020-3058-9517>Mobile: +91
>>>>> 976-788-8246*
>>>>>
>>>>
>>>>
>>>>
>>>> --
>>>> *Akshay Joshi*
>>>> *Principal Software Engineer *
>>>>
>>>>
>>>>
>>>> *Phone: +91 20-3058-9517 <%2B91%2020-3058-9517>Mobile: +91 976-788-8246*
>>>>
>>>>
>>>
>>>
>>> --
>>> *Akshay Joshi*
>>> *Principal Software Engineer *
>>>
>>>
>>>
>>> *Phone: +91 20-3058-9517 <%2B91%2020-3058-9517>Mobile: +91 976-788-8246*
>>>
>>
>>
>>
>> --
>> Dave Page
>> Blog: http://pgsnake.blogspot.com
>> Twitter: @pgsnake
>>
>> EnterpriseDB UK: http://www.enterprisedb.com
>> The Enterprise PostgreSQL Company
>>
>
>
>
> --
> *Akshay Joshi*
> *Principal Software Engineer *
>
>
>
> *Phone: +91 20-3058-9517Mobile: +91 976-788-8246*
>