Re: [pgadmin-support] SSH tunnel key exchange methods

From: Akshay Joshi <akshay(dot)joshi(at)enterprisedb(dot)com>
To: Dave Page <dpage(at)pgadmin(dot)org>
Cc: Sven <svoop_6cedifwf9e(at)delirium(dot)ch>, pgAdmin Support <pgadmin-support(at)postgresql(dot)org>, pgadmin-hackers <pgadmin-hackers(at)postgresql(dot)org>
Subject: Re: [pgadmin-support] SSH tunnel key exchange methods
Date: 2015-12-02 09:19:10
Message-ID: CANxoLDdJRxU2itw=8GS98k7_+Pd1O6POs4DGauXkxWZC89P9aQ@mail.gmail.com
Lists: pgadmin-hackers pgadmin-support

Hi Dave

I have updated the *libssh2* library with the latest available code on
their git repository. The new code uses the
"diffie-hellman-group-exchange-sha256" algorithm for
key exchange and they also fixed some memory leaks. I have verified it by
putting a breakpoint in the libssh2 code, so when we call
"libssh2_session_init()" it automatically calls the
"static int diffie_hellman_sha256(...)" function, but I don't know exactly how to identify the
key exchange method (sha1 or sha256) used by the latest libssh2 library.

I have tested pgadmin3 after updating the libssh2 library on CentOS 6.5
(64 bit) and it works fine. I have also modified the code to add the
human-readable error message returned by the library. Attached is the patch
file. Can you please review it and, if it looks good, can you please commit
the code?

Sven, how have you identified the key exchange algorithm used by libssh2?
Is there any way to identify it using the fingerprint or key?

On Mon, Nov 30, 2015 at 6:38 PM, Dave Page <dpage(at)pgadmin(dot)org> wrote:

> Ok, thanks Akshay.
>
> --
> Dave Page
> Blog: http://pgsnake.blogspot.com
> Twitter: @pgsnake
>
> EnterpriseDB UK: http://www.enterprisedb.com
> The Enterprise PostgreSQL Company
>
> On 30 Nov 2015, at 12:57, Akshay Joshi <akshay(dot)joshi(at)enterprisedb(dot)com>
> wrote:
>
> Hi Dave
>
> On Mon, Nov 30, 2015 at 10:41 AM, Akshay Joshi <akshay(dot)joshi(at)enterprisedb(dot)com> wrote:
>
>> Hi Dave
>>
>> On Fri, Nov 27, 2015 at 3:01 PM, Dave Page <dpage(at)pgadmin(dot)org> wrote:
>>
>>> On Fri, Nov 27, 2015 at 9:23 AM, Sven <svoop_6cedifwf9e(at)delirium(dot)ch>
>>> wrote:
>>> >> The key exchange methods offered when opening an SSH tunnel are all
>>> >> SHA1 and therefore too weak:
>>> >>
>>> >> [sshd] fatal: Unable to negotiate with xxx.xxx.xxx.xxx: no matching
>>> >> key exchange method found. Their offer:
>>> >> diffie-hellman-group14-sha1,diffie-hellman-group-exchange-sha1,
>>> >> diffie-hellman-group1-sha1 [preauth]
>>> >
>>> > Any news on this? If there's no easy way to add safer kexes, I suggest
>>> > you disable the SSH feature altogether. SHA1 is dead and IMO nobody
>>> > should trust a connection established with SHA1 kexes in order to talk
>>> > to databases.
>>>
>>> Akshay, you know that code best of all. How do we enable safer kexes?
>>>
>>
>> Today I'll look into it on priority and update accordingly.
>>
>
> I have found that "diffie-hellman-group-exchange-sha256" support
> has been added to the libssh2 code on September 24; it's not released yet.
> Please check https://github.com/libssh2/libssh2/pull/48 . Today I have
> tried to update libssh2, but am facing some compilation issues which need
> to be fixed. I am working on it and will then check whether we need to change our
> logic or libssh2 will automatically use
> "diffie-hellman-group-exchange-sha256".
>
>
>>
>>> --
>>> Dave Page
>>> Blog: http://pgsnake.blogspot.com
>>> Twitter: @pgsnake
>>>
>>> EnterpriseDB UK: http://www.enterprisedb.com
>>> The Enterprise PostgreSQL Company
>>>
>>
>>
>>
>> --
>> *Akshay Joshi*
>> *Principal Software Engineer *
>>
>>
>>
>> *Phone: +91 20-3058-9517 Mobile: +91 976-788-8246*
>>
>
>
>
> --
> *Akshay Joshi*
> *Principal Software Engineer *
>
>
>
> *Phone: +91 20-3058-9517 Mobile: +91 976-788-8246*
>
>

--
*Akshay Joshi*
*Principal Software Engineer *

*Phone: +91 20-3058-9517 Mobile: +91 976-788-8246*

Attachment Content-Type Size
Update_Libssh2_Library.patch application/octet-stream 279.0 KB
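
Added example, not part of the original message and not code from libssh2 or pgAdmin: the offer quoted in the sshd log line of this thread is the first name-list of the client's SSH_MSG_KEXINIT packet (RFC 4253, section 7.1), so a client build can be checked by parsing that list and counting the methods that are not SHA-1 based. The function names and the sample payload are constructed for this example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#define SSH_MSG_KEXINIT 20 /* RFC 4253 7.1: type byte, 16-byte cookie, name-lists */

/* Returns how many names in the kex_algorithms name-list do NOT end in "-sha1"
 * (0 means a SHA-1-only offer), or -1 if malformed. *total = names seen. */
int kex_non_sha1(const uint8_t *p, size_t len, int *total)
{
    *total = 0;
    if (len < 21 || p[0] != SSH_MSG_KEXINIT) return -1;
    uint32_t n = (uint32_t)p[17] << 24 | (uint32_t)p[18] << 16 |
                 (uint32_t)p[19] << 8 | p[20];
    if (n > len - 21) return -1;           /* length field overruns the packet */
    const uint8_t *s = p + 21, *end = s + n;
    int strong = 0;
    while (s < end) {
        const uint8_t *c = memchr(s, ',', (size_t)(end - s));
        size_t k = (size_t)((c ? c : end) - s);
        if (k == 0) return -1;             /* empty algorithm name */
        (*total)++;
        if (k < 5 || memcmp(s + k - 5, "-sha1", 5) != 0) strong++;
        s += k;
        if (s < end) s++;                  /* step over the comma */
    }
    return strong;
}

/* Constructed sample payload: zero cookie, only the first name-list present. */
size_t build_kexinit(uint8_t *out, size_t cap, const char *names)
{
    size_t n = strlen(names);
    if (cap < 21 + n) return 0;
    memset(out, 0, 21);
    out[0] = SSH_MSG_KEXINIT;
    out[17] = (uint8_t)(n >> 24); out[18] = (uint8_t)(n >> 16);
    out[19] = (uint8_t)(n >> 8);  out[20] = (uint8_t)n;
    memcpy(out + 21, names, n);
    return 21 + n;
}

int main(void)
{
    uint8_t buf[256]; int total;           /* offer taken from the sshd log line */
    size_t len = build_kexinit(buf, sizeof buf, "diffie-hellman-group14-sha1,"
        "diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1");
    int strong = kex_non_sha1(buf, len, &total);
    printf("%d of %d kex methods are not SHA-1 based\n", strong, total);
    return 0;
}
```

On a live libssh2 session, `libssh2_session_methods(session, LIBSSH2_METHOD_KEX)` returns the name of the method actually negotiated once the handshake has completed.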
